In order to find software flaws and vulnerabilities, fuzzing, also known as fuzz testing, involves injecting erroneous, abnormal, or unexpected inputs into a system. A fuzzing tool introduces these inputs into the system and then checks for anomalies like crashes or data leaks. Fuzzing, to put it another way, is the process of introducing unexpected inputs into a system while monitoring for any unfavorable responses from the system that might point to security, performance, or quality flaws.
The history of fuzz testing
Fuzz testing is unique in another sense as well: the concept’s origin is the subject of a tale. Barton Miller, a professor at the University of Wisconsin – Madison, attempted to view code remotely via a dial-up connection in 1988, but the program kept crashing due to feedback from a rainstorm. Miller and his students’ study was motivated by the hypothesis that code could not withstand extraneous “noise.” They noticed that when triggered by random, unexpected inputs, Windows, Mac, and Unix programs would frequently crash. Fuzzing for Software Security Testing and Quality Assurance was written in part by Miller.
Companies Implementing Fuzz Testing
Fuzzing is being used by some of the biggest and most reputable companies in the world as part of their quality assurance and cybersecurity efforts:
Millions of lines of code in Chrome are inspected and safeguarded using fuzzing by Google. Through internal fuzz testing, Google found more than 20,000 vulnerabilities in Chrome in 2019.
Fuzzing is a stage in the software development lifecycle used by Microsoft to identify flaws and increase the reliability of its products.
Fuzz testing is a required component of software development procedures according to the DevSecOps Reference Design and the Application Security Guide published by the US Department of Defense (DoD).
Types of fuzz testing
Fuzz testing can be divided into two categories: behavioral and coverage-guided.
Coverage-guided fuzz testing concentrates on the source code while the application is in operation, probing it with arbitrary challenges to find bugs. With each new test, the intention is to cause the application to crash. A crash indicates a potential issue, and information obtained from the coverage-guided fuzz testing procedure will enable a tester to replicate the crash, which is useful when attempting to discover at-risk code.
Different principles govern behavioral fuzz testing. The mismatch between the expected and the reality is typically where vulnerabilities or other potential security issues can be found. Using specs to show how an application should work, it employs random inputs to determine how the program actually performs.
Benefits of fuzz testing
Due to its random nature, experts think fuzz testing is crucial for DevSecOps since it’s the approach most likely to uncover problems that other tests have missed. It’s also regarded as a testing approach that requires remarkably little work, or what some prefer to refer to as “set it and forget it.” Fuzz testing is entirely automated once the test harness is established and will continue to run indefinitely. It is a fantastic option for regression testing and can readily scalable by spinning up more machines.
The use of fuzzy testing in conjunction with a manual testing team is also recommended because each set of inputs will benefit the other.
Fuzzing Practice
Testing continually is the best way to use fuzzing. Fuzzing should therefore be incorporated into CI/CD (Continuous Integration / Continuous Delivery) pipelines. As a result, developers can swiftly resolve security vulnerabilities before they become an issue and benefit from fast feedback cycles. However, developers should take care not to overly stall the workflow while using CI/CD fuzzing. This is because, in some cases, fuzzing can take a very long period.
By establishing certain time windows for fuzzing, this issue can be resolved. For instance, between the hours of 10 p.m. and 6 a.m. Alternately, by regularly running regression tests. To avoid having to start from zero with each test, the fuzzer can also assume control of the corpus and crash inputs from earlier test runs.
It can also be helpful to incorporate fuzzing tools into code hosting platforms like Gitlab or GitHub when working in bigger development teams. This makes it easier for teams to communicate and notifies developers if a pull request encounters an issue. Such linkages, in addition to practical interfaces to issue tracking platforms like Jenkins and Jira, are provided by certain commercial fuzzing solutions.
Modern Java programs include dependencies that can be exploited for vulnerabilities that can be used to quickly disseminate malicious data across several microservices. Attackers can frequently gain access to significant portions of the entire web backend using a modest entry point since many microservices fully trust inputs from internal sources. The RCE discovered in the well-known Java library log4j, which had an impact on thousands of Java applications worldwide, most recently demonstrated this.