Fuzzing is the only proactive security assessment technique for analyzing closed-source software components, and I am a strong supporter of using fuzzing in the software development life-cycle. Earlier, in my blog entry titled Fuzzing Is Still Widely Unknown, I commented the fact that everyone is already doing fuzzing. Now that the BSIMM study is public, we can analyze it a bit further.
BSIMM was built by interviewing nine leading product security initiatives, including Adobe, DTCC, EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. Individual interviews were aimed at finding the key activities that made those initiatives successful. The list of most common product security activities included the use of security testing tools (fuzzing) in the quality assurance process (all interviewed organizations admitted doing this). Also seven out of the nine product security teams said they use customized fuzzing frameworks. The level of detail from fuzzing perspective does not reveal much, yet.
Another interesting aspect of studying fuzzing usage is by interviewing the general security audience and their use of fuzzing tools. Forrester research sends out a questionnaire to thousands of leading security people, and has questions regarding usage of fuzzing. Most fuzzing frameworks are extremely complex scripting environments which you would not expect to see your own CIO or CSO (or her team) using. On the other hand commercial tools take the opposite approach, being just point and click tools where the most complex thing you need to know is the IP address of the test target. If fuzzing is really been adopted as the best practise in product security, one could assume that the commercial tools would show up in a study like this.
We reached out to Cigital and Forrester, and managed to get them together for a Fuzzing 101 webinar. Dr.Chenxi Wang (Forrester) and Sammy Migues (Cigital) will explore the area of fuzzing usage together with me, and at least I personally look forward to seeing what will come out of it.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
