Over the last decade, there’s been an uptick in progressive Silicon Valley tech behemoths adopting an Application Security Testing technique called continuous fuzzing. While effective,  fuzzing largely remains a hidden secret to the larger developer and security communities. 

In an effort to demystify continuous fuzzing, ForAllSecure’s CEO Dr. David Brumley offered a technical overview of the technique via a webinar on February 11, 2020. In this webinar, Brumley shared more about this proven and accepted technique, and further details on how organizations new to fuzzing can get started.

Don’t have time to tune in? You’re in luck. A replay of the webinar is available here: https://www.brighttalk.com/webcast/17668/385891

 We’ve also synthesized the top 3 takeaways from the webinar:

Application Security Testing (AST) solutions must focus on helping both security and development.

It’s commonly believed that the purpose of Application Security Testing solutions is to help organizations release secure applications. Leading this charge is the security group, so, of course, it’s important that results from the AST tools are consumable by security teams. 

However, it’s important to bear in mind that AST tools are often used by the developers. Thus, these solutions must also be built with the developer productivity in mind. Developers are often measured by the number of lines of code written or the number of features built. The number of vulnerabilities, or lack thereof, speaks little to their productivity and the impact they’ve had in the latest release. What we’ve learned does resonate with developers, on the other hand, is how much code coverage the Application Security Testing tool had or how many new test cases the Application Security Testing tool generated to test their features. As organizations evaluate AST tools, they must bear in mind the pain they’re aiming to resolve, from both the developer and security analyst perspective.

What sets apart mature Application Security Testing (AST) programs from nascent AST programs is their continuity.

Many organizations see security as a “checkpoint” -- a process that is run and done. Brumley advocates that in order to outpace the attackers, security must be conducted continuously. 

Let’s dissect what Brumley means by “running a continuous check.” Often, Application Security Testing solutions come equipped with prebuilt test suites. These tools test the same areas of code with each run. New users will initially see tremendous ROI, uncovering many defects early on. However, as they run their test suite over and over again, they’ll eventually find less and less defects. It’s true; When organizations find less defects over time, it can mean their software is becoming increasingly secure. However, it can also mean that defects are becoming concentrated in untested code areas. Thus, it is advantageous to find a technique, such as guided-fuzzing or instrumented-fuzzing, that is able to take in feedback from a target and autonomously generate test cases on-the-fly, allowing the test suite to grow with the target. The longer the fuzzer runs, its test suite grows, generating test cases that reach deeper and deeper into the app for increasingly thorough testing. This approach allows organizations to continuously run testing in the background, even after release. When testing for the latest release and development for the upcoming release are done simultaneously, organizations are able to drive efficiency. This is what allows organizations to alter their software security trajectory.

A truly effective continuous testing solution cannot have false-positives and must uncover unknown vulnerabilities.

A truly effective continuous security testing solution must have two key capabilities:

• Zero false-positives: Zero false-positives prevent organizations from wasting time on validation. Although some vendors reassure prospects that their solutions have low false-positive rates, that small percentage eventually adds up, slowing not just security, but also development efforts. Scale and speed is key for maintaining continuity. 
• Unknown vulnerability detection: Application Security Testing solutions that only uncover known vulnerabilities force organizations into a reactive posture, only finding security issues that have already been discovered and publicly disclosed. In this approach, the organization is always playing “catch up.” As organizations aim to gain lead over their threat landscape, they must take a more proactive stance by also addressing unknown vulnerabilities within their applications.

What’s next?

Interested in getting started? Brumley proposes a series of questions for organizations to consider as they aim to find the right next-generation fuzzer for them. He also recommends a variety of solutions -- including both open source and commercial tools -- to help get continuous testing programs started. Tune in at the following link for more information: https://www.brighttalk.com/webcast/17668/385891