“Gartner Listed - mobile application security guide”

October 7, 2016

Bug bounty programs are adding to the problem

The rise of bug bounties has displaced mobile app security testing as the method for finding vulnerabilities in client and backend code.

Veracode and Wakefield’s research points to companies becoming too reliant on bug bounties as a substitute for secure coding. The cost to companies of fixing vulnerabilities found through bug bounty programs is higher, with 59% of respondents reporting that this requires greater resources than instituting secure coding during the development phase. This is creating endemic risk, with 83% of survey respondents admitting to releasing code without testing for and fixing vulnerabilities and security issues. As a result, many companies forgo mobile app security testing prior to release.

The research indicates the costs of ignoring mobile app security testing during development. About 44% of companies spent more than one million dollars on bug bounties, even though 79% agreed that it is more efficient to fix these issues early in the development process. A third of the companies admitted to taking services from bug bounty programs.

Tech giants such as Apple and Google have jumped on the bandwagon with their own bug bounty programs. The downsides of bug bounty programs are numerous: because these programs focus on applications that are already public, they only surface risks that users may have been exposed to for months or years. Still, 77% admitted to relying on such programs, even though 93% of them thought that a majority of the flaws discovered could have been avoided during the development phase with mobile app security testing.

This research makes it clear that businesses need to bring mobile app security testing earlier into the process and follow a ‘test early, test often’ approach to securing their software prior to release.

Codified Security is here to help make your mobile app secure, whether it’s for iOS or Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.