Posts Tagged ‘Generic Fuzzing Discussion’

Microsoft SDL for Agile, and then some fuzzing

Wednesday, November 11th, 2009

From Visual Studio Magazine:

2009/11/10/qa-bryan-sullivan-sdl

Microsoft Security Program Manager in the SDL team, Bryan Sullivan: “It is important to fuzz your parsing code periodically, but you are probably not going to find so many potential vulnerabilities doing so that you need to fuzz it every sprint.”

Interestingly, with some types of fuzzing you do not need to be that selective about when you fuzz. In many environments I have visited, fuzzing is integrated into the build process: when the code builds, a fuzz run starts automatically in the background. And why not? Nobody needs to sit and watch a fuzz run, especially one that is not expected to find anything. Fuzzing actually fits very nicely into any programmer’s automated unit test process, especially if you are coding protocol stacks or simple applications on top of industry-standard protocols such as HTTP, SOAP and SIP.
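As an added example (not from the post, Microsoft’s SDL or any real project), here is the kind of fuzz step that can sit in a programmer’s unit test suite: a deterministic mutational fuzzer run over a constructed HTTP request-line parser, with the naive parser beside a hardened one that rejects malformed input cleanly. The two parsers, the mutation operators and the seed corpus are all assumptions built for illustration.

```python
import random

# Constructed toy HTTP request-line parsers, not from any real project.
def parse_request_line_buggy(line: bytes) -> dict:
    """Naive parser: assumes the line always has three space-separated fields."""
    parts = line.split(b" ")
    return {"method": parts[0], "target": parts[1], "version": parts[2]}

def parse_request_line(line: bytes) -> dict:
    """Hardened parser: rejects malformed input with ValueError instead of crashing."""
    parts = line.split(b" ")
    if len(parts) != 3 or not all(parts) or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line")
    return {"method": parts[0], "target": parts[1], "version": parts[2]}

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte insert, byte delete, or truncate."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf = buf[: rng.randrange(len(buf) + 1)]
    return bytes(buf)

def fuzz(parser, seeds, iterations=2000, seed=1):
    """Run a seeded mutational fuzz loop and return (input, exception) for every
    unexpected exception. ValueError is the parser's documented rejection path,
    so it is not counted as a finding; anything else is a crash in unit-test terms."""
    rng = random.Random(seed)  # fixed seed keeps the build step reproducible
    findings = []
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            parser(case)
        except ValueError:
            pass
        except Exception as exc:
            findings.append((case, exc))
    return findings

SEEDS = [b"GET / HTTP/1.1", b"POST /login HTTP/1.0"]  # constructed seed corpus

def test_fuzz_buggy_parser():
    assert fuzz(parse_request_line_buggy, SEEDS)      # the naive parser crashes

def test_fuzz_hardened_parser():
    assert not fuzz(parse_request_line, SEEDS)        # the hardened parser does not
```

Run under any test runner that collects `test_*` functions; the fixed PRNG seed makes a failing case reproducible from one build to the next.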

Fuzzing Is A Surprise To Some, But Not To Us - Right?

Wednesday, January 7th, 2009

Check out this article.

The authors (Gary McGraw, Brian Chess, and Sammy Migues) interviewed leading product security teams in the industry, and collected the findings. The most important discovery (or maybe the biggest surprise to the authors?) was:

“0. Fuzz testing is widespread.
What kind of “last bullet” is that on a top ten list?! Let us explain. Way back in 1997 in the book Software Fault Injection, Jeff Voas and McGraw wrote about many kinds of testing that can be imposed on software. We wondered whether security was a special case for software testing. One classic way to probe software “reliability” is to send noise to a program and see what happens, i.e., fuzzing. Somehow the security community has morphed this technique into a widely applied way to look for software security problems. Wow. Who would have guessed that reliability trumps security?”

The importance of finding real, critical issues in software has finally been recognized as the highest priority by all leading security organizations! But we knew that, because we have been helping them in the process. ;)