Skip to content
Simon Resch2 min read

Continuous REST API Testing With CI Fuzz

CI Fuzz is a platform for automated security testing that aims to enable developers to ship secure software fast. The platform empowers development teams to automatically deploy continuous REST API security tests with each pull request. Since it enables the instrumentation of entire web service environments, CI Fuzz can create test inputs that are guided by code coverage. This enables it to uncover complex vulnerabilities and edge cases that other tools often overlook.

In the open-source project Jsoup, more than 19 bugs (CVE-2021-37714), including several DoS vulnerabilities were fixed thanks to CI Fuzz. The finding enabled users to avoid downtime by updating to the latest version of Jsoup


Check out the full recording


REST API Security for Enterprise

With a strong focus on usability and automation, the CI Fuzz platform enables you to run the majority of security tests yourself. One of the platform’s main benefits is that it enables you to integrate continuous security testing cycles early on in the development process. The platform can be configured to test the codebase with each pull request, or even at each code change.  

The Technology Behind CI Fuzz

The testing approach used by CI Fuzz is based on feedback-based fuzzing. Feedback-based fuzzing, also called coverage-guided fuzzing, is a dynamic testing method that uses information about the internal structure of a program to maximize the code coverage of test inputs. The fuzzer receives feedback about the structure and endpoints of your application, which it then uses to craft inputs that specifically test APIs.

Bug Detectors Protect Against Unexpected Edge Cases

With CI Fuzz you can apply intelligent bug detectors and security checks to identify bugs and security vulnerabilities. These features enable you to identify problematic edge cases and vulnerabilities that are often missed by static testing solutions.

Minimal Manual Configuration Thanks to Autofuzz Mode

Since CI Fuzz is a cloud-based application security testing platform, that is readily available online. All you need to do is follow the instruction manual to instrument your API endpoints precisely and start your first fuzzing runs. With the new autofuzz mode, you will be able to automatically generate test harnesses. 

CI Fuzz Runs In Your Development Environment

CI Fuzz is basically compatible with every IDE, Build System, and CI/CD pipeline. Integrating CI Fuzz into your infrastructure will enable you to test your codebase continuously, throughout the different stages of the software development life-cycle. 

Debug REST APIs With a Few Clicks

Since CI Fuzz uses a dynamic testing approach, it can provide stack traces that enable you to easily reconstruct crashes. After a bug is found, the CI Fuzz debugging feature takes you directly to the affected part of your REST API, where you can set up your IDE with a test case and start fixing the bug.

Debugging-and-No-false-positives (compressed)-2

Triage Bugs With Automated Bug Reporting

CI Fuzz automatically ranks security issues by their severity and presents them in a dashboard. There, you can keep track of code coverage, and bug findings and generate reports to share with your team. 

Maximize Code Coverage

CI Fuzz is a white-box testing approach that automatically measures and improves code coverage. This allows testers to efficiently close in on problematic inputs that could cause web applications to crash, or leak information. 

Coverage Reporting

Book a Demo With Our Security Experts

For deeper insights into our REST API fuzzing and CI Fuzz, book a demo with one of our security experts. We will walk you through the fuzzing process and answer your questions.

Book a Demo

Related Articles