Skip to content
SodgeIT_Grey

How sodge IT accelerated their development process by implementing automated security tests in their CI/CD, and fixed critical vulnerabilities in their supply chain.


Industry
Software Development

Department
Development

Size
> 10 Employees

Location
Balingen, Germany

The Results

A Secure Software Supply Chain

 
The software company sodge IT, has high-security demands and thus invests a large amount of time in security testing. Especially open-source components often pose a security risk in their supply chain. For this reason, their developers had to regularly spend days and weeks to review these open-source components, which significantly slowed down the development process.

sodge IT was looking for a way to make their security testing more efficient and effective. Continuous fuzz testing helped them to speed up their development process and to make the open-source components in their supply chain more reliable and secure.

Fixed 3 CVEs in Critical Open-Source Component

sodge IT automated their security testing, by implementing the CI Fuzz testing platform into their CI/CD.  The automation helped them to instantly find and fix 3 new vulnerabilities in one of their open-source components (CVE-2020-9385 and CVE-2021-27799CVE-2021-39247).
 

Less False Positives

The automation also simplified sodge IT's testing processes. Their developers are now capable to test software with dynamic inputs, which helped them to significantly improved both the efficiency and effectiveness of their security testing. 

"We have always been searching for a better solution than our scripts to automate fuzzing in our Continuous Integration. Code Intelligence is a good solution with a very good integration in VS Code."

Götz Martinek
Managing Director // sodgeIT

Watch CI Fuzz Demo
götz martinek

The Challenge

Simplified Use of Advanced Fuzzing Practices

 
Early software testing is an essential procedure for application security, especially when it comes to open-source components in the supply chain. The developers struggle with the manual time-consuming approaches and complex tools, that are distressing to integrate.

Thus, sodge IT was highly concerned about the security and reliability of an open-source project that one of their customers wanted to use in an upcoming product. In order to test this library, sodgeIT thought about implementing feedback-based fuzzing as a dynamic testing method, but they faced two major challenges.  

Manual Effort

Open-source fuzzers like AFL or libFuzzer require advanced knowledge and involved a huge amount of manual effort. 
 

High Complexity

In the past, developers at sodge IT needed up to 3 weeks per project to get fuzzing tools like AFL or libFuzzer up and running for a project. But despite the immense workload required, sodge IT still wanted to benefit from automated security testing solutions without diverting resources from other high-profile projects. 

The Solution

The CI Fuzz Testing Platform

 
sodge IT solved most of their problems, by implemented the CI Fuzz testing platform into their CI/CD.  In the course of two hours, the developers got the project up and running with CI Fuzz. The automated security tests provided a powerful crash analysis, and reported bugs and vulnerabilities in a user-friendly dashboard. With CI fuzzing platform, sodge IT is now also capable to keep track of the code coverage.

Increased Automation

Being finally capable to quickly set up fuzz tests in the user interface, helped the developers to implement new tests considering all link-time and compile-time dependencies,  which significantly reduced the manual effort to a minimum.
 

Broad Application Testing

Developers at sodge IT are now able to apply automated pentests on each commit, which significantly improved the security of their software and their supply chain.
Screenshot of the CI Fuzz testing platform
Watch Demo

The Success

Fixed Critical Vulnerabilities In Open-Source Component

 

Within the very first minutes of testing, CI Fuzz managed to identify critical vulnerability in one of their critical open-source components (ZINT Barcode Generator). This testing platform automatically detected a stack buffer overwrite of up to 14 bytes.

When entering malicious inputs, provided in the bug report, it would in the best-case scenario cause a crash leading to a denial of service (DoS). If exploited properly this vulnerability can lead to more severe damage, for example, a remote code execution. At the end of the story, the finding was accepted as CVE-2020-9385 with the base score 7,5 (“high severity”).

Get Started With CI Fuzz

Contact our developers to uncover how the CI Fuzz testing platform can help you provide secure and reliable software.

 
Get Started