Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes

Daniel Votipka, Rock Stevens, Elissa M. Redmiles, Jeremy Hu, and Michelle L. Mazurek
University of Maryland, Maryland Cybersecurity Center
cyber.umd.edu

Research Questions

How do hackers and testers search for software vulnerabilities?

What are the differences between hackers and testers?

Populations

Hackers: Security specialists. Members of an internal security team, contracted reviewers, or bug bounty participants.

Testers: Bug-finding generalists. Search for functionality, performance, and security bugs.

Interview Study

15 hackers and 10 testers were recruited through bug bounty platforms, related interest groups, and hacking teams.

Participants were asked to complete a cognitive task analysis of their vulnerability discovery process.

Participants were also asked to discuss the tools they use, the skills needed, and the communities they are members of.

Vulnerability Discovery Process

Discovery Lifecycle (the poster marks which stages tester groups and hacker groups emphasize; the figure itself is not reproduced here):

Info Gathering
Program Understanding
Attack Surface
Exploration
Vulnerability Recognition
Reporting

Factors in the poster's process diagram:

Vulnerability Discovery Experience
Access to Development Process
Underlying System Knowledge
Motivation

Diagram legend entries: "Increases in these factors are expected to improve likelihood of vulnerability discovery success" and "No straightforward relationship between these factors and reported vulnerability discovery success".

Key Difference: Vulnerability Discovery Experience

The most important difference observed between hackers and testers was the variety of experience.

Sources of vulnerability discovery experience shown on the poster:

Employment
Hacking Exercises
Community
Bug Reports

Challenges:
- Timeliness
- Cognitive Diversity
- Communication

Recommendations

1. Provide a variety of training in known contexts
• Security champions
• Bug report-based exercises

2. Improve communication between hackers and companies
• Establish a single point of contact
• Develop advocacy training and resources for hackers

3. Consider alternate compensation methods to match different motivations
• Adjust payout structure as security posture matures
• Use non-monetary motivators