sodge IT accelerated their development process by implementing automated security tests in their CI/CD, and fixed critical vulnerabilities in their supply chain.
Industry
Software Development
Department
Development
Size
> 10 Employees
Location
Balingen, Germany
The Results
A Secure Software Supply Chain
The software company sodge IT, has high-security demands and thus invests a large amount of time in security testing. Especially open-source components often pose a security risk in their supply chain. For this reason, their developers had to regularly spend days and weeks to review these open-source components, which significantly slowed down the development process.
sodge IT was looking for a way to make their security testing more efficient and effective. Continuous fuzz testing helped them to speed up their development process and to make the open-source components in their supply chain more reliable and secure.
Fixed 3 CVEs in Critical Open-Source Component
sodge IT automated their security testing, by implemented the CI Fuzz testing platform into their CI/CD. The automation helped them to instantly find and fix 3 new vulnerabilities in one of their open-source components (CVE-2020-9385 and CVE-2021-27799, CVE-2021-39247).
Less False Positives
The automation also simplified sodge IT's testing processes. Their developers are now capable to test software with dynamic inputs, which helped them to significantly improved both the efficiency and effectiveness of their security testing.
"We have always been looking for a better solution than our scripts to automate fuzzing in our CI. CI Fuzz is a good solution with a very nice integration in VS Code."
Götz Martinek
Managing Director // sodgeIT
The Challenge
Simplified Use of Advanced Fuzzing Practices
Early software testing is an essential procedure for application security, especially when it comes to open-source components in the supply chain. The developers struggle with the manual time-consuming approaches and complex tools, that are distressing to integrate.
Thus, sodge ITwas highly concerned about the security and reliability ofan open-source projectthat one oftheir customerswanted to use in an upcoming product. In order to test this library, sodgeIT thought about implementing feedback-based fuzzing as a dynamic testing method, but they faced two major challenges.
Manual Effort
Open-source fuzzers like AFL or libFuzzer require advanced knowledge and involved a huge amount of manual effort.
High Complexity
In the past, developers at sodge IT needed up to 3 weeks per project to get fuzzing tools like AFL or libFuzzer up and running for a project.
But despite the immense workload required,sodge IT still wanted to benefit from automated security testing solutions without diverting resources from other high-profile projects.
The Solution
The CI Fuzz Testing Platform
sodge IT solved most of their problems, by implemented the CI Fuzz testing platform into their CI/CD. In the course of two hours, the developers got the project up and running with CI Fuzz. The automated security tests provided a powerful crash analysis, and reported bugs and vulnerabilities in a user-friendly dashboard. With CI fuzzing platform, sodge IT is now also capable to keep track of the code coverage.
Increased Automation
Being finally capable to quickly set up fuzz tests in the user interface, helped the developers to implement new tests considering all link-time and compile-time dependencies, which significantly reduced the manual effort to a minimum.
Broad Application Testing
Developers at sodge IT are now able to apply automated pentests on each commit, which significantly improved the security of their software and their supply chain.
The Success
Fixed Critical Vulnerabilities In Open-Source Component
Within the very first minutes of testing, CI Fuzz managed to identify a critical vulnerability in one of their critical open-source components (ZINT Barcode Generator). This testing platform automatically detected a stack buffer overwrite of up to 14 bytes.
When entering malicious inputs, provided in the bug report, it would in the best-case scenario cause a crash leading to a denial of service (DoS). If exploited properly this vulnerability can lead to more severe damage, for example, a remote code execution. At the end of the story, the finding was accepted as CVE-2020-9385 with the base score 7,5 (“high severity”).
Get Started With CI Fuzz
Deliver secure and reliable software along your entire supply chain.
/250x250/SOURCE_Smart%20Bug%20Detection.png "3 CVEs found in ZINT")
/250x250/SOURCE_limitations_neu.png "SOURCE_limitations_neu")
