The Industrial Age of Hacking
Timothy Nosco, United States Army; Jared Ziegler, National Security Agency; Zechariah Clark and Davy Marrero, United States Navy; Todd Finkler, United States Air Force; Andrew Barbarello, United States Navy; W. Michael Petullo, United States Army
There is a cognitive bias in the hacker community to select a piece of software and invest significant human resources into finding bugs in that software without any prior indication of success. We label this strategy depth-first search and propose an alternative: breadth-first search. In breadth-first search, humans perform minimal work to enable automated analysis on a range of targets before committing additional time and effort to research any particular one.
We present a repeatable human study that leverages teams of varying skill while using automation to the greatest extent possible. Our goal is a process that is effective at finding bugs; has a clear plan for the growth, coaching, and efficient use of team members; and supports measurable, incremental progress. We derive an assembly-line process that improves on what was once intricate, manual work. Our work provides evidence that the breadth-first approach increases the effectiveness of teams.
View the full USENIX Security '20 program at https://www.usenix.org/conference/usenixsecurity20/technical-sessions