Daniel Votipka

Identifying software vulnerabilities is a critical task that requires significant human effort. It is often the responsibility of software testers before release and white-hat hackers afterward. This arrangement can be ad-hoc and far from ideal. This talk discusses a first step toward understanding, and improving, this ecosystem through interviews with 25 testers and hackers, focusing on how each group finds vulnerabilities, how they develop their skills, and the challenges they face. The results suggest that hackers and testers use similar processes, but get different results due mostly to differing breadth in experiences. From these results, we provide recommendations to support improved security training, better communication with hackers, and smarter bug bounty policies.

Social Profiles

All Sessions by Daniel Votipka

Management Track / Academy Talks
11:35

Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes

11:35 - 12:05

Identifying software vulnerabilities is a critical task that requires significant human effort. It is often the responsibility of software testers before release and white-hat hackers afterward. This arrangement can be ad-hoc and far from ideal. This talk discusses a first step toward understanding, and improving, this ecosystem through interviews with 25 testers and hackers, focusing on how each group finds vulnerabilities, how they develop their skills, and the challenges they face. The results suggest that hackers and testers use similar processes, but get different results due mostly to differing breadth in experiences. From these results, we provide recommendations to support improved security training, better communication with hackers, and smarter bug bounty policies.

Daniel Votipka

Social Profiles

All Sessions by Daniel Votipka

Management Track / Academy Talks

Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes

Share