VL/HCC 2020
Tue 11 - Fri 14 August 2020 Dunedin, New Zealand
Wed 12 Aug 2020 14:45 - 15:00 at Zoom Room - Understanding and Helping Developers Chair(s): Scott Fleming

The modern software security adversary employs persistent and evasive attack techniques, for example—using zero-day exploits that have not been disclosed publicly—to target high-profile companies for political and economic espionage or to exfiltrate sensitive data or intellectual property. To combat these threats, large organizations are adopting an emerging practice of staffing full-time offensive security teams, or red teams. To understand the workflows, culture, and day-to-day practices of software security engineers in red teams, we conducted 17 interviews with informants across five red teams within Microsoft. We found that software security engineers have substantial impact in the organization as they harden security practices, drawing from their diverse backgrounds. Software security engineers are both agile and specialized in their activities, and they closely emulate malicious adversaries—subject to some reasonable constraints. Although software security engineers are in some respects software engineers, they also differ in several consequential ways in how they write, maintain, and distribute software. The results of this work are applicable to practitioners, researchers, and toolsmiths who wish to understand how offensive security teams operate, situate themselves, and collaborate with partner teams in their organization.

Wed 12 Aug

Displayed time zone: Pacific Time (US & Canada)

14:15 - 15:08
Understanding and Helping Developers (Research Papers) at Zoom Room
Chair(s): Scott Fleming University of Memphis
14:15
15m
Talk
Using Hypotheses as a Debugging Aid (Full paper)
Research Papers
Abdulaziz Alaboudi George Mason University, Thomas LaToza George Mason University
14:30
15m
Talk
Find Unique Usages: Helping Developers Understand Common Usages (Full paper)
Research Papers
Emad Aghayi, Aaron Massey George Mason University, Thomas LaToza George Mason University
14:45
15m
Talk
A Case Study of Software Security Red Teams at Microsoft (Full paper)
Research Papers
Justin Smith Lafayette College, Chris Theisen Microsoft, Titus Barik Microsoft
15:00
7m
Talk
Refactoring from 9 to 5? What and When Employees and Volunteers Contribute to OSS (Short paper)
Research Papers
Luiz Felipe Fronchetti Dias University of São Paulo, Caio Barbosa PUC-RJ, Gustavo Pinto UFPA, Igor Steinmacher Northern Arizona University, Baldoino Fonseca Federal University of Alagoas (UFAL), Márcio Ribeiro Federal University of Alagoas, Brazil, Christoph Treude The University of Adelaide, Daniel Alencar Da Costa University of Otago