Re: Some Sums

[Jared DeMott <demottja () msu edu>]

Steven M. Christey wrote:
> Tom Ptacek said:
>
>   
> > 2. A lot of people are "finding" things simply by being the first to
> > aim someone else's fuzzer at them. I'm not sure what this implies, but
> > it implies something.
> >     
>
> And/or, maybe fewer people are using fuzzers than assumed - I'd be
> interested in hearing what the fuzzer people think.
>
>   
A few of things off the top of my head:

First of all some fuzzers cost (a lot of) money.  So free lance
researchers and/or small research companies aren't going to buy them. 
Same would be true for small software companies.  I wonder if a small
software company outsources their testing, and the company doing the
testing owns expensive fuzzers, would that be a way to drive down total
cost of ownership?

Secondly, many researchers like to build and use their own fuzzers
because it's assumed that other people are, or will soon, use the for
pay/public fuzzers.  If the assumption holds true the shelf life of
potentially discovered bugs will decrease.  This is bad for many
reasons, mostly because if you simply use someone else's fuzzer the bulk
of your costs will be time to develop bugs discovered.  It's a shame for
that work to go down the drain.  But if it helps you find stuff quicker
without the costs of building your own fuzzer ... I'll let someone else
argue both sides.  Just bring up possible considerations. :)  And of
course this assumption doesn't hold water for software companies, that
ought to be doing their own testing.

Lastly, as Dave pointed out a few posts ago, building != buying !=
using.  Correctly using is half (or some arguable portion) the battle. 
I can't imagine a day when even the best testing or security research
tools are, "click the big green go button for instant perfect results".


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave