Industry: Software Development

Department: Development

Size: > 10 Employees

Location: Balingen, Germany

The Results

A Secure Software Supply Chain

The software company sodge IT has high security demands and therefore invests a large amount of time in security testing. Open-source components in particular are a recurring risk in their software supply chain. For this reason, their developers regularly had to spend days or weeks reviewing these components, which significantly slowed down development.

sodge IT was looking for a way to make their security testing more efficient and effective. Continuous fuzz testing helped them to speed up their development process and to make the open-source components in their supply chain more reliable and secure. 

Fixed 3 CVEs in Critical Open-Source Component

sodge IT automated their security testing by integrating the CI Fuzz testing platform into their CI/CD pipeline. The automation helped them to quickly find and fix 3 new vulnerabilities in one of their open-source components (CVE-2020-9385, CVE-2021-27799 and CVE-2021-39247).

Fewer False Positives

The automation also simplified sodge IT's testing processes. Their developers are now able to test software with dynamic, fuzzer-generated inputs, which significantly improved both the efficiency and the effectiveness of their security testing.

3 CVEs found in ZINT (sodgeIT)

"We have always been looking for a better solution than our scripts to automate fuzzing in our CI. CI Fuzz is a good solution with a very nice integration in VS Code."

Götz Martinek
Managing Director // sodgeIT
The Challenge

Simplified Use of Advanced Fuzzing Practices

Early software testing is an essential part of application security, especially for open-source components in the supply chain. Developers struggle with manual, time-consuming approaches and with complex tools that are difficult to integrate.

sodge IT was concerned about the security and reliability of an open-source project that one of their customers wanted to use in an upcoming product. To test this library, sodge IT considered feedback-based (coverage-guided) fuzzing as a dynamic testing method, but they faced two major challenges.

Manual Effort

Open-source fuzzers like AFL or libFuzzer require advanced knowledge and involve a large amount of manual effort: a harness has to be written for each entry point, the project has to be built with the right instrumentation, and crashes have to be triaged by hand.

High Complexity

In the past, developers at sodge IT needed up to 3 weeks to get fuzzing tools like AFL or libFuzzer up and running for a single project.

Despite this workload, sodge IT still wanted to benefit from automated security testing without diverting resources from other high-priority projects.

The Solution

The CI Fuzz Testing Platform

sodge IT solved most of these problems by integrating the CI Fuzz testing platform into their CI/CD pipeline. Within two hours, the developers had the project up and running with CI Fuzz. The automated security tests provided crash analysis and reported bugs and vulnerabilities in a dashboard. With the platform, sodge IT can now also keep track of the code coverage reached by their fuz tests.

Increased Automation

Being able to set up fuzz tests quickly in the user interface let the developers add new tests that take all link-time and compile-time dependencies into account, which reduced the manual effort to a minimum.

Broad Application Testing

Developers at sodge IT are now able to run automated fuzz tests (which they treat as automated pentests) on each commit, which significantly improved the security of their software and their supply chain.

The Success

Fixed Critical Vulnerabilities In Open-Source Component

Within the first minutes of testing, CI Fuzz identified a critical vulnerability in one of their key open-source components, the ZINT Barcode Generator. The platform automatically detected a stack buffer overwrite of up to 14 bytes.

Feeding the malicious input from the bug report to the library causes, in the most benign case, a crash and therefore a denial of service (DoS). A stack buffer overwrite of this kind can in principle be exploited for more severe outcomes, for example remote code execution. The finding was accepted as CVE-2020-9385 with a CVSS base score of 7.5 ("high severity").
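The stack buffer overwrite described above is exactly the bug class that feedback-based fuzzing with AddressSanitizer finds quickly, and it also shows what the "manual effort" of writing a libFuzzer harness (mentioned in The Challenge) actually looks like. The following is an added example, not code from sodge IT, Code Intelligence or the ZINT project: a libFuzzer-style fuzz target around a constructed toy "symbol encoder" with a fixed-size stack buffer, next to a bounds-checked version of the same routine. The functions `encode_unchecked` and `encode_checked` and the buffer sizes are hypothetical and chosen for illustration; they do not reproduce ZINT's code or the 14-byte figure from the report.

```c
/*
 * Added example (not code from sodge IT, Code Intelligence or the ZINT
 * project): a libFuzzer-style fuzz target around a small, constructed
 * "symbol encoder" that mimics the bug class described above, a fixed
 * stack buffer that is overwritten when an input is longer than the
 * encoder assumed. encode_unchecked() and encode_checked() are
 * hypothetical helpers written for this page; they are not ZINT's API.
 *
 * Build and run (clang, coverage-guided with AddressSanitizer):
 *   clang -g -O1 -fsanitize=fuzzer,address harness.c -o harness
 *   ./harness
 * ASan reports "stack-buffer-overflow" on the vulnerable path as soon as
 * the fuzzer produces an input longer than 16 bytes; the checked version
 * only ever returns an error code.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SYMBOL_BUF 32   /* fixed on-stack scratch buffer, as in many encoders */

/* Vulnerable: every input byte expands to two output bytes (a toy
 * "bar/space" encoding), but the 32-byte scratch buffer only has room
 * for 16 input bytes and the input length is never checked. */
int encode_unchecked(const uint8_t *in, size_t len, char *out, size_t out_len) {
    char scratch[SYMBOL_BUF];
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        scratch[n++] = (in[i] & 1) ? '#' : ' ';  /* overflows when len > 16 */
        scratch[n++] = '|';
    }
    if (n + 1 > out_len) return -1;
    memcpy(out, scratch, n);
    out[n] = '\0';
    return (int)n;
}

/* Hardened: reject inputs that cannot fit the scratch buffer or the
 * caller's buffer before writing a single byte.
 * Returns -1 on rejection, the encoded length otherwise. */
int encode_checked(const uint8_t *in, size_t len, char *out, size_t out_len) {
    char scratch[SYMBOL_BUF];
    size_t n = 0;
    if (len > SYMBOL_BUF / 2) return -1;          /* would overflow scratch */
    if (2 * len + 1 > out_len) return -1;          /* would overflow out */
    for (size_t i = 0; i < len; i++) {
        scratch[n++] = (in[i] & 1) ? '#' : ' ';
        scratch[n++] = '|';
    }
    memcpy(out, scratch, n);
    out[n] = '\0';
    return (int)n;
}

/* libFuzzer entry point: the fuzzer mutates `data`, guided by coverage
 * feedback from the instrumented build, and calls this once per
 * candidate input. Switch the call to encode_checked() to confirm the
 * fix: the fuzzer then runs without a sanitizer report. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char out[256];
    (void)encode_unchecked(data, size, out, sizeof out);
    return 0;
}
```

The crash-reproducing input the fuzzer saves (a `crash-<hash>` file) can be handed to the harness as a single argument, which is the same reproducer workflow a CI-integrated fuzzer automates: a failing input becomes a regression test that runs on every commit.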

Get Started With CI Fuzz

Deliver secure and reliable software along your entire supply chain.
