If you’re interested in vulnerability research for fun or profit, or if you’re a beginner and you’re not sure how to progress, it can be difficult to sift through the firehose of technical information that’s out there. Plus there are all sorts of non-technical things that established researchers seem to just know. There are many different things to learn, but nobody really talks about the different paths you can take on your journey. We will provide an overview of key concepts in vulnerability research, then cover where you can go to learn more - and what to look for. We’ll suggest ways for you to choose what you analyze and provide tools and techniques you might want to use. We’ll discuss different disclosure models (only briefly, we promise!), talk about the different kinds of responses to expect from vendors, and give some advice on how to write useful advisories and how to go about publishing them. Then, we’ll finish up by covering some of the ‘mindset’ of vulnerability research, including skills and personality traits that contribute to success, the different stages of growth that many researchers follow, and the different feelings (yes, FEELINGS) that researchers can face along the way. Our end goal is to help you improve your chances of career success, so you can get a sense of where you are, where you want to go, and what you might want to do to get there. We will not dig too deeply into technical details, and we’d go so far as to say that some kinds of vulnerability research do not require deep knowledge anyway. Vulnerability research isn’t for everyone, but after this talk, maybe you’ll have a better sense of whether it’s right for you, and what to expect going forward.
Joshua J. Drake is the VP of Platform Research and Exploitation at Imperium Enterprise Mobile Security and lead author of the Android Hacker’s Handbook. Joshua focuses on original research such as reverse engineering and the analysis, discovery, and exploitation of security vulnerabilities. He has over 10 years of experience researching and exploiting a wide range of application and operating system software with a focus on Android since early 2012. In prior roles, he served at Occupant Labs, Rapid7’s Metasploit, and VeriSign’s iDefense Labs. Joshua previously spoke at Black Hat, DEF CON, RSA, CanSecWest, Recon, Ruxcon/Breakpoint, Toorcon, and DerbyCon. Other notable accomplishments include: helping spur mobile ecosystem change in 2015, exploiting Oracle’s JVM at Pwn2Own 2013, exploiting the Android browser via NFC with Georg Wicherski at Black Hat USA 2012, and winning DEF CON 18 CTF with ACME Pharm in 2010.
Steve Christey Coley is a Principal Information Security Engineer in the Cyber Security Division at The MITRE Corporation, supporting FDA CDRH on medical device cyber security. Steve was co-creator and Editor of the CVE list and chair of the CVE Editorial Board from 1999 to 2015. He is the technical lead for CWE, the Common Weakness Scoring System (CWSS), and the CWE/SANS Top 25 Most Dangerous Software Errors. He was a co-author of the influential ‘Responsible Vulnerability Disclosure Process’ IETF draft with Chris Wysopal in 2002. He was an active contributor to other community-oriented efforts such as CVSS, CVRF, and NIST’s Static Analysis Tool Exposition (SATE). His interests include adapting traditional IT security methodologies to new areas, software assurance, improving vulnerability information exchange, and making the cybersecurity profession more inclusive for anybody who seeks a place in it. He holds a B.S. in Computer Science from Hobart College.