About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Code auditing is not the same as vulnerability research- 1533

sha1lanPosted 1 Year Ago
  • Cybersecurity is an incredibly broad topic. Even the category of offensive cybersecurity is quite broad. In this article, they do a comparison between code auditing and vulnerability research.
  • Vulnerability research is all about understanding the practical threat landscape of a system or area of code. In this work, vulnerabilities are not enough. Instead, we care about how exploitable these bugs are and the real impact they can have given the constraints of real attackers. The output of a real proof of concept can even be helpful.
  • Code auditing has the goal of improving security within an area of code over a given time frame. This is usually about finding the greatest number of bugs without an emphasis on real exploitability. Code quality or configuration improvements, like missing binary protections, can be found here as well as actual bugs.
  • Both of these are valuable but serve different purposes. If it's a new codebase that's about to ship then a code audit to find many issues is a good idea. If vulnerability research was done on the codebase then they would likely find only a few horrible things but leave many risks and bugs still in there that weren't worth tracking down.
  • Sometimes, it's the opposite though - vulnerability research is needed instead of a code audit. On a large codebase with lots of risk in a merger and acquisition or bug bounty are good examples of when this is necessary. If fuzzing is done on a library with little to no exposure to the outside world and lots of shadow bugs are found, it's not a realistic view of the security of the application. Instead, decisions should be made on the most impactful locations and bugs should attempted to be found in this.
  • According to the author, the latter case is more likely to happen. A common issue is when the client signals that higher quantity of bugs is better than a few high impact ones, which leads to a code audit instead of vulnerability research. A good way to assess this (to me) is the likelihood and impact metrics.
  • Overall, a good article on the differences between a code audit and vulnerability research! They are different things that are similar, leading to issues within various organizations.

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed