Secure Coding mailing list archives

Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis


From: ken at krvw.com (Kenneth Van Wyk)
Date: Tue, 27 Feb 2007 09:09:48 -0500

On Feb 27, 2007, at 4:54 AM, Michael Silk wrote:
> unconvinced of what? what fuzzing is useful? or that it's the best
> security testing method ever? or you remain unconvinced that fuzzing
> in web apps is > fuzzing in os apps?
>
> fuzzing has obvious advantages. that's all anyone should care about.

No, not that it's useful or not.  As I said in my other reply, my
real wariness is of the "one size fits all" product solutions.  It
seems to me that the best fuzzing tools are in fact frameworks for
building customized fuzzing tests.  OWASP's jbrofuzz (in beta release
currently) is an example of what I mean here.  It gives the tester
the means for identifying fields to fuzz and how to fuzz them (say,
integer size testing), and then you press the fuzz button and it
generates all the tests.  That's useful, meaningful, and valuable,
IMHO.  But it's not a "fire and forget" general purpose tool that can
test any web app.

Beyond that, to me it's an issue of coverage.  As with any uninformed
testing, it's bound to miss things, which is to be expected.  (E.g.,
a state tree that contains a format string vulnerability that doesn't
execute because the testing never triggered that particular state --
hence my comments about test coverage/state earlier.)

So, my impression is that fuzzing is useful (in Howard/Lipner's SDL
book, they say that some 25% of the bugs they find during testing
come out during fuzzing), but that it should only be a small, say
10-20%, part of a testing regimen.

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
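The kind of framework Ken describes (pick the fields, pick a strategy per field such as integer size testing, generate every case) is sketched below as an added example in Python. It is not jbrofuzz's code and not part of the original thread; the /checkout endpoint, its field names, and the toy_checkout handler with a 32-bit overflow are all constructed for illustration. The oracle only flags 5xx responses and leaked tracebacks, and each generated request mutates a single field from a known-good baseline, which is exactly why such a run can miss a bug sitting behind a state the cases never reach.

```python
"""Field-level web fuzz case generator with a simple response oracle.

Added example, not jbrofuzz's code. The endpoint, field names and the
toy handler are constructed stand-ins, not any real product.
"""
import json
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


def integer_size_cases() -> List[str]:
    """Values at and around the signed/unsigned 8/16/32/64-bit limits."""
    cases = {0, 1, -1}
    for bits in (8, 16, 32, 64):
        for limit in (2 ** (bits - 1), 2 ** bits):      # signed, unsigned
            cases.update({limit - 1, limit, limit + 1, -limit, -limit - 1})
    return [str(v) for v in sorted(cases)]


def string_length_cases() -> List[str]:
    return ["", "A", "A" * 255, "A" * 256, "A" * 1024, "A" * 65536]


def format_string_cases() -> List[str]:
    return ["%s", "%n", "%x" * 8, "%s%s%s%s%s", "%08x" * 4]


STRATEGIES: Dict[str, Callable[[], List[str]]] = {
    "integer_size": integer_size_cases,
    "string_length": string_length_cases,
    "format_string": format_string_cases,
}


@dataclass
class FuzzTarget:
    method: str
    path: str
    baseline: Dict[str, str]        # a known-good request to mutate
    fuzz: Dict[str, List[str]]      # field name -> strategies to apply


def generate_cases(target: FuzzTarget) -> Iterable[dict]:
    """One request per (field, payload). Only one field is mutated per
    request, so field interactions and multi-step state go untested."""
    for field_name, strategies in target.fuzz.items():
        for strategy in strategies:
            for payload in STRATEGIES[strategy]():
                params = dict(target.baseline)
                params[field_name] = payload
                yield {"method": target.method, "path": target.path,
                       "field": field_name, "strategy": strategy,
                       "params": params}


def suspicious(status: int, body: str) -> bool:
    """Crude oracle: server errors or a leaked stack trace."""
    return status >= 500 or "Traceback" in body


def run_fuzz(target: FuzzTarget,
             handler: Callable[[dict], Tuple[int, str]]) -> List[dict]:
    """Feed every case to `handler` (stand-in for an HTTP client) and
    collect the responses the oracle flags."""
    findings = []
    for case in generate_cases(target):
        status, body = handler(case["params"])
        if suspicious(status, body):
            findings.append({**case, "status": status, "body": body[:80]})
    return findings


def toy_checkout(params: dict) -> Tuple[int, str]:
    """Constructed stand-in for a checkout endpoint (hypothetical bug):
    the order total is stored as a 32-bit signed int, so a large or
    very negative quantity overflows it and leaks a traceback."""
    try:
        qty = int(params["quantity"])
        total = qty * 1999                  # unit price in cents
        struct.pack("<i", total)            # simulate 32-bit storage
        if len(params["name"]) > 4096:
            return 400, "name too long"
        return 200, json.dumps({"total": total})
    except struct.error as exc:
        return 500, "Traceback (most recent call last):\nstruct.error: " + str(exc)
    except (KeyError, ValueError) as exc:
        return 400, str(exc)


# Constructed target: what the tester would configure in the framework.
EXAMPLE_TARGET = FuzzTarget(
    method="POST", path="/checkout",
    baseline={"name": "alice", "quantity": "2"},
    fuzz={"quantity": ["integer_size"],
          "name": ["string_length", "format_string"]},
)

if __name__ == "__main__":
    hits = run_fuzz(EXAMPLE_TARGET, toy_checkout)
    print(f"{len(hits)} suspicious responses out of "
          f"{len(list(generate_cases(EXAMPLE_TARGET)))} cases")
    for hit in hits[:3]:
        print(hit["field"], hit["params"][hit["field"]], hit["status"])
```

Against the toy handler, every 32-bit and 64-bit boundary value for quantity trips the overflow, while the string-length and format-string payloads on name pass cleanly; a real format string bug that only fires after, say, a prior login step would stay invisible to this single-request generator, which is the coverage limitation the message above points at.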



