ASE 2020
Mon 21 - Fri 25 September 2020 Melbourne, Australia
Mon 21 Sep 2020 03:14 - 03:26 at Kangaroo - Session 1 Paper Presentation

Malicious users can exploit undiscovered software vulnerabilities, i.e., undiscovered weaknesses in software, to cause serious consequences such as large-scale data breaches. A systematic approach that synthesizes the strategies used by security testers can help practitioners identify latent vulnerabilities. The goal of this paper is to help practitioners identify software vulnerabilities by categorizing vulnerability discovery strategies using open source software (OSS) bug reports. We categorize vulnerability discovery strategies by applying qualitative analysis to 312 OSS bug reports. Next, we quantify the frequency and evolution of the identified strategies by analyzing 1,632 OSS bug reports collected from five software projects spanning 2009 to 2019. The five software projects are Chrome, Eclipse, Mozilla, OpenStack, and PHP.

We identify four vulnerability discovery strategies: diagnostics, malicious payload construction, misconfiguration, and pernicious execution. For Eclipse and OpenStack, the most frequently used strategy is diagnostics, where security testers inspect source code and build/debug logs. For the three web-related software projects, namely Chrome, Mozilla, and PHP, the most frequently occurring strategy is malicious payload construction, i.e., creating malicious files such as malicious certificates and malicious videos.

Mon 21 Sep

Displayed time zone: (UTC) Coordinated Universal Time

02:50 - 03:50
Session 1 Paper Presentation [Workshop] HCSE&CS at Kangaroo
02:50
12m
Talk
A Risk Homeostasis Perspective on Zimbabwean Protective Point-of-Sale Transaction Behaviours
[Workshop] HCSE&CS
Alfred Musarurwa (Abertay University), Karen Renaud (Abertay University), Tim Shuermann (TU Darmstadt)
03:02
12m
Talk
Designing a Serious Game: Teaching Developers to Embed Privacy into Software Systems
[Workshop] HCSE&CS
Nalin Asanka Gamagedara Arachchilage (La Trobe University, Australia), Mumtaz Abdulhameed (Technovation Consulting & Training PVT)
03:14
12m
Talk
Vulnerability Discovery Strategies Used in Software Projects
[Workshop] HCSE&CS
Farzana Ahamed Bhuiyan (Tennessee Tech University), Akond Rahman (Tennessee Tech University), Patrick Morrison (IBM)
03:26
12m
Talk
An Informed Consent Model for Handling the Privacy Paradox in Smart Buildings
[Workshop] HCSE&CS
Chehara Pathmabandu (Monash University), Mohan Baruwal Chhetri (Data61 CSIRO Australia), John Grundy (Monash University), Zubair Baig (Deakin University)
03:38
12m
Talk
Characterizing Co-located Insecure Coding Patterns in Infrastructure as Code Scripts
[Workshop] HCSE&CS
Farzana Ahamed Bhuiyan (Tennessee Tech University), Akond Rahman (Tennessee Tech University)