Secure Coding mailing list archives
Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis
From: ken at krvw.com (Kenneth Van Wyk)
Date: Tue, 27 Feb 2007 09:09:48 -0500
On Feb 27, 2007, at 4:54 AM, Michael Silk wrote:
> unconvinced of what? that fuzzing is useful? or that it's the best security testing method ever? or you remain unconvinced that fuzzing in web apps is > fuzzing in os apps? fuzzing has obvious advantages. that's all anyone should care about.
No, not that it's useful or not. As I said in my other reply, my real wariness is of the "one size fits all" product solutions. It seems to me that the best fuzzing tools are in fact frameworks for building customized fuzzing tests. OWASP's jbrofuzz (in beta release currently) is an example of what I mean here. It gives the tester the means for identifying fields to fuzz and how to fuzz them (say, integer size testing), and then you press the fuzz button and it generates all the tests. That's useful, meaningful, and valuable, IMHO. But it's not a "fire and forget" general purpose tool that can test any web app.

Beyond that, to me it's an issue of coverage. As with any uninformed testing, it's bound to miss things, which is to be expected. (E.g., a state tree that contains a format string vulnerability that doesn't execute because the testing never triggered that particular state -- hence my comments about test coverage/state earlier.)

So, my impression is that fuzzing is useful (in Howard/Lipner's SDL book, they say that some 25% of the bugs they find during testing come out during fuzzing), but that it should only be a small, say 10-20%, part of a testing regimen.

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
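The two points Ken makes, a framework where the tester picks fields and strategies rather than a fire-and-forget tool, and the coverage gap when a defect sits in a state the fuzzer never drives the app into, as an added illustration that is not code from the list post, from jbrofuzz or from the SDL book. The target app, its states, its field names and its defect are all constructed for the example.

```python
# Added example, not from the mailing-list post or from jbrofuzz: a minimal
# framework-style fuzzer. The tester names the fields to fuzz and a strategy per
# field; the generator expands that into concrete request cases. Target is constructed.
from itertools import product

# Integer-size strategy: values at and just past common width boundaries.
INT_BOUNDARIES = [-1, 0, 1, 127, 128, 255, 256, 32767, 32768, 65535, 65536,
                  2**31 - 1, 2**31, 2**32 - 1, 2**32, 2**63 - 1, 2**63]
STRATEGIES = {"int_boundary": lambda: [str(v) for v in INT_BOUNDARIES]}

def generate_cases(template, fuzz_spec):
    """Yield one request per combination of fuzz values for the chosen fields.
    template: field -> baseline value (a valid request); fuzz_spec: field -> strategy."""
    names = list(fuzz_spec)
    pools = [STRATEGIES[fuzz_spec[n]]() for n in names]
    for combo in product(*pools):
        yield {**template, **dict(zip(names, combo))}

class ToyCheckout:
    """Constructed two-step target. Its defect lives in the 'confirm' state,
    which fuzzing the first request in isolation never reaches."""
    def __init__(self):
        self.state, self.hits = "cart", set()   # hits = states actually exercised

    def handle(self, form):
        self.hits.add(self.state)
        try:
            qty = int(form.get("qty", "1"))
        except ValueError:
            return 400
        if self.state == "cart":
            if not 0 < qty <= 65535:
                return 400                      # validated: fuzzer only sees clean rejects
            if form.get("action") == "next":
                self.state = "confirm"
            return 200
        # confirm state: qty is re-parsed with no range check (the latent defect)
        return 500 if qty > 65535 else 200

def run_fuzz(template, fuzz_spec, prelude=()):
    """Fuzz one request per fresh session; `prelude` lists valid requests sent
    first to drive the session deeper. Returns (server errors, states covered)."""
    errors, covered = 0, set()
    for case in generate_cases(template, fuzz_spec):
        app = ToyCheckout()
        for step in prelude:
            app.handle(step)
        if app.handle(case) >= 500:
            errors += 1
        covered |= app.hits
    return errors, covered
```

Fuzzing the cart request alone reports zero errors and covers only the "cart" state; the same cases sent after a valid "next" step reach "confirm" and expose the unchecked values, which is the state-coverage point the reply makes.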