A Developer Attitudes to Vulnerabilities
Why companies don’t always fix vulnerabilities? Of course some critical vulnerabilities which really seem critical are fixed right away, but there are some types of vulnerabilities which seem to be not critical for developers but in fact, they are.
The answer is pretty simple – because it doesn’t hurt enough.
Another question arises, what is the propose of information security? Of course to help the business succeed. Anyone who works in this area should understand this. This will help avoid problems in the future.
The Impact
In the information security world, we have vulnerabilities which are not taken seriously. DoS is one of them.
Just imagine the situation when a Bugcrowd hacker found a vulnerability which allows DoS attack, how the issue should be prioritized then?
If a real DoS didn’t happen, some developers would say that we won’t fix it right away, we are very busy with our own tasks, but then a real DoS is happening and what next?
You would not want to be on the side of the person who made this decision.
How much will it cost to the business if the website or application is down for 1 hour? For a day? … you understand what I mean.
How DoS vulnerabilities should be prioritized:
- As IM (P0) with critical severity obviously if the real DoS happened.
- As P1 with critical severity if the vulnerability exists, but it’s only a thread. No real DoS happened.
In a common situation, developers do not understand point number 2 and don’t take the vulnerability seriously. Then real DoS is happening.
Conculsion
Do not bring it up to the incident. Prioritize vulnerabilities based on the security risk to the business – OWASP Risk Rating Methodology. And almost, in any case, vulnerabilities which allow DoS attack should have high priority and critical severity.