Software Security Professionals: Expertise Indicators

Al-Banna, Mortada; Benatallah, Boualem; Barukh, Moshe Chai

doi:10.1109/cic.2016.030

Cited by 5 publications

(4 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An earlier study by Al-Banna et al (2016) used 66 survey responses and 32 interviews to understand how the expertise of a hacker is indicated to other hackers and security professionals. The authors highlight the value to an organisation that can be found through the invitation of hackers to private programmes, such as those hosted on third-party platforms (e.g.…”

Section: Related Workmentioning

confidence: 99%

Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations

Walshe

Simpson²

2022

Computers & Security

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations

Walshe

Simpson²

2022

Computers & Security

View full text Add to dashboard Cite

“…Al-Banna et al focus on external security professionals, asking both professionals and those who hire them which indicators they believed were the most important to discern security expertise [37]. Similarly, Cowley interviewed 10 malware reverse engineering professionals to understand the necessary skills and define levels of professional development [38].…”

Section: B Tester and Hacker Characteristicsmentioning

confidence: 99%

Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes

Votipka

Stevens

Redmiles

et al. 2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Identifying security vulnerabilities in software is a critical task that requires significant human effort. Currently, vulnerability discovery is often the responsibility of software testers before release and white-hat hackers (often within bug bounty programs) afterward. This arrangement can be ad-hoc and far from ideal; for example, if testers could identify more vulnerabilities, software would be more secure at release time. Thus far, however, the processes used by each group -and how they compare to and interact with each other -have not been well studied. This paper takes a first step toward better understanding, and eventually improving, this ecosystem: we report on a semi-structured interview study (n=25) with both testers and hackers, focusing on how each group finds vulnerabilities, how they develop their skills, and the challenges they face. The results suggest that hackers and testers follow similar processes, but get different results due largely to differing experiences and therefore different underlying knowledge of security concepts. Based on these results, we provide recommendations to support improved security training for testers, better communication between hackers and developers, and smarter bug bounty policies to motivate hacker participation.1 The way people think and the perspectives and previous experiences they bring to bear on a problem [24, pg. 40-65].

show abstract

“…In a crowdsourced vulnerability discovery program, software providers submit vulnerability discovery tasks to a community of VDPros. This approach is gaining increasing popularity recently 1 . Crowdsourcing vulnerability discovery could be in the form of an open call and managed directly by an organization (e.g., Facebook VRP, and Google VRP), or directed toward members of specialized platform for crowdsourcing vulnerability discovery (e.g., Bugcrowd, Cobalt, HackerOne, or Synack).…”

Section: Crowdsourcing Vulnerability Discoverymentioning

confidence: 99%

“…Similarly, competitions have been conducted for discovering vulnerabilities (e.g., Pwn2Own). This paper is an extension of work originally presented in IEEE 2nd International Conference on Collaboration and Internet Computing (CIC) [1].…”

Section: Introductionmentioning

confidence: 99%