1-616-951-1166 info@vdalabs.com

Advanced Fuzzing Services

Advanced Vulnerability Discovery by the Fuzzing Experts at VDA Labs

Fuzzing is an advanced form of Dynamic Application Security Testing (DAST) used by many of the world's leading software development organizations to discover issues in their code. Fuzz testing finds errors in software in a way that human-driven testing simply can't – by feeding a piece of code millions or more variations of its input and watching for crashes, bugs, and security vulnerabilities.

Uncovering these deep security issues is more critical than ever, and VDA can help bring fuzz testing into your software security program to discover such issues and more. The team at VDA has a rich background in fuzzing – in fact our founder, Dr. Jared DeMott, wrote his PhD thesis on "Enhancing Automated Fault Discovery and Analysis" and has since co-authored a book on the topic, "Fuzzing for Software Security Testing and Quality Assurance". We also regularly teach fuzzing techniques as part of our Application Security for Hackers and Developers course – a world-class training course offered at Black Hat and other information security conferences.

Interested in advanced app sec through fuzzing?

Microsoft Partner

VDA Labs is honored to share our fuzzing expertise via partnership with Microsoft and their Security Risk Detection product that is designed to allow implementation of fuzzing as well as web application dynamic testing within the SDLC.

Advanced Fuzzing Explained

Fuzz testing began with a simple pair of options: mutation (changing an existing input) versus generation (creating new inputs from scratch). Today there are many more. Protocol fuzzers target network services; smart fuzzers understand the format they are fuzzing so they can aim their test cases more precisely; and the best fuzzers use some degree of instrumentation to guide testing toward unexercised branches of code (measured as code coverage). Even more importantly, you have to go big. The best fuzzing systems today use massive parallel scaling to run more test cases in less time. This adds complexity in crash reporting and triage, but it buys far better coverage, since millions of test cases can be executed in a short period.
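As an added illustration of the ideas in the paragraph above (mutation of existing inputs, coverage feedback to guide the fuzzer, and crash bucketing for triage), here is a small coverage-guided mutation fuzzer in Python. It is example code written for this page, not VDA Labs' tooling or any production fuzzer such as AFL or LibFuzzer; the target parser, its seed input, the mutation strategies and the line-coverage tracer are all constructed for the illustration. The target is a deliberately unchecked length-prefixed record parser shown beside a bounds-checked version, so the same loop can be run against both to see the difference.

```python
"""Toy coverage-guided mutation fuzzer (added example, not VDA Labs code).

Demonstrates mutating existing inputs, keeping only mutants that reach new
code (coverage feedback), and deduplicating crashes for triage. The target
parser, its seed input and the mutation strategies are constructed here.
"""
import random
import sys


# Constructed target: a count byte, then `count` records of [len][len bytes].
# Defect: `pos` is never checked against the buffer before the next length
# byte is read, so an oversized count or length reads past the end
# (IndexError here; in C this would be an out-of-bounds read).
def parse_records(data: bytes) -> list:
    if len(data) < 1:
        raise ValueError("empty input")
    count, pos, records = data[0], 1, []
    for _ in range(count):
        length = data[pos]
        pos += 1
        records.append(data[pos:pos + length])
        pos += length
    return records


# Hardened version: every read is bounds-checked and malformed input is
# rejected with ValueError, which the harness treats as a clean rejection.
def parse_records_safe(data: bytes) -> list:
    if len(data) < 1:
        raise ValueError("empty input")
    count, pos, records = data[0], 1, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated record header")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("record length exceeds buffer")
        records.append(data[pos:pos + length])
        pos += length
    return records


def run_with_coverage(target, data: bytes):
    """Run target(data); return (set of executed line numbers, exception or None)."""
    covered, code = set(), target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None            # only instrument the target function itself
        if event == "line":
            covered.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        return covered, None
    except Exception as exc:       # a fuzzer wants to see every failure
        return covered, exc
    finally:
        sys.settrace(None)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, interesting byte, insert, or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def crash_key(exc: BaseException) -> tuple:
    """Bucket a crash by exception type and the line that raised it."""
    tb = exc.__traceback__
    while tb.tb_next:
        tb = tb.tb_next
    return type(exc).__name__, tb.tb_lineno


def fuzz(target, seeds, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Coverage-guided loop: mutate a corpus entry, keep it if it reaches new code."""
    rng = random.Random(rng_seed)
    corpus, total_cov, crashes = list(seeds), set(), {}
    for s in seeds:
        cov, _ = run_with_coverage(target, s)
        total_cov |= cov
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        cov, exc = run_with_coverage(target, child)
        if exc is not None and not isinstance(exc, ValueError):
            crashes.setdefault(crash_key(exc), child)   # keep first input per bucket
        elif cov - total_cov:                           # new lines reached: keep input
            corpus.append(child)
            total_cov |= cov
    return {"corpus_size": len(corpus), "covered_lines": total_cov, "crashes": crashes}


SEED = b"\x02\x01A\x02BC"   # constructed valid input: two records, "A" and "BC"

if __name__ == "__main__":
    for fn in (parse_records, parse_records_safe):
        r = fuzz(fn, [SEED])
        print(fn.__name__, "corpus:", r["corpus_size"], "crash buckets:", list(r["crashes"]))
```

Running it against `parse_records` turns up an `IndexError` bucket within a few hundred iterations, while `parse_records_safe` produces only clean `ValueError` rejections; the same harness convention (reject malformed input cleanly, treat anything else as a finding) is what a LibFuzzer or AFL harness encodes in C.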

The VDA team of experts has deep knowledge of modern fuzzing practice: knowing which type of fuzzer fits which target, creating custom fuzzers for new protocols, and instrumenting binaries to assess vulnerabilities with LibFuzzer or AFL. Below are some examples from our blog showing this:

What sorts of issues can fuzz testing find?

Software bugs can lie latent in code for years or even decades without detection – one example was the ShellShock vulnerability, which existed in the BASH shell for 25 years! The goal of fuzzing is to exercise code in a way that surfaces such latent issues in a much shorter timeframe. While not every bug identified by fuzzing is necessarily a security nightmare, any developer worth their salt will also be interested in the other kinds of issues commonly found through fuzzing. The overall picture includes:


  • Crashes
  • Security Exposures / Vulnerabilities
  • Denial of Service Conditions (DoS)
  • Performance Degradations
  • Anomalous Behavior

Fuzz Testing in the SDLC

Many development organizations have taken notice of the power of fuzz testing and are looking to strengthen the security of their products by integrating fuzzing into the SDLC. Fuzzing used to be considered a fringe activity that was difficult to stand up, but that is changing with new tooling that can be fed directly from the CI/CD pipeline to kick off fuzz testing, much as some organizations already run automated static analysis (SAST) and dynamic analysis (DAST) from their dev pipelines.

Microsoft's MSRD product in particular has deep integrations with Azure DevOps that power fuzzing as part of the standard development workflow. This lets your teams keep moving fast while still gaining the deep testing benefits that fuzzing offers.

VDA Labs provides consulting services that help organizations implement MSRD (or other fuzzing platforms) to help secure their products. Contact us today to see how fuzzing can help add an additional layer of assurance to your most critical projects.

Don't Be Shy

We would love to hear from you - send us an email from our contact page!