Timothy Nosco, United States Army; Jared Ziegler, National Security Agency; Zechariah Clark and Davy Marrero, United States Navy; Todd Finkler, United States Air Force; Andrew Barbarello, United States Navy; W. Michael Petullo, United States Army
There is a cognitive bias in the hacker community to select a piece of software and invest significant human resources into finding bugs in that software without any prior indication of success. We label this strategy depth-first search and propose an alternative: breadth-first search. In breadth-first search, humans perform minimal work to enable automated analysis on a range of targets before committing additional time and effort to research any particular one.
We present a repeatable human study that leverages teams of varying skill while using automation to the greatest extent possible. Our goal is a process that is effective at finding bugs; has a clear plan for the growth, coaching,and efficient use of team members; and supports measurable, incremental progress. We derive an assembly-line process that improves on what was once intricate, manual work. Our work provides evidence that the breadth-first approach increases the effectiveness of teams.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Timothy Nosco and Jared Ziegler and Zechariah Clark and Davy Marrero and Todd Finkler and Andrew Barbarello and W. Michael Petullo},
title = {The Industrial Age of Hacking},
booktitle = {29th USENIX Security Symposium (USENIX Security 20)},
year = {2020},
isbn = {978-1-939133-17-5},
pages = {1129--1146},
url = {https://www.usenix.org/conference/usenixsecurity20/presentation/nosco},
publisher = {USENIX Association},
month = aug
}