A Human-Centric Approach to Software Vulnerability Discovery

dc.contributor.advisor: Mazurek, Michelle L [en_US]
dc.contributor.author: Votipka, Daniel Jared [en_US]
dc.contributor.department: Computer Science [en_US]
dc.contributor.publisher: Digital Repository at the University of Maryland [en_US]
dc.contributor.publisher: University of Maryland (College Park, Md.) [en_US]
dc.date.accessioned: 2021-02-14T06:37:56Z
dc.date.available: 2021-02-14T06:37:56Z
dc.date.issued: 2020 [en_US]
dc.description.abstract: Software security bugs, referred to as vulnerabilities, persist as an important and costly challenge. Significant effort has been exerted toward automatic vulnerability discovery, but human intelligence generally remains required and will remain necessary for the foreseeable future. Therefore, many companies have turned to internal and external (e.g., penetration testing, bug bounties) security experts to manually analyze their code for vulnerabilities. Unfortunately, there are a limited number of qualified experts. Therefore, to improve software security, we must understand how experts search for vulnerabilities and how their processes could be made more efficient, by improving tool usability and targeting the most common vulnerabilities. Additionally, we seek to understand how to improve training to increase the number of experts. To answer these questions, I begin with an in-depth qualitative analysis of secure development competition submissions to identify common vulnerabilities developers introduce. I found developers struggle to understand and implement complex security concepts, not recognizing how nuanced development decisions could lead to vulnerabilities. Next, using a cognitive task analysis to investigate experts' and non-experts' vulnerability discovery processes, I observed they use the same process, but differ in the variety of security experiences which inform their searches. Together, these results suggest exposure to an in-depth understanding of potential vulnerabilities as essential for vulnerability discovery. As a first step to leverage both experts and non-experts, I pursued two lines of work: education to support experience development and vulnerability discovery automation interaction improvements. To improve vulnerability discovery tool interaction, I conducted observational interviews of experts' reverse engineering process, an essential and time-consuming component of vulnerability discovery. From this, I provide guidelines for more usable interaction design. For security education, I began with a pedagogical review of security exercises to identify their current strengths and weaknesses. I also developed a psychometric measure for secure software development self-efficacy to support comparisons between educational interventions. [en_US]
dc.identifier: https://doi.org/10.13016/crjv-jv5k
dc.identifier.uri: http://hdl.handle.net/1903/26834
dc.language.iso: en [en_US]
dc.subject.pqcontrolled: Computer science [en_US]
dc.subject.pquncontrolled: Human computer interaction [en_US]
dc.subject.pquncontrolled: Human factors [en_US]
dc.subject.pquncontrolled: Reverse engineering [en_US]
dc.subject.pquncontrolled: Security [en_US]
dc.subject.pquncontrolled: Software development [en_US]
dc.subject.pquncontrolled: Vulnerability discovery [en_US]
dc.title: A Human-Centric Approach to Software Vulnerability Discovery [en_US]
dc.type: Dissertation [en_US]

Files

Original bundle

Name: Votipka_umd_0117E_21280.pdf
Size: 1.73 MB
Format: Adobe Portable Document Format