The Community for Technology Leaders
2018 IEEE Symposium on Security and Privacy (SP) (2018)
San Fransisco, CA, US
May 21, 2018 to May 23, 2018
ISSN: 2375-1207
ISBN: 978-1-5386-4353-2
pp: 134-151
Daniel Votipka , University of Maryland
Rock Stevens , University of Maryland
Elissa Redmiles , University of Maryland
Jeremy Hu , University of Maryland
Michelle Mazurek , University of Maryland
ABSTRACT
Identifying security vulnerabilities in software is a critical task that requires significant human effort. Currently, vulnerability discovery is often the responsibility of software testers before release and white-hat hackers (often within bug bounty programs) afterward. This arrangement can be ad-hoc and far from ideal; for example, if testers could identify more vulnerabilities, software would be more secure at release time. Thus far, however, the processes used by each group - and how they compare to and interact with each other - have not been well studied. This paper takes a first step toward better understanding, and eventually improving, this ecosystem: we report on a semi-structured interview study (n=25) with both testers and hackers, focusing on how each group finds vulnerabilities, how they develop their skills, and the challenges they face. The results suggest that hackers and testers follow similar processes, but get different results due largely to differing experiences and therefore different underlying knowledge of security concepts. Based on these results, we provide recommendations to support improved security training for testers, better communication between hackers and developers, and smarter bug bounty policies to motivate hacker participation.
INDEX TERMS
interview-study, software-vulnerabilities, vulnerability-discovery, software-testing, usable-security, security-workers
CITATION

D. Votipka, R. Stevens, E. Redmiles, J. Hu and M. Mazurek, "Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes," 2018 IEEE Symposium on Security and Privacy (SP), San Fransisco, CA, US, , pp. 134-151.
doi:10.1109/SP.2018.00003
(Ver 3.3 (11022016))