Comment by spacebanana7

There's an interesting economic contest here as well - is it more sustainable for a malware group to spend $500 in tokens looking for an issue in my app? or for me to spend $500 scanning for issues on every deployment?

Systemically this usually favours the offence, as they could scan my app once every 6 months whereas I'd need to do it on weekly releases.