When you work in the fuzzing domain, it is sometimes extremely challenging to get people to speak about it. Most people see that using fuzzing gives such a competitive edge that revealing their use of fuzzing tools would hurt them. Things really changed during the last year. We now have people reporting huge ROI from fuzzing (and publicly). We have leading Fortune 500 companies mandating the use of fuzzing in their RFPs during the procurement process. We also see marketing campaigns from companies like Google publicly advertising how proud they are that they also do fuzzing.
The BSIMM study by Cigital creates a new milestone in the domain of market studies in fuzzing. It may not even attempt to describe how common the use of fuzzing is. The sample of companies also does not really indicate anything about the rest of the users of fuzzers. And the interview process itself might not have given much emphasis to fuzzing, as all the authors really come from the static analysis mindset. But surprisingly enough, all top product security teams were found to be doing fuzzing already!
Another major milestone in studying the use of fuzzing is the inclusion of fuzzing-related questions in the Forrester questionnaire, completed by thousands of CIO/CSO/CISO people annually.
I personally look forward to hearing what Cigital and Forrester have to say about the use of fuzzing. If you are interested, please give us a shout here: Fuzzing 101