Fuzzing is a powerful tool that detects bugs in programs. Hackers regularly use fuzz testing to discover software vulnerabilities to build their attacks. However, companies can also use fuzzing to find and fix vulnerabilities and thus improve the security of their software. Since both attackers and defenders have access to powerful IT resources, fuzzing has become an essential tool in the “arms race” between hackers and security experts.
In recent years, feedback-based fuzzing has experienced an unmatched success story. For example, over 27,000 bugs have been found in Google Chrome and several open-source projects. This infographic gives a broad overview of what fuzzing actually is and why you should use it in the SDLC. If you want to learn more about the underlying technology, read "The Power of Feedback-Based Fuzzing".
Advantages and Disadvantages of Fuzzing
Fuzzing can be very useful, but it is not a panacea. Here are some of the advantages and disadvantages of feedback-based fuzzing:
Advantages:
- Fuzzing is an almost completely automated testing technology that drastically reduces the manual effort for developers/testers.
- The test design of fuzzing is extremely simple and free of preconceptions about system behavior.
- Fuzzing finds bugs and vulnerabilities which are not detectable by other approaches (e.g. unit tests). See a list of some exemplary CVEs.
- Fuzzing produces virtually no false positives. If the fuzzer finds something, it is a confirmed problem and testers/developers need to take action.
- Once a fuzzer is up and running, it can search for bugs for hours, days, or months without further manual interaction.
- Several engines can test source code simultaneously, which makes fuzzing a highly scalable testing technology.
- Fuzzing provides an overall picture of the robustness of the tested software.

Disadvantages:
- Open-source fuzzing tools require a lot of manual effort in order to achieve efficient testing results.
- The integration of fuzzing technologies into the development process requires expert knowledge in the field of IT security testing. The lack of security experts on the market makes it even more difficult for companies to meet security requirements by using feedback-based fuzzing.