"Most Orgs Would Take Security Bugs Over Ethical Hacking Help"

Security researchers at HackerOne have conducted a survey and found that enterprises are putting greater stock in cybersecurity, but outdated “security by obscurity” is still prevailing as companies wrestle with security awareness and shy away from bug-bounty programs.  Of the participants, 65 percent of the organizations claimed that they “want to be seen as infallible.” However, just as many, 64 percent, said they practice a culture of security through obscurity, where secrecy is used as the primary method of protecting sensitive systems and assets.  When it comes to what’s actually happening on the ground inside organizations, the researchers stated that 57 percent of respondents said that they struggle to create a culture of cybersecurity, and only 26 percent are “very confident” that staff are following security practices.  Worse, only 12 percent of departments outside of security and IT make cyber-awareness and training a core focus, according to the survey.  About 63 percent of the participants said they’ve had a security breach due to staff sidestepping security measures.  The researchers stated that some of the issues come from the top.  Only 29 percent of boards are “deeply involved” in cybersecurity strategy, and 65 percent said that the idea that security slows innovation is telegraphed to them.  The researchers also found that 38 percent of respondents agreed that their organizations “aren’t open about their cybersecurity practices.”  Many major corporations now have bug-bounty programs to help them discover zero-day vulnerabilities early.  However, this new survey data shows that not everyone is on board, suggesting that not all security professionals are open to outside scrutiny.  The researchers found that 67 percent of respondents said they “would rather accept software vulnerabilities than work with hackers.”  The researchers noted that ethical hackers are often dissuaded from reporting vulnerabilities to vendors because they’re so often ignored or outright attacked for doing so.  Half of the ethical hackers surveyed “have not disclosed a bug because of a previous negative experience or lack of channels through which to report.

Threatpost reports: "Most Orgs Would Take Security Bugs Over Ethical Hacking Help"