Wednesday, August 16, 2017

How can OSS-Fuzz and other vulnerability scanners help developers?

In December 2016, Google released its project, dubbed OSS-Fuzz, as an open source tool to fuzz applications for security and stability concerns. The tool doesn't scan every piece of open source software; in order to be accepted by OSS-Fuzz, an open source project must have a large following or be considered software that's critical to global infrastructure.

In the past year, the project has scanned 47 applications and has found over 1,000 vulnerabilities, with over a quarter of those being security vulnerabilities.

Developers running an open source project should definitely look to integrate into Google's project. The code of the fuzz target, or the code being fuzzed for vulnerabilities, should be part of the project's source code repository.

Developers also need to have seeds so that the fuzzing can be more efficient. Google recommends having a "minimal set of inputs that provides maximal code coverage." Developers also need to be aware of what's being fuzzed in their code, and the coverage of the fuzzers should be reviewed to validate that the application is being tested efficiently. Read the rest of my article at the link below:

http://searchsecurity.techtarget.com/answer/How-can-OSS-Fuzz-and-other-vulnerability-scanners-help-developers

No comments:

Post a Comment