Session

Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes

The description for this session will be published as soon as it is available.

About the speaker

Daniel Votipka

PhD Candidate at University of Maryland
Identifying software vulnerabilities is a critical task that requires significant human effort. It is often the responsibility of software testers before release and white-hat hackers afterward. This arrangement can be ad-hoc and far from ideal. This talk discusses a first step toward understanding, and improving, this ecosystem through interviews with 25 testers and hackers, focusing on how each group finds vulnerabilities, how they develop their skills, and the challenges they face. The results suggest that hackers and testers use similar processes but get different results due mostly to differing breadth in experiences. From these results, we provide recommendations to support improved security training, better communication with hackers, and smarter bug bounty policies.
Copyright © 2025
Swiss Cyber Storm
Hosting graciously provided for free by Nine