Eight reasons why website vulnerabilities are not fixed

Opinion by draywood

Founder and CTO of WhiteHat Security, Jeremiah Grossman has offered ‘some reasons I've heard over the years’. In no particular order:

1 No one at the organisation understands or is responsible for maintaining the code.

2 Features are prioritised ahead of security fixes.

3 Affected code is owned by an unresponsive third-party vendor.

4 Website will be decommissioned or replaced "soon".

5 Risk of exploitation is accepted.

6 Solution conflicts with business use case.

7 Compliance does not require it.

8 No one at the organisation knows about, understands, or respects the issue.

Grossman also asked for further contributions, which came in as follows:

1 Lack of prioritisation of the issues

2 More security scanning solutions are too expensive

3 Organisation ignored AppSec Consulting Service's industry best practice recommendation and tried to fix it their own way

4 Vulnerabilities are misunderstood

5 IT managers lose kickbacks from security software providers if they patch every hole

6 There is no budget to fix the holes

7 'It's always been done this way'

8 No one asked us to change it for the last 50 products we developed with the same code, why you now!?

9 No one will hack our product/site (it's always others)!

More at: http://jeremiahgrossman.blogspot.com/
