[fuzzing] fuzzing the corporate world
ge at linuxbox.org
Mon Jan 15 17:19:31 CST 2007
After a couple of folks said they liked it, I figured it is on-topic
enough to send it here. This is my lecture from CCC, I hope you like it
(I swear in it.. it's defcon-like, be warned PG-13).
It basically describes fuzzing and how it can be/is implemented in the
corporate world/as part of the development process/as certification/as
testing... etc. and how a fuzzer can be built to fit what the corporate
world is looking for.
This is not a technical lecture in any way - so skip it if that's what you
are looking for. We do cover the basics of black box testing with fuzzing,
>From the talk description:
(an updated PDF of the presentation should be there soon)
Fuzzing in the corporate world
The use of fuzzing in the corporate world over the years and recent
implementation of fuzzing tools into the development cycle and as a
requirement before purchase
We will discuss fuzzing uses by software vendors and in the corporate
world, for security auditing ("fuzzing before release") and third party
testing ("fuzzing before purchase"). We will look at what contributed to
this change in the use of fuzzing tools from home-grown hacking tools to
commercial products, as well as how these organizations implement fuzzing
into their development cycle.
Fuzzing has been used for a long time in the hacker scene. Mostly, these
tools have been home-grown. In the recent year, several commercial fuzzing
tools appeared. These in turn are now utilized by organizations in the
development cycle under the moto of "fuzzing before release", or "find the
vulnerability before hackers do". Another interesting and somewhat
unexpected development in the field is that end-clients are the largest
consumers of advanced fuzzing technology, performing tests on software
before purchase. Further, some large telcos and financial institutions now
demand for products to be certified (even if not by an official seal) by
fuzzing products which they authorize.
Is fuzzing finally a solution to reduce vulnerabilities in products rather
than just later discover them? How is it used by these corporations and
third-party organizations? Some methodologies as well as examples will be
presented, and we will also try to look into what the future holds.
More information about the fuzzing