NCC Group’s latest Research Insights paper provides a view on modern vulnerability discovery approaches.
Identifying vulnerabilities and understanding what is involved in their exploitation have numerous applications on both the attack and defence sides of cyber security.
The way in which software vulnerabilities are discovered has evolved considerably over the last 20 years in terms of techniques, efficiency and the complexity of the issues found. What was once a mostly manual process has, over time, become increasingly automated and augmented to facilitate not only discovery, but also triage and sometimes exploitation.
However, while this automation and augmentation has helped the process of vulnerability discovery considerably, it has not addressed all the challenges faced, with increasingly esoteric weaknesses being discovered by highly skilled individuals. These often subtle logic bugs are challenging to find in an automated fashion and typically rely on a large body of knowledge and experience being applied to a particular set of circumstances.
The paper is aimed at individuals with a technical background who are responsible for identifying, understanding, mitigating or responding to security vulnerabilities in software.