[fuzzing] Hey all
Ari Takanen
ari.takanen at codenomicon.com
Sat Mar 15 03:56:23 CDT 2008
Certification limits the usage and adoption through increasing quality
(of service or product), but it does not help in making fuzzing any
more widespread. The purpose of certifying a person conducting fuzzing
is just to guarantee to the buyer that the guy who claims to do
fuzzing actually knows what he is doing.
But if anyone is really considering this, you should first carefully
think if you want to certify someone in "building fuzzers" as opposed
to "using fuzzers". As someone pointed out, building a fuzzer is
child's play. Building a _good_ fuzzer takes a bit more
effort. Knowing which fuzzer to use in each vulnerability assessment
also takes some skill in a wide variety of tools, and a lot of ethics
from the person so that he will not promote whatever enables him to
sell most hours to the poor customer (which is typically building the
same proprietary in-house fuzzers over and over again for each
customer).
Most certification processes have failed miserably because they (CA's)
think certification is a business, and not a service to the
end-user. Most certifications have no real value to anyone. But I do
think that something has to be done to the quality of consultants
conducting VA services (including fuzzing). Professional skills in
fuzzing today can be proven in many ways, and I am not sure
certification is the right way to go.
If I am reviewing a VA services company that claims to do fuzzing, I
check out which tools they can use, and how well they use them. If
they build custom one-off fuzzers, or only use one or two open source
fuzzers, I recommend our customers to stay away from them.
Unfortunately there are very few good VA companies out there...
I would be happy to argue about the criteria on how to define the
profile for a good security analyst if you do not agree with me. ;)
/Ari
> From: eugaaa <eugaaa at gmail.com>
>
> On the other hand, an official certification would mean widespread
> acceptance as it would instantaneously have become an industry standard.
> A distasteful but effective idea :<
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Tutkijantie 4E
tel: +358-40 50 67678 FI-90570 Oulu
http://www.codenomicon.com Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-