sodge IT Success Story
sodge IT accelerated their development process by implementing automated security tests in their CI/CD, and fixed critical vulnerabilities in their supply chain.
> 10 Employees
The software company sodge IT, has high-security demands and thus invests a large amount of time in security testing. Especially open-source components often pose a security risk in their supply chain. For this reason, their developers had to regularly spend days and weeks to review these open-source components, which significantly slowed down the development process.
sodge IT was looking for a way to make their security testing more efficient and effective. Continuous fuzz testing helped them to speed up their development process and to make the open-source components in their supply chain more reliable and secure.
sodge IT automated their security testing, by implementing the CI Fuzz testing platform into their CI/CD. The automation helped them to instantly find and fix 3 new vulnerabilities in one of their open-source components (CVE-2020-9385 and CVE-2021-27799, CVE-2021-39247).
The automation also simplified sodge IT's testing processes. Their developers are now capable to test software with dynamic inputs, which helped them to significantly improved both the efficiency and effectiveness of their security testing.
"We have always been searching for a better solution than our scripts to automate fuzzing in our CI. CI Fuzz is a good solution with a very good integration in VS Code."
Early software testing is an essential procedure for application security, especially when it comes to open-source components in the supply chain. The developers struggle with the manual time-consuming approaches and complex tools, that are distressing to integrate.
Thus, sodge IT was highly concerned about the security and reliability of an open-source project that one of their customers wanted to use in an upcoming product. In order to test this library, sodgeIT thought about implementing feedback-based fuzzing as a dynamic testing method, but they faced two major challenges.
In the past, developers at sodge IT needed up to 3 weeks per project to get fuzzing tools like AFL or libFuzzer up and running for a project.
But despite the immense workload required, sodge IT still wanted to benefit from automated security testing solutions without diverting resources from other high-profile projects.
sodge IT solved most of their problems, by implemented the CI Fuzz testing platform into their CI/CD. In the course of two hours, the developers got the project up and running with CI Fuzz. The automated security tests provided a powerful crash analysis, and reported bugs and vulnerabilities in a user-friendly dashboard. With CI fuzzing platform, sodge IT is now also capable to keep track of the code coverage.
Being finally capable to quickly set up fuzz tests in the user interface, helped the developers to implement new tests considering all link-time and compile-time dependencies, which significantly reduced the manual effort to a minimum.
Developers at sodge IT are now able to apply automated pentests on each commit, which significantly improved the security of their software and their supply chain.
Within the very first minutes of testing, CI Fuzz managed to identify a critical vulnerability in one of their critical open-source components (ZINT Barcode Generator). This testing platform automatically detected a stack buffer overwrite of up to 14 bytes.
When entering malicious inputs, provided in the bug report, it would in the best-case scenario cause a crash leading to a denial of service (DoS). If exploited properly this vulnerability can lead to more severe damage, for example, a remote code execution. At the end of the story, the finding was accepted as CVE-2020-9385 with the base score 7,5 (“high severity”).