[fuzzing] Hey all

Dave Sanford dsanford at austin.rr.com
Sat Mar 15 08:16:58 CDT 2008


Ari Takanen wrote:
> If I am reviewing a VA services company that claims to do 
> fuzzing, I check out which tools they can use, and how well 
> they use them. If they build custom one-off fuzzers, or only 
> use one or two open source fuzzers, I recommend our customers 
> to stay away from them.

I'm a lurker and have never built a fuzzer, but I have proposed
that my primary client add fuzz testing to their development
process.  Let's say an internal organization is going to evaluate
their own professionalism or they are looking for a vulnerability
assessment services company that is providing a fuzzer-based service.

I think that I would only target the input functions of software
that was written by the end client, and not try to fuzz test
widely used COTS software.

What would professionalism look like in this context?


