Fuzzing: New Tests for Robustness and Security

[presentation]
by
Ari Takanen, Codenomicon Ltd.
Summary: 

Traditional security measures are doomed to fail because they are focused only on defending against known attacks, and studies show that more than 80 percent of software will likely crash when extensive negative testing is employed. Fuzzing is a new, proactive technique for discovering security vulnerabilities and robustness issues in software. Although fuzz testing is most often based on some form of syntax checking, random input testing can also be appropriate. Fuzzing is valuable during development, when application testers use the technique to surface issues, and in production, when security testers use it for audits. Any type of system can be fuzz tested, from enterprise solutions to consumer products such as mobile phones and set-top TV cable boxes. Ari Takanen discusses the origins of fuzzing, explains the different technologies used by fuzzers, and identifies current fuzzing tools along with their uses and limitations. Ari describes various metrics related to fuzzing that allow you to measure effectiveness and compare the efficiency of various tools.
