In 2001, the CERT Coordination Center received reports of 2,437 software security flaws in widely used software. This marked a significant increase over previous years and mirrored the findings of several other security-tracking agencies (see, for example, reports at http://www.nipc.gov/cybernotes/2001/cyberissue2001-26.pdf and http://www.securityfocus.com).
The effects of this burgeoning bug-finding fever have permeated the world in very interesting ways, ranging from the development of software programs that exploit vulnerabilities, to increased mainstream press coverage, to heated debates in the information security community over how to disclose findings. Of course, the increase in bugs also gave the technology industry itself a stream of bad publicity, as well as fodder for aggressive marketing campaigns.
Despite all this, little has been said about the actual bug finding process itself. As the “Myth vs. Reality” sidebar describes, the practice is shrouded in misinformation. Although the general public is well acquainted with terms like “hacker,” “bug,” and “virus,” neither they nor many information security professionals themselves know how bug hunters find vulnerabilities or what systematic techniques they use. Here, I’ll offer an overview of that process.