Fuzzing: The fun of crash testing software
It’s been around a while with the major companies, but it is fast becoming a popular way to compare the security of different software products.
Crash-testing software is a fast-growing way to see which programs hold up the best, according to speakers at an Infosec press conference in London.
Already used by hackers for some time, destructive software testing, also called "fuzzing" or "fuzz testing", is a penetration technique that differs from traditional security measures, which look for already known attacks and vulnerabilities.
Instead of waiting for code to fail, fuzz testing proactively tries to break it, sending systematically broken inputs into software in order to crash it. Such fuzzing is said to break 80 per cent of tested software, discovering unknown flaws.
Ari Takenen, chief technical officer for Codenomicon, compared it to crash testing in the auto industry, which helps make product safety comparisons between vehicles more meaningful. In IT, the same comparisons could be made between software products.
He said: "Anyone can do it. It doesn't require core access to the source code and it's a really useful way of comparing the security of different products. This helps buyers to make really good choices, just like the car industry."
Takenen said all the major software companies have used fuzzing. HP and IBM have used "web fuzzing" products, he said. Although they didn't necessarily use that name for the technique, this is where testers look for vulnerabilities on web portals using the crash-testing system.
Takenen said even Google has fuzzed: "They have some dedicated people who act as fuzzers, and you see it at many other companies as well."
In 2007, Google released an open-source tool called "Flayer", which finds multiple vulnerabilities in internet-critical products.
"I think they used their internal tools mostly in developing communication devices, mostly Android, as well as all those critical communications like e-mail," Takenen said.
He said that fuzzing was a fast-growing market, with its applications used in different industries, from telecom service providers to critical industries such as finance, government and leading online commerce. Fuzzing products are built and licensed as software products or appliances, or offered as penetration testing and certification services.
Takenen also said that a number of control system users and manufacturers were investigating the feasibility of creating an organisation around fuzzing. This would establish a set of specifications and processes for the testing and certification of critical control systems products.