Fuzz Testing Coming to Corporate Dev Shops?
Fuzz testing could be coming to an enterprise near you.
Fuzz testing may be close to jumping from the abstract domain of security research labs to real-world corporate dev shops as more third-party tools and frameworks become available, says author and security researcher Michael Sutton.
The technique of throwing inputs generated at random within a defined protocol at networks or apps to see whether a particular type of unexpected input causes a crash or security breach has been around for years. But the problem for enterprise developers and testers has been a lack of appropriate tooling.
"I haven't really seen it get to the enterprise," says Sutton, a security evangelist with security and testing vendor SPI Dynamics. "Today, for the most part, if you want to be doing fuzzing you have to develop your own apps for that."
But Sutton says that's beginning to change, with a fledgling market for fuzz-testing tools taking hold and a few vendors entering the space. He argues dev shops should be at least looking into fuzz testing, or "fuzzing," especially to probe for potential problems in their Web apps.
||"I haven't really seen it get to the enterprise. Today, for the most part, if you want to be doing fuzzing you have to develop your own apps for that."
|Michael Sutton, Author and Security Evangelist,
Fuzz-testing vendor Codenomicon Ltd. was funded by two major European venture capital funds in 2005 to commercialize "systematic simulation of exceptional situations" technology based on research and development that began more than a decade ago at the University of Oulu in Finland. Another fuzz-testing vendor, Mu Security, was founded in 2005 by engineers from Juniper Networks Inc.
Max Caceres, director of product management for penetration testing vendor Core Security Technologies, also says he hasn't yet come across many in-house dev shops employing fuzz testing, in part because tools like Codenomicon and Mu are more focused on finding vulnerabilities in a company's Web infrastructure than in apps.
"The higher you go up on the application stack, the less applicable they are," Caceres says.
But several new fuzzing frameworks seem more promising for enterprise developers. The frameworks provide a collection of libraries of reusable code that allows shops to build a custom tool without starting from scratch, Sutton says.
The Peach Fuzzer Framework -- an open-source, cross-platform testing framework written in Python -- helps developers and testers assemble custom fuzzing tools to throw at anything from shared libraries and DLLs to Web apps, says its creator, Michael Eddington.
Another framework, dubbed Sulley, was unveiled earlier this year at the Black Hat 2007 show by Pedram Amini, who co-wrote the book "Fuzzing: Brute Force Vulnerability Discovery" (Addison-Wesley Professional, 2007) with Sutton and Cody Pierce. Sulley is designed to fuzz in parallel to complete tests faster and to automatically log the inputs that trigger faults in an app.
"It's very appropriate for the developer," Sutton says of the new frameworks. "Once that tool is built, the programmer or the QA person can do the testing just as easily as a security team, and, if need be, they can always bring in a security researcher to determine if a fault they find is exploitable."
As for third-party fuzzing tools that dev shops can throw at their apps right out of the box, Caceres says vendors won't ship such tools anytime soon. "I think they may move in that direction. It sounds reasonable," he adds. "I'm not sure how long it will take, though. Put it this way: They'll have a lot of work on their plate."