Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes

Identifying security vulnerabilities in software is a critical task that requires significant human effort. Currently, vulnerability discovery is often the responsibility of software testers before release and white-hat hackers (often within bug bounty programs) afterward. This arrangement can be ad-hoc and far from ideal; for example, if testers could identify more vulnerabilities, software would be more secure at release time. Thus far, however, the processes used by each group — and how they compare to and interact with each other — have not been well studied. This paper takes a first step toward better understanding, and eventually improving, this ecosystem: we report on a semi-structured interview study (n=25) with both testers and hackers, focusing on how each group finds vulnerabilities, how they develop their skills, and the challenges they face. The results suggest that hackers and testers follow similar processes, but get different results due largely to differing experiences and therefore different underlying knowledge of security concepts. Based on these results, we provide recommendations to support improved security training for testers, better communication between hackers and developers, and smarter bug bounty policies to motivate hacker participation.
