Fuzzing and Product Security
Fuzzing is the only proactive security assessment technique for analyzing closed-source software components, and I am a strong supporter of using fuzzing in the software development life-cycle. Earlier, in my blog entry titled Fuzzing Is Still Widely Unknown, I commented the fact that everyone is already doing fuzzing. Now that the BSIMM study is public, we can analyze it a bit further.
BSIMM was built by interviewing nine leading product security initiatives, including Adobe, DTCC, EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. Individual interviews were aimed at finding the key activities that made those initiatives successful. The list of most common product security activities included the use of security testing tools (fuzzing) in the quality assurance process (all interviewed organizations admitted doing this). Also seven out of the nine product security teams said they use customized fuzzing frameworks. The level of detail from fuzzing perspective does not reveal much, yet.
Another interesting aspect of studying fuzzing usage is by interviewing the general security audience and their use of fuzzing tools. Forrester research sends out a questionnaire to thousands of leading security people, and has questions regarding usage of fuzzing. Most fuzzing frameworks are extremely complex scripting environments which you would not expect to see your own CIO or CSO (or her team) using. On the other hand commercial tools take the opposite approach, being just point and click tools where the most complex thing you need to know is the IP address of the test target. If fuzzing is really been adopted as the best practise in product security, one could assume that the commercial tools would show up in a study like this.
We reached out to Cigital and Forrester, and managed to get them together for a Fuzzing 101 webinar. Dr.Chenxi Wang (Forrester) and Sammy Migues (Cigital) will explore the area of fuzzing usage together with me, and at least I personally look forward to seeing what will come out of it.