As a former pentester, I would say companies do not spend much on security (some of them even rely ONLY on posting bounties on HackerOne)...
Because it's 1000x easier to "find one vulnerability" (from a pentester's point of view) than to "cover all vulnerabilities" (from a developer's point of view).
It just costs a lot more to hire pentesters than to wait, discover it later, and mitigate.
Yes, there will be consequences, but they're only temporary (as we saw with Facebook).
Ah, I didn't mention that those consequences are just a side effect of growing too big.
If pentesting and compliance/auditing cost more than the value at risk from a breach, then most organizations will choose to roll the dice. So either we make security cheaper or the consequences more expensive if we want change.