Fuzzing: The fun of crash testing software
By Asavin Wattanajantra,
Crash-testing software is a fast-growing way to see which programs hold up the best, according to speakers at an Infosec press conference in London.
Already used by hackers for some time, destructive software testing – also called “fuzzing” or “fuzz testing” – is a penetration technique different from traditional security measures, which look for already known attacks and vulnerabilities.
Instead of waiting for code to fail, fuzz testing proactively tries to break it, sending systematically broken inputs into software in order to crash it. Such fuzzing is said to break 80 per cent of tested software, discovering unknown flaws.
Ari Takanen, chief technical officer for Codenomicon, compared it to crash testing in the auto industry, which helps make product safety comparisons between vehicles more meaningful. In IT, the same comparisons could be made between software products.
He said: “Anyone can do it. It doesn’t require core access to the source code and it’s a really useful way of comparing the security of different products. This helps buyers to make really good choices, just like the car industry.”
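The comparison described above, sketched as an added example (not from the article or from Codenomicon): the same seeded stream of corrupted inputs is fed to two constructed parsers without looking at their internals, and any uncaught exception counts as a crash. The record format, `parse_fragile`, `parse_hardened` and every other name here are assumptions made for illustration.

```python
import random

# Constructed record format: 1-byte type, 2-byte big-endian length, payload.
SEED_INPUT = bytes([1, 0, 5]) + b"hello"

def parse_fragile(data: bytes) -> bytes:
    # Hypothetical "product A": trusts the declared length field.
    length = (data[1] << 8) | data[2]      # IndexError on a truncated header
    _last = data[3 + length - 1]           # IndexError when the length lies
    return data[3:3 + length]

def parse_hardened(data: bytes) -> bytes:
    # Hypothetical "product B": validates first, rejects with ValueError.
    if len(data) < 3:
        raise ValueError("short header")
    length = (data[1] << 8) | data[2]
    if length != len(data) - 3:
        raise ValueError("length mismatch")
    return data[3:]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random corruption: bit flip, truncation or byte insertion."""
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        del data[rng.randrange(len(data)):]
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)

def fuzz(target, runs=2000, rng_seed=1234):
    """Black-box loop: only inputs and observed failures, no source access."""
    rng = random.Random(rng_seed)          # fixed seed: every target sees the same inputs
    crashes = []
    for _ in range(runs):
        case = mutate(SEED_INPUT, rng)
        try:
            target(case)
        except ValueError:
            pass                           # rejected cleanly, not a crash
        except Exception as exc:           # anything else is a robustness failure
            crashes.append((case, type(exc).__name__))
    return crashes

if __name__ == "__main__":
    print({t.__name__: len(fuzz(t)) for t in (parse_fragile, parse_hardened)})
```

Because the random seed is fixed, both targets face an identical test series, which is what makes the crash counts comparable between them.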
Takanen said all the major software companies have used fuzzing. HP and IBM have used “web fuzzing” products, he said. Although they didn’t necessarily use that name for the technique, this is where testers look for vulnerabilities on web portals using the crash-testing system.
Takanen said even Google has fuzzed: “They have some dedicated people who act as fuzzers, and you see it at many other companies as well.”
In 2007, Google released an open-source tool called ‘Flayer’, which finds multiple vulnerabilities in internet-critical products.
“I think they used their internal tools mostly in developing communication devices – mostly Android, as well as all those critical communications like e-mail,” Takanen said.
He said that fuzzing was a fast-growing market, with its applications used in different industries, from telecom service providers to critical industries such as finance, government and leading online commerce. Fuzzing products are built and licensed as software products or appliances, or offered as penetration testing and certification services.
Takanen also said that a number of control system users and manufacturers were investigating the feasibility of creating an organisation around fuzzing. This would establish a set of specifications and processes for the testing and certification of critical control systems products.