
Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes
Daniel Votipka, Rock Stevens, Elissa M. Redmiles, Jeremy Hu, and Michelle L. Mazurek

University of Maryland, Maryland Cybersecurity Center (cyber.umd.edu)

Research Questions

• How do hackers and testers search for software vulnerabilities?
• What are the differences between hackers and testers?

Populations

Hackers: Security specialists. Members of an internal security team, contracted reviewers, or bug bounty participants.

Testers: Bug-finding generalists. Search for functionality, performance, and security bugs.

Interview Study

15 hackers and 10 testers, recruited through bug bounty platforms, related interest groups, and hacking teams.

Participants were asked to complete a cognitive task analysis of their vulnerability discovery process.

They were also asked to discuss the tools they use, the skills they need, and the communities they are members of.

Vulnerability Discovery Process

Discovery Lifecycle (shown separately for tester groups and hacker groups):

1. Info Gathering
2. Program Understanding
3. Attack Surface
4. Exploration
5. Vulnerability Recognition
6. Reporting

Factors shaping the process:

• Vulnerability Discovery Experience
• Access to Development Process
• Underlying System Knowledge
• Motivation

Key Difference

The most important difference observed between hackers and testers was the variety of experience.

Sources of vulnerability discovery experience:

• Employment
• Hacking Exercises
• Community
• Bug Reports

Increases in these factors are expected to improve the likelihood of vulnerability discovery success.

No straightforward relationship was found between these factors and reported vulnerability discovery success.

Challenges:
- Timeliness
- Cognitive Diversity
- Communication

Recommendations

1. Provide a variety of training in known contexts
   • Security champions
   • Bug report-based exercises

2. Improve communication between hackers and companies
   • Establish a single point of contact
   • Develop advocacy training and resources for hackers

3. Consider alternate compensation methods to match different motivations
   • Adjust payout structure as security posture matures
   • Use non-monetary motivators
