Nothing Special   »   [go: up one dir, main page]

Skip to main content

Security Professional Skills Representation in Bug Bounty Programs and Processes

  • Conference paper
  • First Online:
Service-Oriented Computing – ICSOC 2020 Workshops (ICSOC 2020)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 12632))

Included in the following conference series:

Abstract

The ever-increasing amount of security vulnerabilities discovered and reported in recent years are significantly raising the concerns of organizations and businesses regarding the potential risks of data breaches and attacks that may affect their assets (e.g. the cases of Yahoo and Equifax). Consequently, organizations, particularly those suffering from these attacks are relying on the job of security professionals. Unfortunately, due to a wide range of cyber-attacks, the identification of such skilled security professional is a challenging task. One such reason is the “skill gap” problem, a mismatch between the security professionals’ skills and the skills required for the job (vulnerability discovery in our case). In this work, we focus on platforms and processes for crowdsourced security vulnerability discovery (bug bounty programs) and present a framework for the representation of security professional skills. More specifically, we propose an embedding-based clustering approach that exploits multiple and rich information available across the web (e.g. job postings, vulnerability discovery reports) to translate the security professional skills into a set of relevant skills using clustering information in a semantic vector space. The effectiveness of this approach is demonstrated through experiments, and the results show that our approach works better than baseline solutions in selecting the appropriate security professionals.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://thehill.com/policy/cybersecurity/483853-defense-department-agency-suffers-potential-data-breach.

  2. 2.

    https://www.theguardian.com/business/2014/oct/02/jp-morgan-76m-households-affected-data-breach.

  3. 3.

    https://www.nytimes.com/2019/07/22/business/equifax-settlement.html.

  4. 4.

    https://www.technologyreview.com/s/612309/a-cyber-skills-shortage-means-students-are-being-recruited-to-fight-off-hackers/.

  5. 5.

    https://cybersecurityventures.com/.

  6. 6.

    https://ec.europa.eu/esco/portal/skill.

  7. 7.

    https://csrc.nist.gov/glossary.

  8. 8.

    https://hackerone.com/reports/662204.

  9. 9.

    https://www.hackerone.com/.

  10. 10.

    https://au.indeed.com/.

  11. 11.

    https://www.monster.com/.

  12. 12.

    https://hackerone.com/sony.

  13. 13.

    https://app.cobalt.io/pentesters.

  14. 14.

    https://www.nist.gov/itl/applied-cybersecurity/nice.

  15. 15.

    https://www.synack.com/red-team/.

  16. 16.

    https://www.upwork.com/.

  17. 17.

    https://www.mozilla.org/en-US/security/bug-bounty/.

References

  1. Al-Banna, M., Benatallah, B., Barukh, M.C.: Software security professionals: expertise indicators. In: 2016 IEEE 2nd International Conference on Collaboration and Internet Computing (CIC), pp. 139–148 (2016)

    Google Scholar 

  2. Al-Banna, M., Benatallah, B., Schlagwein, D., Bertino, E., Barukh, M.C.: Friendly hackers to the rescue: how organizations perceive crowdsourced vulnerability discovery. In: PACIS, p. 230 (2018)

    Google Scholar 

  3. Bastian, M., et al.: Linkedin skills: large-scale topic extraction and inference. In: Proceedings of the 8th ACM Conference on Recommender Systems, pp. 1–8 (2014)

    Google Scholar 

  4. Blei, D.M., Ng, A.Y., Jordan, M.I.: Latent Dirichlet allocation. J. Mach. Learn. Res. 3, 993–1022 (2003)

    MATH  Google Scholar 

  5. Christopher, D.M., Prabhakar, R., Hinrich, S.: Introduction to information retrieval. Int. Inf. Retrieval 151(177), 5 (2008)

    MATH  Google Scholar 

  6. Council, N.R., et al.: A database for a changing economy: review of the Occupational Information Network (O* NET). National Academies Press (2010)

    Google Scholar 

  7. Dave, V.S., Zhang, B., Al Hasan, M., AlJadda, K., Korayem, M.: A combined representation learning approach for better job and skill recommendation. In: Proceedings of the 27th ACM International Conference on Information and Knowledge Management, pp. 1997–2005. ACM (2018)

    Google Scholar 

  8. Dehghan, M., Abin, A.A.: Translations diversification for expert finding: a novel clustering-based approach. ACM Trans. Knowl. Discov. Data (TKDD) 13(3), 1–20 (2019)

    Article  Google Scholar 

  9. Finifter, M., Akhawe, D., Wagner, D.: An empirical study of vulnerability rewards programs. In: Proceedings of the 22nd USENIX conference on Security, pp. 273–288 (2013)

    Google Scholar 

  10. Giboney, J.S., Proudfoot, J.G., Goel, S., Valacich, J.S.: The security expertise assessment measure (seam): developing a scale for hacker expertise. Comput. Secur. 60, 37–51 (2016)

    Article  Google Scholar 

  11. Ha-Thuc, V., et al.: Search by ideal candidates: next generation of talent search at linkedin. In: Proceedings of the 25th International Conference Companion on World Wide Web, pp. 195–198 (2016)

    Google Scholar 

  12. Hata, H., Guo, M., Babar, M.A.: Understanding the heterogeneity of contributors in bug bounty programs. In: 2017 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), pp. 223–228. IEEE (2017)

    Google Scholar 

  13. Hughes, S.: How we data-mine related tech skills (2015). https://insights.dice.com/2015/03/16/how-we-data-mine-related-tech-skills/?ads_kw=idf

  14. Javed, F., Hoang, P., Mahoney, T., McNair, M.: Large-scale occupational skills normalization for online recruitment. In: Twenty-Ninth IAAI Conference (2017)

    Google Scholar 

  15. Kaufman, L., Rousseeuw, P.J.: Finding Groups in Data: An Introduction to Cluster Analysis, vol. 344. Wiley, New York (2009)

    MATH  Google Scholar 

  16. Kivimäki, I., et al.: A graph-based approach to skill extraction from text. In: Proceedings of TextGraphs-8 Graph-Based Methods for Natural Language Processing, pp. 79–87 (2013)

    Google Scholar 

  17. Liu, M., Wang, J., Abdelfatah, K., Korayem, M.: Tripartite vector representations for better job recommendation. arXiv preprint arXiv:1907.12379 (2019)

  18. Maillart, T., Zhao, M., Grossklags, J., Chuang, J.: Given enough eyeballs, all bugs are shallow? revisiting eric raymond with bug bounty programs. J. Cybersecur. 3(2), 81–90 (2017)

    Article  Google Scholar 

  19. Malladi, S.S., Subramanian, H.C.: Bug bounty programs for cybersecurity: practices, issues, and recommendations. IEEE Software 37(1), 31–39 (2019)

    Article  Google Scholar 

  20. Mikolov, T., Chen, K., Corrado, G., Dean, J.: Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781 (2013)

  21. Miller, G.A.: Wordnet: a lexical database for English. Commun. ACM 38(11), 39–41 (1995)

    Article  Google Scholar 

  22. Mumtaz, S.: People selection for crowdsourcing tasks: representational abstractions and matching techniques. Ph.D. thesis, School of Computer Science and Engineering, Faculty of Engineering, UNSW Sydney (2020)

    Google Scholar 

  23. Mumtaz, S., Rodriguez, C., Benatallah, B.: Expert2vec: experts representation in community question answering for question routing. In: International Conference on Advanced Information Systems Engineering, pp. 213–229 (2019)

    Google Scholar 

  24. Mumtaz, S., Rodriguez, C., Benatallah, B., Al-Banna, M., Zamanirad, S.: Learning word representation for the cyber security vulnerability domain. In: 2020 International Joint Conference on Neural Networks (IJCNN), pp. 1–8. IEEE (2020)

    Google Scholar 

  25. Mumtaz, S., Wang, X.: Identifying top-k influential nodes in networks. In: the 26th ACM International Conference on Information and Knowledge Management, pp. 2219–2222 (2017)

    Google Scholar 

  26. Potter, L.E., Vickers, G.: What skills do you need to work in cyber security?: a look at the australian market. In: Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, pp. 67–72 (2015)

    Google Scholar 

  27. Shankaralingappa, D.M., De Fransicsi Morales, G., Gionis, A.: Extracting skill endorsements from personal communication data. In: Proceedings of the 25th ACM International on Conference on Information and Knowledge Management, pp. 1961–1964 (2016)

    Google Scholar 

  28. Wang, Z., Li, S., Shi, H., Zhou, G.: Skill inference with personal and skill connections. In: Proceedings of COLING 2014, the 25th International Conference on Computational Linguistics: Technical Papers, pp. 520–529 (2014)

    Google Scholar 

  29. Zhang, C., et al.: Taxogen: unsupervised topic taxonomy construction by adaptive term embedding and clustering. In: Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, pp. 2701–2709 (2018)

    Google Scholar 

  30. Zhao, M., Javed, F., Jacob, F., McNair, M.: Skill: a system for skill identification and normalization. In: Twenty-Seventh IAAI Conference (2015)

    Google Scholar 

  31. Zhao, M., Grossklags, J., Liu, P.: An empirical study of web vulnerability discovery ecosystems. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1105–1117 (2015)

    Google Scholar 

  32. Zhou, W., Zhu, Y., Javed, F., Rahman, M., Balaji, J., McNair, M.: Quantifying skill relevance to job titles. In: 2016 IEEE International Conference on Big Data (Big Data), pp. 1532–1541. IEEE (2016)

    Google Scholar 

Download references

Acknolwedgement

This research was done in the context of the first author’s Ph.D. thesis [22]. We thank Scientia Prof. Boualem Benatallah for the useful feedbacks provided on this work.

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Sara Mumtaz or Carlos Rodriguez .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Mumtaz, S., Rodriguez, C., Zamanirad, S. (2021). Security Professional Skills Representation in Bug Bounty Programs and Processes. In: Hacid, H., et al. Service-Oriented Computing – ICSOC 2020 Workshops. ICSOC 2020. Lecture Notes in Computer Science(), vol 12632. Springer, Cham. https://doi.org/10.1007/978-3-030-76352-7_33

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-76352-7_33

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-76351-0

  • Online ISBN: 978-3-030-76352-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics