Presented as part of the 2019 HCSS conference.
ABSTRACT
Vulnerability discovery is a critical component of an organization's software development life cycle. Traditional approaches to vulnerability research are time consuming and require a dizzying array of knowledge and skills to be effective. Recent advances in autonomous software exploration, such as fuzzing, have proven effective at finding software flaws, yet bug-finders frequently underutilize these techniques. While the human mind remains the most powerful tool in this domain and traditional approaches remain crucial, teams need new processes that leverage a wider array of skill sets, as well as automation, in order to tackle today's challenges.
We present a successful attempt to compose a moderately sized team of fifteen members with significantly different skill sets in security testing, while leveraging automation to the greatest extent possible. Our goal is a workflow that is effective at finding bugs, has a clear plan for the growth and mentorship of members, uses all team members efficiently, and supports measurable, incremental progress. We derive an assembly line process that improves on what was once an intricate, manually driven search.
We expand on previous literature by modifying a well-known vulnerability research process to include a step in the fuzzing life cycle that researchers often overlook: targeting. In addition, we present a role that allows new researchers to contribute substantially to the vulnerability research effort. Finally, we detail mentorship and team knowledge management. Our process optimizes the use of human resources at all skill levels and enables the use of automation early and often, helping to ensure that time-consuming human research is applied only where it is necessary.