Finding security vulnerabilities in software is a critical task for any organization, and one that still requires human effort even though automation has made significant strides in recent years. The task of vulnerability discovery typically falls on traditional software testers within an organization and on white-hat hackers, either through bug bounty programs or contracting. This talk explores the experiences, skills, processes, motivations, and mental models of these two communities. We describe our ongoing, semi-structured interview study, which focuses on how these groups find bugs, how they have developed the necessary skills, and the challenges they face, and we give some preliminary findings.
Daniel Votipka is a PhD student in the CS Department at the University of Maryland, College Park. Daniel received his MS in Information Security, Technology, and Management from Carnegie Mellon University and his BS in Computer Science from the Illinois Institute of Technology. Daniel's research interests are in usable security, in particular studying the security behaviors and mental models of those involved in the creation and use of software (i.e., developers, testers, and end users).