Over the last decade, there’s been an uptick in progressive Silicon Valley tech behemoths adopting an application security testing technique called continuous fuzzing. While effective, fuzzing remains largely unknown to the larger developer and security communities.
In an effort to demystify continuous fuzzing, ForAllSecure’s CEO Dr. David Brumley offered a technical overview of the technique via a webinar on February 11, 2020. In this webinar, Brumley shared more about this proven and accepted technique, and further details on how organizations new to fuzzing can get started.
Don’t have time to tune in? You’re in luck. A replay of the webinar is available here: https://www.brighttalk.com/webcast/17668/385891
We’ve also synthesized the top 3 takeaways from the webinar:
It’s commonly believed that the purpose of application security testing solutions is to help organizations release secure applications. Leading this charge is the security group, so, of course, it’s important that results from the AST tools are consumable by security teams.
However, it’s important to bear in mind that AST tools are often used by developers. Thus, these solutions must also be built with developer productivity in mind. Developers are often measured by the number of lines of code written or the number of features built. The number of vulnerabilities, or lack thereof, speaks little to their productivity and the impact they’ve had in the latest release. What we’ve learned does resonate with developers, on the other hand, is how much code coverage the application security testing tool achieved or how many new test cases it generated to test their features. As organizations evaluate AST tools, they must bear in mind the pain they’re aiming to resolve, from both the developer and security analyst perspective.
Many organizations see security as a “checkpoint” -- a process that is run and done. Brumley advocates that in order to outpace the attackers, security must be conducted continuously.
Let’s dissect what Brumley means by “running a continuous check.” Often, application security testing solutions come equipped with prebuilt test suites. These tools test the same areas of code with each run. New users will initially see tremendous ROI, uncovering many defects early on. However, as they run their test suite over and over again, they’ll eventually find fewer and fewer defects. It’s true: when organizations find fewer defects over time, it can mean their software is becoming increasingly secure. However, it can also mean that defects are becoming concentrated in untested code areas. Thus, it is advantageous to find a technique, such as guided fuzzing or instrumented fuzzing, that is able to take in feedback from a target and autonomously generate test cases on the fly, allowing the test suite to grow with the target. The longer the fuzzer runs, the more its test suite grows, generating test cases that reach deeper and deeper into the app for increasingly thorough testing. This approach allows organizations to continuously run testing in the background, even after release. When testing for the latest release and development for the upcoming release are done simultaneously, organizations are able to drive efficiency. This is what allows organizations to alter their software security trajectory.
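To make the contrast concrete, here is an added example (not from the webinar or from any ForAllSecure product) that runs a fixed test suite and a minimal coverage-guided loop against the same target. The `target` parser, its branch names, and the seed input `b"AAAA"` are all constructed for illustration; real fuzzers obtain coverage through compiler or binary instrumentation rather than a hand-built set.

```python
import random

def target(data: bytes) -> set:
    """Constructed toy parser; returns the ids of the branches it executed."""
    cov = {"entry"}
    if len(data) >= 4 and data[0] == ord("F"):
        cov.add("magic0")
        if data[1] == ord("U"):
            cov.add("magic1")
            if data[2] == ord("Z"):
                cov.add("magic2")
                if data[3] == ord("Z"):
                    cov.add("deep")  # nested code the b"AAAA" suite never reaches
    return cov

def run_fixed_suite(suite):
    """Prebuilt suite: same inputs every run, so coverage never changes."""
    seen = set()
    for case in suite:
        seen |= target(case)
    return seen

def mutate(data: bytes, rng) -> bytes:
    """Overwrite one random byte of an existing test case."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def guided_fuzz(seeds, iterations, seed=0):
    """Keep any mutated input that reaches a branch not seen before."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    corpus = list(seeds)
    seen = run_fixed_suite(corpus)
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        cov = target(candidate)
        if not cov <= seen:  # feedback: new coverage, so the suite grows
            seen |= cov
            corpus.append(candidate)
    return corpus, seen

if __name__ == "__main__":
    suite = [b"AAAA"]  # constructed seed input
    print("fixed suite, 100 runs:", sorted(run_fixed_suite(suite * 100)))
    corpus, seen = guided_fuzz(suite, 200_000)
    print("guided corpus:", corpus)
    print("guided coverage:", sorted(seen))
```

Each input the guided loop keeps becomes the starting point for the next mutation, which is how the corpus climbs one nested check at a time while the fixed suite stays at the entry branch no matter how often it is rerun.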
A truly effective continuous security testing solution must have two key capabilities:
Interested in getting started? Brumley proposes a series of questions for organizations to consider as they aim to find the right next-generation fuzzer for them. He also recommends a variety of solutions -- including both open source and commercial tools -- to help get continuous testing programs started. Tune in at the following link for more information: https://www.brighttalk.com/webcast/17668/385891