Daniel Votipka (Tufts University)- Vulnerability Discovery for All: A Human-Centric Approach to Software Vulnerability Discovery
Abstract: Software vulnerabilities persist as an important and costly challenge. Significant effort has been exerted toward automatic vulnerability discovery, but human intelligence generally remains required and will remain necessary for the foreseeable future. Unfortunately, the pool of experts qualified to perform vulnerability discovery is small and homogeneous, leading to negative outcomes such as labor shortages and a lack of perspective diversity. In this talk, I will present the results of multiple studies investigating the humans at the center of vulnerability discovery. I will discuss the technical (e.g., the processes they follow to find vulnerabilities), along with the social (e.g., how they interact with others and navigate the bug bounty landscape) aspects of their work. Building on this work, I will discuss interventions in tool development and education to make vulnerability discovery more approachable and inclusive.
Speakers
Daniel Votipka
Daniel Votipka is the Lin Family Assistant Professor in the Department of Computer Science at Tufts University. He received his PhD in Computer Science from the University of Maryland. His work focuses on understanding the processes and mental models of professionals who perform security-related tasks such as secure development, vulnerability discovery, network defense, and malware analysis to make security work more accessible and inclusive through improvements in automation, education, and policy. His work has been recognized with multiple best paper awards at top security and HCI venues and his work has been funded by the NSF, Google, Cisco, and MedCrypt. Previously, he served in the US Air Force as a Cyber Warfare Officer working in the National Security Agency.