Write a Blog >>
ASE 2020
Mon 21 - Fri 25 September 2020 Melbourne, Australia
Mon 21 Sep 2020 03:14 - 03:26 at Kangaroo - Session 1 Paper Presentation

Malicious users can exploit undiscovered software vulnerabilities i.e., undiscovered weaknesses in software, to cause serious consequences, such as large-scale data breaches. A systematic approach that synthesizes strategies used by security testers can aid practitioners to identify latent vulnerabilities. The goal of this paper is to help practitioners identify software vulnerabilities by categorizing vulnerability discovery strategies using open source software bug reports. We categorize vulnerability discovery strategies by applying qualitative analysis on 312 OSS bug reports. Next, we quantify the frequency and evolution of the identified strategies by analyzing 1,632 OSS bug reports collected from five software projects spanning across 2009 to 2019. The five software projects are Chrome, Eclipse, Mozilla, OpenStack, and PHP.

We identify four vulnerability discovery strategies: diagnostics, malicious payload construction, misconfiguration, and pernicious execution. For Eclipse and OpenStack, the most frequently used strategy is diagnostics, where security testers inspect source code and build/debug logs. For three web-related software projects namely, Chrome, Mozilla, and PHP, the most frequently occurring strategy is malicious payload construction i.e., creating malicious files, such as malicious certificates and malicious videos.

Mon 21 Sep
Times are displayed in time zone: (UTC) Coordinated Universal Time

02:50 - 03:50: Session 1 Paper Presentation[Workshop] HCSE&CS at Kangaroo
02:50 - 03:02
A Risk Homeostasis Perspective on Zimbabwean Protective Point-of-Sale Transaction BehavioursWorkshop
[Workshop] HCSE&CS
Alfred MusarurwaAbertay University, Karen RenaudAbertay University, Tim ShuermannTU Darmstadt
03:02 - 03:14
Designing a Serious Game: Teaching Developers to Embed Privacy into Software SystemsWorkshop
[Workshop] HCSE&CS
Nalin Asanka Gamagedara ArachchilageLa Trobe University, Australia, Mumtaz AbdulhameedTechnovation Consulting & Training PVT
03:14 - 03:26
Vulnerability Discovery Strategies Used in Software ProjectsWorkshop
[Workshop] HCSE&CS
Farzana Ahamed BhuiyanTennessee Tech University, Akond RahmanTennessee Tech University, Patrick MorrisonIBM
03:26 - 03:38
An Informed Consent Model for Handling the Privacy Paradox in Smart BuildingsWorkshop
[Workshop] HCSE&CS
Chehara PathmabanduMonash University, Mohan Baruwal ChhetriData61 CSIRO Australia, John GrundyMonash University, Australia, A: Zubair BaigDeakin University
03:38 - 03:50
Characterizing Co-located Insecure Coding Patterns in Infrastructure as Code ScriptsWorkshop
[Workshop] HCSE&CS
Farzana Ahamed BhuiyanTennessee Tech University, Akond RahmanTennessee Tech University