PhD Proposal: A Human-Centric Approach to Software Vulnerability Discovery
Daniel Votipka
Friday, April 26, 2019, 9:30-11:30 am
Abstract
Software security bugs--referred to as vulnerabilities--persist as an important and costly challenge. Significant effort has been exerted toward automatic discovery of vulnerabilities, but current approaches remain fairly limited. Human intelligence is generally required and will remain necessary for the foreseeable future. Therefore, many companies have turned to internal and external security experts (e.g., penetration testing, bug bounties) to manually analyze their code for vulnerabilities. Unfortunately, there are a limited number of qualified security experts, meaning that they may not have time to thoroughly review the entire codebase. Further, external experts are typically only utilized late in the development process, when fixing vulnerabilities becomes harder and more expensive. This situation suggests that it is important to better arm developers with the ability to find and fix vulnerabilities. Additionally, because it is likely infeasible to make all developers security experts--a level of experience that takes significant time and effort to achieve--it is also necessary to equip experts to carry out their task more efficiently. In this thesis, we propose a human-centric investigation of vulnerability discovery. We will study the types of vulnerabilities most commonly introduced by developers and the differences between experts' and non-experts' vulnerability discovery processes. Based on our findings, we will identify and evaluate more effective methods for training developers and guidelines for improved vulnerability-discovery-tool interactions.

Examining Committee:
Chair: Dr. Michelle Mazurek
Dept rep: Dr. Michael Hicks
Members: Dr. Jeffrey S. Foster
This talk is organized by Tom Hurst