While fuzzing may sound like just another buzzword in the cybersec landscape, it has continued to gain popularity over the last several years and shows no signs of going away.
Development teams know that unless their developers all just came down from Mount Olympus, there are likely to be security holes in their applications – and they need tools that can be used by anyone to simulate real attacks.
So they turned to fuzz testing, or fuzzing – a new approach to security testing that gives users the ability to think like a hacker.
But is fuzzing a new tool? Yes and no.
With several popular fuzzers on the market, fuzzing may have become a buzzword in the AppSec and DevOps communities in recent years, but the concept is not new.
The term “fuzzing” has been widely used for the better part of three decades after getting its name from Barton Miller during a 1988 University of Wisconsin class project. However, the concept, originally known as random testing and monkey testing, has been around since at least the 1950s.
But what is fuzzing? And is it really random?
What is fuzz testing?
Simply put, fuzzing is a “black box testing” method in which the application is tested from the outside in – as in a hacker trying to break in without having access to the source code.
Today, fuzz testing refers to the automated process of uncovering software security bugs by feeding mutated or malformed inputs into a program and analyzing the results until one of those inputs uncovers a vulnerability. It is a black box testing and quality assurance (QA) technique that relies on feeding massive amounts of data, called fuzz, into target software in a bid to crash it.
Fuzzing has been around for a while but has recently gained prominence as organizations are starting to understand the importance of thinking like a hacker in the fight against cyber attacks.
In your quest to discover zero-day vulnerabilities, fuzz testing is one of the most effective processes you can engage in to improve your cybersecurity resilience. Developers are able to use fuzzing to create more secure code by testing during the development and QA stages.
How does fuzz testing work?
Although it may seem that hackers spend a great deal of time studying different software or systems for security vulnerabilities, that isn’t always the case. They usually just poke around until they find a weakness to exploit. When this process of poking around is carefully recreated as a well-defined testing process, it’s called fuzzing.
Fuzz testing works by poking into software, firmware, networks and even hardware, in an effort to uncover bugs that can be exploited by hackers. Specialized tools, called fuzzers, are used to detect these vulnerabilities as quickly as possible.
While other application security (appsec) testing tools focus on detecting known vulnerabilities, which requires access to source code, fuzzers rely on using as many inputs as possible to uncover new and unknown bugs. Fuzzers can function with or without access to the software’s source code.
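The loop described in this section, as an added example that is not part of the original article: a small mutation-based fuzzer written for this page. It takes a valid seed input, applies one random mutation per test case (bit flip, boundary byte, insert, delete), runs the target, and records every input that made it crash. The target, parse_records, is a constructed toy parser for a length-prefixed record format with a deliberate missing bounds check; the seed bytes and the helper names (mutate, run_case, fuzz) are this example's own assumptions. The fuzzer treats the parser's intended ValueError as a clean rejection, not a finding, and counts any other exception as a crash, which is the same distinction a native fuzzer draws between a rejected input and a segfault.

```python
import random

# Constructed toy target for this example: a length-prefixed record format.
# Layout: 2-byte big-endian record count, then `count` records of
# [1-byte length][length bytes]. The bug is deliberate: the count and the
# per-record length are trusted, so a malformed input reads past the buffer
# (an IndexError here; the same logic in C would be an out-of-bounds read).
def parse_records(data: bytes) -> list:
    if len(data) < 2:
        raise ValueError("truncated header")   # intended, well-behaved rejection
    count = int.from_bytes(data[:2], "big")
    pos = 2
    records = []
    for _ in range(count):
        length = data[pos]        # IndexError once count exceeds the records present
        pos += 1
        records.append(data[pos:pos + length])
        pos += length
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to a seed: bit flip, boundary byte, insert, or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])   # values that sit on boundaries
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def run_case(target, data: bytes):
    """Return None when the target accepts or cleanly rejects the input, else the exception."""
    try:
        target(data)
    except ValueError:
        return None      # the parser's intended rejection of bad input is not a bug
    except Exception as exc:
        return exc       # anything else is the analogue of a crash
    return None


def fuzz(target, seeds, iterations: int, seed: int = 0) -> list:
    """Mutation-based fuzz loop: returns every input that made the target crash."""
    rng = random.Random(seed)          # fixed seed so a campaign can be replayed
    crashing_inputs = []
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        if run_case(target, data) is not None:
            crashing_inputs.append(data)
    return crashing_inputs


# Constructed valid seed: two records, "ab" and "cde".
SEEDS = [b"\x00\x02\x02ab\x03cde"]

if __name__ == "__main__":
    found = fuzz(parse_records, SEEDS, 2000)
    if found:
        print(f"{len(found)} crashing inputs in 2000 cases; first: {found[0]!r}")
    else:
        print("no crashes found")
```

Every input in the returned list reproduces the crash on replay, which is the property that makes a fuzzing finding actionable: the mutated bytes are the test case you hand to the developer.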
Smart fuzzers and dumb fuzzers
While most fuzzers use strictly random inputs to probe software (i.e., dumb fuzzers), there is a new breed of fuzzers, smart fuzzers, that are programmed with some knowledge of the inputs and file types the target expects.
Rather than throw lots of random fuzz at software, smart fuzzers use algorithms to determine which attacks are most likely to succeed. Smart fuzzers can test all internet protocols, even complex ones such as SIP. Smart fuzzers also test the compiled binary, and are therefore independent of the programming language. All of these capabilities mean smart fuzzers are more likely to find a vulnerability, and in less time.
The 5 benefits of fuzzing
As hacker mentality continues to evolve, so too will the need for more effective security testing tools. If your organization is going to stay ahead of cyber criminals in today’s world, it will need a cybersecurity strategy that actively promotes fuzzing at every stage of the software development life cycle. Here are five benefits of adding fuzzing to your penetration testing toolbox.
A cost-effective security test – The benefits-to-cost ratio of fuzz testing, when compared with other security testing techniques, makes it ideally suited for businesses on a budget. By allowing cost-conscious companies to discover software bugs exploitable by hackers, fuzzing delivers a cost-effective security testing solution.
Guards against zero-day vulnerabilities – Zero-day vulnerabilities are the nightmares of every CISO. However, when executed successfully as part of your organization’s black box testing, fuzzing can effectively help you reduce the possibility of zero-day vulnerabilities.
Discovers coding errors at early stages of your SDLC – By incorporating fuzz testing in different stages of your software development life cycle (SDLC), you’re able to discover most coding errors during the development or quality assurance (QA) stages, which is much cheaper than discovering them in production.
Improves security testing results – While fuzz testing may not be a comprehensive security testing solution on its own, when deployed as part of your black box security testing strategy, it certainly enhances your security testing results.
Ensures that all potential security vulnerabilities are explored – The concept of fuzzing works in such a way that all potential loopholes are explored or tested, and unknown vulnerabilities are discovered.
How to choose a fuzzing tool
Different providers offer fuzzers with a wide range of features and capabilities. However, there are some essential features you should look for in a fuzzing tool.
Support for multiple protocols – With more than 250 fuzzers in the market, there’s a great deal of variation among them. While some fuzzers offer support for vendor-specific and self-developed protocols and can be extended, others may not. Fuzzers should support your existing protocols as well as future ones.
Speed – When it comes to detecting vulnerabilities, time is everything. A reliable fuzzer should be able to run as many test cases per second as the target can absorb. Whether it’s dumb fuzzing that relies on random inputs or smart fuzzing that utilizes intelligent inputs, getting a fuzzer that can run as many test cases as possible per second is crucial to discovering your application security (appsec) vulnerabilities.
Code coverage – Code coverage refers to how much of a software’s code has been executed by a fuzzer. The more code covered the more thorough the test. However, just testing a lot of code is not the answer. Unless you know which parts of the source code are executed, you don’t really know how thorough the test is. Ideally you have a fuzzer that lets you know which sections of the source code have been tested.
Crash categorization – The role of fuzz testing does not end with discovering potential crashes. Once you find a crash, the next step will usually be to correct the code. However, with potentially hundreds of thousands of test cases being run per second, treating each crash on an individual basis is impossible. A fuzz tester that categorizes crashes will allow you to prioritize them and identify those with similar bugs for more efficient problem resolution.
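Three of the points above, the dumb-versus-smart distinction from the earlier section, code coverage, and crash categorization, can be shown in one campaign. The following is an added example written for this page, not code from the article or from any fuzzing product. The target, handle_command, is a constructed toy command protocol ("CMD <VERB> <ARG>") with two deliberate bugs; the generator names, the verb list and the boundary values are this example's assumptions. A dumb generator emits uniformly random bytes, a smart one knows the grammar and fills arguments with boundary values. Coverage is measured as the set of source lines of the target that each campaign executed, using the standard library's sys.settrace rather than a compiler instrumentation pass, and each crash is bucketed by (exception type, function, line), a minimal form of the stack-based signature that lets you see how many distinct bugs sit behind a pile of crashes.

```python
import random
import sys
import traceback

# Constructed toy target: "CMD <VERB> <ARG>". ValueError is the parser's intended
# rejection of malformed input; any other exception models a crash. Both bugs
# are deliberate for this example.
def handle_command(msg: bytes) -> str:
    if not msg.startswith(b"CMD "):
        raise ValueError("bad magic")
    verb, _, arg = msg[4:].partition(b" ")
    if verb == b"GET":
        if len(arg) < 2:
            raise ValueError("key too short")
        return "get:%02x" % arg[1]
    if verb == b"CHUNK":
        if not arg:
            raise ValueError("missing size")
        size = arg[0]                         # bug: input-controlled divisor, zero not rejected
        return "chunks:%d" % (len(arg) // size)
    if verb == b"IDX":
        if not arg:
            raise ValueError("missing index")
        return "byte:%d" % arg[arg[0]]        # bug: index from input, never bounds-checked
    raise ValueError("unknown verb")


# Assumed protocol knowledge given to the smart generator (this example's own).
VERBS = [b"GET", b"CHUNK", b"IDX", b"NOPE"]
BOUNDARY_ARGS = [b"", b"\x00", b"\x01", b"\xff", b"\x00" * 8, b"A" * 64]


def dumb_generate(rng: random.Random) -> bytes:
    """Dumb fuzzer: uniformly random bytes, no knowledge of the format."""
    return rng.randbytes(rng.randrange(1, 16))


def smart_generate(rng: random.Random) -> bytes:
    """Smart fuzzer: valid framing plus a known verb, argument built from boundary values."""
    verb = rng.choice(VERBS)
    arg = rng.choice(BOUNDARY_ARGS) + rng.randbytes(rng.randrange(0, 4))
    return b"CMD " + verb + b" " + arg


def run_with_coverage(target, data: bytes):
    """Run one case; return (set of target line numbers executed, crash exception or None)."""
    covered = set()

    def tracer(frame, event, arg):
        if frame.f_code is target.__code__:   # only trace the target's own frame
            if event == "line":
                covered.add(frame.f_lineno)
            return tracer
        return None

    sys.settrace(tracer)
    try:
        target(data)
    except ValueError:
        return covered, None                  # intended rejection, not a finding
    except Exception as exc:
        return covered, exc
    finally:
        sys.settrace(None)
    return covered, None


def crash_signature(exc: BaseException) -> tuple:
    """Bucket key: exception type plus the innermost frame that raised it."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return (type(exc).__name__, frame.name, frame.lineno)


def run_campaign(generate, iterations: int, seed: int = 0):
    """Return (lines covered, {crash signature: first input that triggered it})."""
    rng = random.Random(seed)
    covered, crashes = set(), {}
    for _ in range(iterations):
        data = generate(rng)
        cov, exc = run_with_coverage(handle_command, data)
        covered |= cov
        if exc is not None:
            crashes.setdefault(crash_signature(exc), data)
    return covered, crashes


if __name__ == "__main__":
    for name, gen in (("dumb", dumb_generate), ("smart", smart_generate)):
        cov, crashes = run_campaign(gen, 2000)
        print(f"{name}: {len(cov)} target lines covered, {len(crashes)} crash buckets")
        for sig, data in crashes.items():
            print(f"  {sig}: {data!r}")
```

The dumb campaign never produces the four-byte magic prefix and so never executes past the first check, which is exactly what a coverage report reveals and a raw crash count would hide; the smart campaign reaches the deeper branches and its crashes collapse into two buckets, one per bug, however many crashing inputs it generated.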
The future of fuzz testing
As artificial intelligence (AI) and machine learning (ML) continue to evolve, their impact will eventually be felt in fuzz testing. The future will see more fuzzers integrate AI and ML in a bid to make the tools simpler to use and more intelligent. While this is generally a good idea, there are concerns that hackers will also find it easier to use these tools in discovering security weaknesses on a large scale. In addition, businesses will require faster and deeper tools that perform exhaustive tests in the shortest time frames.
The cybersecurity landscape is rapidly evolving and for businesses to stay ahead, proven solutions like fuzz testing have become a necessity. The financial and reputational costs of zero-day vulnerabilities can be devastating. CISOs must take proactive steps to discover these vulnerabilities ahead of hackers if their organizations are to survive these rapidly evolving times. And fuzz testing is one of the tools to make sure that happens.
Looking for fuzzing or other application security testing methods? Contact us to schedule a free demo of our application security testing and vulnerability assessment solutions.