[fuzzing] Hey all

[Sergio 'shadown' Alvarez]

I forgot one thing:

I you are willing to certify something....certify the fuzzer as 
application, and that certification would be per protocol or file format.
If it covers the minimum prerequisites:
	- implement ALL the RFC or specs for a certain protocol of file format
	- and if it covers the minimum testes cases per each 'datatype' that 
builds that specific protocol/file format.

And then again you would be certifying that it covers the basics, the 
rest is just a matter of art/Intuition/whatever you wanna call it.

Have a nice day.

Cheers,
   Sergio


Sergio 'shadown' Alvarez wrote:
> Hi *,
> 
> Just to make the long story short.
> If you mean fuzzing as following an RFC implement the specs as they 
> should be and so, then that is the something similar to perform a decent 
> Unitesting or Algorithm/Function testing, that would be so easy that I 
> think a 'Certification' is waaaaay to much.
> Now, if you talk about fuzzing as it should be: Taking a target 
> application, combining reverse engineering to make your fuzzer cover all 
> the possible path-flows (not just code coverage) and instrument your 
> fuzzer to target specific areas. In that case fuzzing would be: 
> Fuzzing+Reverse Engineering+Runtime Analysis. To cover that the skills 
> level is waaay superior to the previous one.
> Then you get into the RE field...so please don't come with something 
> like, reverse engineering certifications....because it's so huge that 
> only very few guys are real authorities to talk about it.
> That said, fuzzing is JUST ONE PART of the whole 'application 
> pentesting/auditing', where proper skills level and creativity are needed.
> 
> So, no, I don't think fuzzing is certifiable, and I'm sure a lot of 
> people agree with me.
> 
> Cheers,
>   Sergio

-- 
Sergio 'shadown' Alvarez
Security Researcher
===============================
email: shadown at gmail.com
gpg  : F140 A2E4 1675 BDB6 9FE4
        F53A 7969 7104 75CD B86E