Practitioner Perception of Vulnerability Discovery Strategies

Title: Practitioner Perception of Vulnerability Discovery Strategies
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Bhuiyan, Farzana Ahamed; Murphy, Justin; Morrison, Patrick; Rahman, Akond
Conference Name: 2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)
Keywords: Automated Secure Software Engineering, bug report, composability, Computer bugs, computer security, Conferences, Industries, Open Source Software, perception, pubcrawl, resilience, Resiliency, Software, strategy, survey, Task Analysis, Vulnerability
Abstract: The fourth industrial revolution envisions industry manufacturing systems to be software driven, where mundane manufacturing tasks can be automated. As software is perceived as an integral part of this vision, discovering vulnerabilities is of paramount importance so that manufacturing systems are secure. A categorization of vulnerability discovery strategies can inform practitioners on how to identify undiscovered vulnerabilities in software. Recently, researchers have investigated and identified vulnerability discovery strategies used in open source software (OSS) projects. The efficacy of the derived strategies needs to be validated by obtaining feedback from practitioners. Such feedback can help assess whether the identified strategies are useful for practitioners and in which directions the derived vulnerability discovery strategies can be improved. We survey 51 practitioners to assess whether four vulnerability discovery strategies (diagnostics, malicious payload construction, misconfiguration, and pernicious execution) can be used to identify undiscovered vulnerabilities. Practitioners perceive the strategies to be useful: for example, 88% of the surveyed practitioners agree that diagnostics could be used to discover vulnerabilities. Our work provides evidence of usefulness for the identified strategies.
DOI: 10.1109/EnCyCriS52570.2021.00014
Citation Key: bhuiyan_practitioner_2021