13 Mar 2024 · 8 min read

With all the tools people have at their disposal, why do issues still get through?

People test in layers. You have your static code analysis at the top, then DAST scanning if you have it. After this most businesses have a pen tester, and then you have your bug bounty. With this multi-layered approach to security, why do issues still get through and vulnerabilities still take place?

Sian-Louise Montgomery
Marketing Consultant


What we've seen over the years is that despite all of these layers, vulnerabilities are still getting through to production. With this multi-layered approach to security, why do issues still get through? There are arguably a few core reasons for this.

The first reason is that the approach assumes all development happens in a linear way. It assumes that everything goes from inception through to delivery via one standard process that is always exactly the same. This just isn't the reality. Hot fixes occur, and new pieces of functionality are introduced through specific teams or through third-party integrations that may not have passed through the same level of diligence.

People also assume that things move from code to production in a very linear fashion. There is sometimes an assumption that every change within a business will go through a rigid Point A, Point B, Point C, then production process, and that by having this regimented process everything will be tested and all vulnerabilities will be detected. This is not the reality across the development space, and it's not the reality across engineering.

Again, hot fixes occur, third-party integrations take place, or some other change happens, such as a vulnerability in a component you already run being published in the wild. None of these pass through your staging-to-production pipeline, so they can still introduce a vulnerability that the layered testing never sees.

For this reason, you need to be able to look at risk on a change-by-change basis, understand how vulnerabilities are getting into your system, and be dynamic in how you approach testing for them, so that you can identify them reliably.
