Bug Bounty Programs: The Low-Down

The global software industry is massive. Enterprise software alone is predicted to be worth $500 billion a year by 2022. Unless we live entirely off-grid, every part of our lives and work is touched by software.

And like taxes and death, one thing you can be sure of is that software contains bugs. The commercial life cycle for software is such that you need to get software out to market quickly. First-come is first-served in an industry where innovation turns on the head of a needle.

Fast-to-market software means that the industry has had to develop new ways to speed up the development cycle. Agile development techniques and the use of automation in the test part of the development cycle have helped to shorten the time to market. But software bugs never seem to end: you fix one, only to introduce another. If you check the CVE Details data source, which lists the number of recorded software vulnerabilities going back to 1999, you can see that the number of software bugs per year keeps on growing. In 2017, there were 14,714 recorded bugs. To mid-November 2018, this number was 14,917.

Keeping up with testing software is a big job. Even production releases of software have bugs in them — as anyone running operating system software will attest. Microsoft Windows and Mac OS, for example, have regular software updates which are pushed out to anyone running a device with those operating systems installed. Microsoft’s “Patch Tuesday” has even entered the common language of computer users across the world. And while bugs come in all shapes and sizes, some of the most impactful are the security bugs.

It is to this end that the idea of using a bug bounty program to help to test software has become an industry