Santa Cruz Tech Beat

What is “Continuous Fuzzing”?

By David Moore
Fuzz Stati0n Founder and CEO

September 28, 2017 — Santa Cruz, CA

[Editor’s note: Santa Cruz Tech Beat published Fuzz Stati0n Wins International Tech Trailblazer Competition for “Firestarter of the Year” (3/2/17).]

Fuzz testing is a dynamic technique that bombards a target application with crafted input to force the execution of unanticipated paths, leading to potentially exploitable crashes. Recently, new, groundbreaking “smart” fuzzers such as AFL and libFuzzer have proven very effective and have found many security vulnerabilities (such as buffer overflows and use-after-frees) in C and C++ applications.

Fuzz testing has traditionally been done by outside security consultants as part of an occasional “point-in-time” security audit or pentest. The problem with this is that the vulnerable software may have already been released to customers — or more code has been developed which depends on the buggy part of the application.

Software companies and development organizations are beginning to add a fuzz run as a routine part of the build and test (or continuous integration) cycle to find memory corruption bugs as early as possible and prior to release of the code. These companies save significant amounts of money by finding bugs early when they are much cheaper to fix.

Continuous Fuzzing means keeping a fuzz test running at all times, restarting it only periodically or when code is modified or new code is added. Depending on how often the code changes, this might mean restarting the fuzz run:

  • On every push to a source code control server.
  • Or, if this is too frequent, restarting the run every 24 hours targeting the latest build.
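
The restart policy above, sketched as an added example (not Fuzz Stati0n's code or infrastructure): a loop that rebuilds and restarts a libFuzzer run when the repository head changes or the run is 24 hours old, keeping the corpus between runs. The repository path, the `fuzz/fuzz_target.c` location and the script layout are assumptions, and it combines both triggers from the list rather than choosing one.

```bash
#!/usr/bin/env bash
# Added example: restart policy for a continuous fuzz run (paths are hypothetical).
REPO_DIR="${REPO_DIR:-./target-repo}"   # assumed checkout of the code under test
CORPUS_DIR="${CORPUS_DIR:-./corpus}"    # corpus is kept across restarts
MAX_AGE="${MAX_AGE:-86400}"             # 24 hours, in seconds
POLL="${POLL:-60}"                      # seconds between checks

# restart_reason BUILT_COMMIT HEAD_COMMIT STARTED_AT NOW
# Prints why the run must restart: "initial", "push", "age", or "none".
restart_reason() {
    local built="$1" head="$2" started="$3" now="$4"
    if [ -z "$built" ]; then echo "initial"; return; fi
    if [ "$built" != "$head" ]; then echo "push"; return; fi
    if [ $(( now - started )) -ge "$MAX_AGE" ]; then echo "age"; return; fi
    echo "none"
}

# Build the libFuzzer target with AddressSanitizer (source path is assumed).
build_target() {
    clang -g -O1 -fsanitize=fuzzer,address \
        "$REPO_DIR/fuzz/fuzz_target.c" -o ./fuzz_target
}

continuous_fuzz() {
    local built="" started=0 pid="" head now reason
    mkdir -p "$CORPUS_DIR" ./crashes
    while true; do
        git -C "$REPO_DIR" pull --quiet --ff-only || true
        head="$(git -C "$REPO_DIR" rev-parse HEAD)"
        now="$(date +%s)"
        reason="$(restart_reason "$built" "$head" "$started" "$now")"
        if [ "$reason" != "none" ]; then
            echo "restarting fuzz run: $reason ($head)"
            if [ -n "$pid" ]; then kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null; fi
            # libFuzzer exits on the first crash; the run resumes at the next restart.
            if build_target; then
                ./fuzz_target -artifact_prefix=./crashes/ "$CORPUS_DIR" &
                pid=$!
            fi
            built="$head"; started="$now"
        fi
        sleep "$POLL"
    done
}

# Start the loop only when invoked as: ./continuous_fuzz.sh run
if [ "${1:-}" = "run" ]; then continuous_fuzz; fi
```

Crash inputs land in `./crashes/`, so a failed run leaves a reproducer behind even after the next restart replaces the binary.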

At Fuzz Stati0n, we use the term Continuous Fuzzing to describe how our cloud-based fuzzing infrastructure is leveraged by our customers.

For information on Fuzz Stati0n’s scalable, cloud-based continuous fuzz testing solution (and our new training offering), please see our website.

###

Originally published here: https://www.linkedin.com/pulse/what-continuous-fuzzing-david-moore/
