    A Human-Centric Approach to Software Vulnerability Discovery

    Software security bugs, referred to as vulnerabilities, persist as an important and costly challenge. Significant effort has been exerted toward automatic vulnerability discovery, but human intelligence generally remains required and will remain necessary for the foreseeable future. Therefore, many companies have turned to internal and external (e.g., penetration testing, bug bounties) security experts to manually analyze their code for vulnerabilities. Unfortunately, there are a limited number of qualified experts. Therefore, to improve software security, we must understand how experts search for vulnerabilities and how their processes could be made more efficient, by improving tool usability and targeting the most common vulnerabilities. Additionally, we seek to understand how to improve training to increase the number of experts. To answer these questions, I begin with an in-depth qualitative analysis of secure development competition submissions to identify common vulnerabilities developers introduce. I found developers struggle to understand and implement complex security concepts, not recognizing how nuanced development decisions could lead to vulnerabilities. Next, using a cognitive task analysis to investigate experts' and non-experts' vulnerability discovery processes, I observed they use the same process, but differ in the variety of security experiences which inform their searches. Together, these results suggest exposure to an in-depth understanding of potential vulnerabilities is essential for vulnerability discovery. As a first step to leverage both experts and non-experts, I pursued two lines of work: education to support experience development and vulnerability discovery automation interaction improvements. To improve vulnerability discovery tool interaction, I conducted observational interviews of experts' reverse engineering process, an essential and time-consuming component of vulnerability discovery. From this, I provide guidelines for more usable interaction design. For security education, I began with a pedagogical review of security exercises to identify their current strengths and weaknesses. I also developed a psychometric measure for secure software development self-efficacy to support comparisons between educational interventions.

    Conceptual evidence collection and analysis methodology for Android devices

    Android devices continue to grow in popularity and capability, meaning the need for a forensically sound evidence collection methodology for these devices also increases. This chapter proposes a methodology for evidence collection and analysis for Android devices that is, as far as practical, device agnostic. Android devices may contain a significant amount of evidential data that could be essential to a forensic practitioner in their investigations. However, the retrieval of this data requires that the practitioner understand and utilize techniques to analyze information collected from the device. The major contribution of this research is an in-depth evidence collection and analysis methodology for forensic practitioners. Comment: in Cloud Security Ecosystem (Syngress, an Imprint of Elsevier), 201

    Passe-Partout: A General Collection Methodology for Android Devices


    Where to Recruit for Security Development Studies: Comparing Six Software Developer Samples

    Studying developers is an important aspect of usable security and privacy research. In particular, studying security development challenges such as the usability of security APIs, the secure use of information sources during development, or the effectiveness of IDE security plugins has raised interest in recent years. However, recruiting skilled participants with software development experience is particularly challenging, and it is often not clear what security researchers can expect from certain participant samples, which can make research results hard to compare and interpret. Hence, in this work, we study for the first time the opportunities and challenges of different platforms for recruiting participants with software development experience for security development studies. First, we identify popular recruitment platforms in 59 papers. Then, we conduct a comparative online study with 706 participants based on self-reported software development experience across six recruitment platforms. Using an online questionnaire, we investigate participants' programming and security experiences, skills, and knowledge. We find that participants across all samples report rich general software development and security experience, skills, and knowledge. Based on our results, we recommend developer recruitment from Upwork for practical coding studies and Amazon MTurk along with a pre-screening survey to reduce additional noise for larger studies. Both of these, along with Freelancer, are also recommended for security studies. We conclude the paper by discussing the impact of our results on future security development studies.

    Applied Digital Threat Modeling: It Works


    Complete Oxidation of Ethanol over Calcined Layered Double Hydroxides Modified with an Organic Polymer

    Coprecipitation of Co, Mn, and Al nitrates by a solution of Na2CO3 and NaOH in the presence of Pluronic® P123 has led to layered double hydroxide (LDH) precursors with a hydrotalcite-like structure. Their calcination gave spinel-type mixed oxides; the presence of the organic template increased both the BET and mesopore surface areas of the calcined products. TPR profiles of the samples modified with Pluronic® P123 exhibited a shift of the reduction maxima to lower temperatures, similar to the effect of increasing sodium content in the catalysts. However, though the physical-chemical properties of the Co-Mn-Al mixed oxides and their catalytic activity in ethanol oxidation were slightly improved, the changes brought about by the presence of Pluronic® P123 during precipitation of the LDH precursors were rather small.