Stackarmour

Managing Vulnerabilities using Fuzz Testing or Fuzzing as part of SecDevOps

The number of cybersecurity incidents keeps increasing, and software developers the world over are rapidly adopting DevOps to meet ever shorter delivery timelines. As software is delivered faster and faster through DevOps automation, it is essential that advanced security testing be integrated into the CI/CD pipeline. We at stackArmor have integrated static code scanning using Yasca and Checkmarx; dynamic web testing using Tenable Nessus, Acunetix or HP Fortify; and verification using SonarQube and Jenkins, amongst other tools. You can read more in our SecDevOps whitepaper and blog below.

However, as cyberattacks increase in volume and sophistication, it is essential to keep finding ways to minimize the vulnerability footprint. Fuzz testing or Fuzzing is an advanced security testing technique for detecting unforeseen vulnerabilities by feeding a system deliberately malformed or unexpected inputs designed to make it crash, hang or misbehave. Fuzzing, which in its simplest form sends large volumes of random inputs to a target, has been around for a long time, but renewed concern about vulnerabilities in cloud-hosted SaaS and other systems has driven increasing adoption of fuzzing frameworks and testing techniques. Organizations developing software for compliance-focused markets, including healthcare, financial services and the public sector, as well as SaaS solution providers, should consider fuzz testing their solutions.

We at stackArmor have been helping SaaS and ISV providers adopt and implement advanced security testing as part of the CI/CD pipeline, and fuzz testing is increasingly an essential component of such testing.

More About Fuzz Testing or Fuzzing and Vulnerability Scanning

Fuzz testing requires selecting a framework and a fuzz target or harness for the workload under test: the glue code that feeds each generated input to the target and detects crashes, hangs or sanitizer reports. A fuzzer discovers bugs; it does not run pre-written exploits. A fuzz testing framework or Fuzzer can be generation-based or mutation-based depending on how inputs are produced: if the inputs are built from scratch from a model of the input format (a grammar or protocol specification) it is a generation-based Fuzzer, and if they are produced by modifying existing valid inputs (a seed corpus) it is mutation-based. Fuzz testing can also be black-box, white-box or grey-box, depending on how much it knows about the program structure: black-box fuzzers treat the target as opaque, white-box fuzzers use program analysis such as symbolic execution to derive inputs, and grey-box fuzzers use lightweight instrumentation to learn which inputs reach new code.
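To make the generation/mutation distinction concrete, here is an added example (not code from the original page, and not a stackArmor tool): a mutation-based fuzzer and a generation-based fuzzer in Python, both pointed at a small record parser that trusts its declared length field, alongside a fixed version of the parser. The TLV record format, the parser and its planted bug, the seed record and the triage rule used by the harness (a ValueError is the parser rejecting bad input on purpose, any other exception is a finding) are all assumptions made for this example.

```python
import random
import struct

# Constructed target: "type(1) | length(2, big-endian) | payload | checksum(1)".
# Bug: the declared length is never checked against the bytes actually received.
def parse_record(data: bytes) -> dict:
    if len(data) < 4:
        raise ValueError("record too short")          # graceful rejection
    rtype = data[0]
    (length,) = struct.unpack(">H", data[1:3])
    if rtype not in (1, 2, 3):
        raise ValueError("unknown record type")       # graceful rejection
    payload = data[3:3 + length]
    checksum = data[3 + length]                       # BUG: IndexError when the length lies
    if (sum(payload) & 0xFF) != checksum:
        raise ValueError("bad checksum")              # graceful rejection
    return {"type": rtype, "payload": payload}

def parse_record_fixed(data: bytes) -> dict:
    if len(data) < 4:
        raise ValueError("record too short")
    rtype = data[0]
    (length,) = struct.unpack(">H", data[1:3])
    if rtype not in (1, 2, 3):
        raise ValueError("unknown record type")
    if 3 + length + 1 > len(data):                    # FIX: bound the declared length by bytes received
        raise ValueError("declared length exceeds record")
    payload = data[3:3 + length]
    checksum = data[3 + length]
    if (sum(payload) & 0xFF) != checksum:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}

def build_record(rtype: int, payload: bytes) -> bytes:
    """Build a well-formed record; used as the mutation seed and as a sanity check."""
    return bytes([rtype]) + struct.pack(">H", len(payload)) + payload + bytes([sum(payload) & 0xFF])

def run_case(parser, data: bytes):
    """Harness triage rule (assumed): ValueError is a deliberate rejection,
    any other exception is a finding. Returns the exception or None."""
    try:
        parser(data)
    except ValueError:
        return None
    except Exception as exc:
        return exc
    return None

def mutate(rng: random.Random, seed: bytes) -> bytes:
    """Mutation-based: derive a test case from an existing valid input."""
    buf = bytearray(seed)
    op = rng.choice(("bitflip", "overwrite", "truncate", "append"))
    if op == "bitflip":
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "overwrite":
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "truncate":
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)

INTERESTING_LENGTHS = (0, 1, 2, 255, 256, 0xFFFF)

def generate(rng: random.Random) -> bytes:
    """Generation-based: build a record field by field from the format spec,
    deliberately picking boundary values and letting fields disagree."""
    rtype = rng.choice((0, 1, 2, 3, 255))
    payload = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 8)))
    declared = rng.choice(INTERESTING_LENGTHS + (len(payload),))
    checksum = rng.choice((sum(payload) & 0xFF, rng.randrange(256)))
    return bytes([rtype]) + struct.pack(">H", declared) + payload + bytes([checksum])

def fuzz(parser, make_case, iterations: int) -> dict:
    """Run `iterations` cases; keep the first reproducer per crash class."""
    crashes = {}
    for _ in range(iterations):
        case = make_case()
        exc = run_case(parser, case)
        if exc is not None:
            crashes.setdefault(type(exc).__name__, case)
    return crashes

def demo(iterations: int = 1000, rng_seed: int = 1) -> dict:
    """Both fuzzers against the buggy and the fixed parser, with a fixed RNG seed."""
    seed_record = build_record(1, b"hello")
    results = {}
    for label, parser in (("buggy", parse_record), ("fixed", parse_record_fixed)):
        rng_m, rng_g = random.Random(rng_seed), random.Random(rng_seed)
        results["mutation_" + label] = fuzz(parser, lambda: mutate(rng_m, seed_record), iterations)
        results["generation_" + label] = fuzz(parser, lambda: generate(rng_g), iterations)
    return results

if __name__ == "__main__":
    for name, found in demo().items():
        print(name, {cls: case.hex() for cls, case in found.items()})
```

Running demo() reports an IndexError reproducer from both fuzzers against parse_record and nothing against parse_record_fixed. The mutation fuzzer gets there by corrupting or truncating the length field of a valid seed; the generation fuzzer gets there because it was told where the boundaries of the format are. The harness habit worth copying is the triage rule in run_case: if the parser's own ValueError rejections were counted as crashes, the real finding would be buried in noise.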

Common Fuzz Testing Scenarios and Use Cases including Mobile Applications and MicroServices

Organizations implementing cloud-based systems, mobile applications or API-based microservice solutions should pay particular attention to fuzz testing. There is a wide variety of commercial and open source fuzz testing frameworks, and the right choice depends on the use case and the security testing objectives. Amazon Web Services (AWS) provides a built-in fuzz test for mobile apps in the AWS Device Farm service, which sends random user-interface events to the app on real devices. Given the rapid adoption of microservices, fuzzing them is especially important: a vulnerability in one microservice can have a debilitating cascading effect, because a single external request fans out into many internal calls across backend services and databases. Netflix has documented a number of cases where microservices have been exploited, and such services must be tested thoroughly. SoapUI by SmartBear, available in open source and commercial editions, provides a ready-made fuzzing scan for web service and microservice APIs.

Fuzz Testing Frameworks

Given the relatively recent rise of fuzz testing into the mainstream of commercial security testing, there is a wide variety of available solutions with varying capabilities and support. American fuzzy lop (AFL) uses lightweight compile-time instrumentation and a genetic algorithm to evolve test cases, keeping the inputs that reach new code so that coverage grows efficiently. Other popular fuzz testing frameworks include Peach Fuzzer and Sulley, a Python-based fuzzing framework, amongst others. Sulley is relatively inactive and has a fork called boofuzz which is more current. Another option is Google's OSS-Fuzz, which continuously fuzzes open source projects that contribute a fuzz target. Regardless of the framework, it is essential to ensure that a fuzz target or harness, together with a seed corpus or an input model, is available for the workload that must be fuzzed.
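Coverage feedback is what separates a grey-box fuzzer like AFL from blind random input, so here is an added example (not code from the page, and not AFL's own code) that reproduces the idea in miniature in Python: sys.settrace stands in for AFL's compile-time instrumentation, an input that executes a line no earlier input reached is kept in the corpus, and each kept input is put through a deterministic stage that tries every byte value at every position (a simplified version of AFL's deterministic stages). The target check_magic, its planted bug, the seed b"aaaa" and the execution budget are constructed for the example; the black-box fuzzer is included only to show the contrast.

```python
import random
import sys

# Constructed target: nested checks where each byte guards the next, so random
# inputs almost never reach the planted bug at the bottom.
def check_magic(data: bytes) -> bool:
    if len(data) >= 4:
        if data[0] == ord("F"):
            if data[1] == ord("U"):
                if data[2] == ord("Z"):
                    if data[3] == ord("Z"):
                        raise RuntimeError("planted bug: reached only by the input FUZZ")
    return False

def run_with_coverage(target, data: bytes):
    """Execute target(data) once; return (line numbers executed inside target, crashed?).
    sys.settrace plays the role of AFL's instrumentation here."""
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is not target.__code__:
            return None                         # instrument only the target itself
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(data)
        crashed = False
    except Exception:                           # any uncaught exception is a finding
        crashed = True
    finally:
        sys.settrace(previous)
    return lines, crashed

def greybox_fuzz(target, seed: bytes, max_execs: int) -> dict:
    """Coverage-guided search: keep inputs that reach new lines, and run a
    deterministic every-byte-value stage over each kept input."""
    seen, _ = run_with_coverage(target, seed)
    execs = 1
    corpus = [seed]
    queue = [seed]                              # kept inputs not yet mutated
    while queue and execs < max_execs:
        entry = queue.pop(0)
        for pos in range(len(entry)):
            for value in range(256):
                cand = bytearray(entry)
                cand[pos] = value
                cand = bytes(cand)
                cov, crashed = run_with_coverage(target, cand)
                execs += 1
                if crashed:
                    return {"crash": cand, "execs": execs, "corpus": len(corpus)}
                if not cov <= seen:             # reached a new line: worth keeping
                    seen |= cov
                    corpus.append(cand)
                    queue.append(cand)
                if execs >= max_execs:
                    return {"crash": None, "execs": execs, "corpus": len(corpus)}
    return {"crash": None, "execs": execs, "corpus": len(corpus)}

def blackbox_fuzz(target, max_execs: int, rng_seed: int = 0) -> dict:
    """No feedback at all: fresh random 4-byte inputs for the same budget."""
    rng = random.Random(rng_seed)
    for execs in range(1, max_execs + 1):
        cand = bytes(rng.randrange(256) for _ in range(4))
        try:
            target(cand)
        except Exception:
            return {"crash": cand, "execs": execs}
    return {"crash": None, "execs": max_execs}

def demo(budget: int = 20000) -> dict:
    return {
        "greybox": greybox_fuzz(check_magic, b"aaaa", budget),
        "blackbox": blackbox_fuzz(check_magic, budget),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the budget above, the grey-box loop reaches the planted bug with the input b"FUZZ" after roughly four thousand executions and a corpus of four entries (the seed plus one input per check it got past), while the black-box loop exhausts its 20000 random inputs without ever clearing the first check. That is the whole point of AFL-style instrumentation: each newly reached branch becomes a stepping stone, so the search cost grows with the number of checks rather than with the product of their sizes.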

For organizations seeking to develop and deploy resilient applications, fuzzing is definitely worth looking into as part of the Secure DevOps pipeline. Learn more about Secure DevOps.

Secure DevOps for FedRAMP Compliant Cloud