How can OSS-Fuzz and other vulnerability scanners help developers?

Google's OSS-Fuzz is a free, continuous fuzzing service for open source projects. Expert Matthew Pascucci looks at how developers can take advantage of this tool and others like it.

Should developers take advantage of open source bug-finding tools, like Google's OSS-Fuzz? If so, how can they do that? What are some other useful tools that provide similar vulnerability scanning?

In December 2016, Google announced OSS-Fuzz, a free, continuous fuzzing service for open source software, built on libFuzzer and Google's ClusterFuzz infrastructure, that hunts for security and stability bugs. The service doesn't fuzz every piece of open source software; to be accepted by OSS-Fuzz, a project must have a significant user base or be considered critical to global IT infrastructure.

By May 2017, roughly five months in, the project had fuzzed 47 open source projects and found over 1,000 bugs, 264 of which were potential security vulnerabilities.

Developers maintaining an open source project that meets those criteria should look to integrate it with OSS-Fuzz. The fuzz target, the small function that accepts fuzzer-generated bytes and feeds them to the library's API (the library itself is the code being fuzzed), should live in the project's own source repository, so it is built, reviewed and maintained alongside the code it exercises.

Developers also need a seed corpus so that fuzzing is efficient. Google recommends a "minimal set of inputs that provides maximal code coverage." Developers should also know exactly which code their fuzz targets reach, and the coverage reports should be reviewed to confirm that the parsers and entry points that handle untrusted input are actually being exercised, not just the easy paths.
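As an added example (not code from the article, and not OSS-Fuzz's or any project's own code), here is the shape of a libFuzzer-style fuzz target and its seed corpus for a small, hypothetical TLV parser. The parser `tlv_parse`, the seed bytes and the project name are constructed for this example; the `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` guard around `main` assumes clang defines that macro under `-fsanitize=fuzzer`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical library API under test (constructed for this example):
 * parse a buffer of TLV records (1-byte type, 1-byte length, then
 * `length` value bytes), sum the value bytes into *checksum, and return
 * the record count, or -1 (checksum untouched) if the input is truncated
 * or a length runs past the end of the buffer. */
int tlv_parse(const uint8_t *buf, size_t len, unsigned *checksum) {
    size_t off = 0;
    int count = 0;
    unsigned sum = 0;
    while (off < len) {
        if (len - off < 2)
            return -1;                          /* header cut off */
        uint8_t rec_len = buf[off + 1];
        off += 2;
        if (rec_len > len - off)
            return -1;                          /* value would read past buf */
        for (size_t i = 0; i < rec_len; i++)    /* consume the value bytes */
            sum += buf[off + i];
        off += rec_len;
        count++;
    }
    *checksum = sum;
    return count;
}

/* The fuzz target. OSS-Fuzz/libFuzzer calls it once per generated input;
 * it must survive arbitrary bytes. A crash, hang or sanitizer report in
 * here is a bug in the library, and the two bounds checks above are
 * exactly the kind of check a fuzzer finds missing. Return 0; other
 * values are reserved by libFuzzer. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    unsigned sum;
    (void)tlv_parse(data, size, &sum);
    return 0;
}

/* Seed corpus, embedded here for a stand-alone run. In an OSS-Fuzz
 * project these are files in <target>_seed_corpus.zip: a few small,
 * well-formed inputs that together reach as much of the parser as
 * possible (empty input, one record, several records, a zero-length value). */
static const uint8_t seed_empty[] = {0};   /* used with length 0 */
static const uint8_t seed_one[]   = {0x01, 0x03, 'a', 'b', 'c'};
static const uint8_t seed_two[]   = {0x01, 0x01, 'x', 0x02, 0x00};
struct seed { const uint8_t *data; size_t size; };
static const struct seed seed_corpus[] = {
    { seed_empty, 0 },
    { seed_one, sizeof seed_one },
    { seed_two, sizeof seed_two },
};

/* Replay every seed through the target, as the fuzzer does before it
 * starts mutating, and return how many the parser accepted: a seed the
 * parser rejects early adds almost no coverage and belongs elsewhere. */
int replay_seed_corpus(void) {
    int accepted = 0;
    for (size_t i = 0; i < sizeof seed_corpus / sizeof seed_corpus[0]; i++) {
        unsigned sum;
        LLVMFuzzerTestOneInput(seed_corpus[i].data, seed_corpus[i].size);
        if (tlv_parse(seed_corpus[i].data, seed_corpus[i].size, &sum) >= 0)
            accepted++;
    }
    return accepted;
}

#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/* Stand-alone driver; left out of a libFuzzer build, which supplies main(). */
int main(void) {
    printf("seeds accepted by the parser: %d\n", replay_seed_corpus());
    return 0;
}
#endif
```

Compile with `cc fuzz_tlv.c` to replay the seeds stand-alone, or with `clang -g -fsanitize=fuzzer,address fuzz_tlv.c` (adding `-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` if your clang does not define it) and run `./a.out seeds/` to let libFuzzer mutate from a seed directory. Delete either bounds check and the AddressSanitizer run reports a heap-buffer-overflow read on the first input whose length byte exceeds the remaining data; that is the class of defect OSS-Fuzz surfaces, and why the target and corpus belong in the repository next to the parser.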

There are many open source tools developers can use within their coding practice, and a good place to start is the Open Web Application Security Project (OWASP). OWASP is a vendor-neutral nonprofit that publishes best practices and security standards for developers to follow, with experienced application security practitioners contributing to advance the state of the field. It also develops or recommends a number of free tools for finding vulnerabilities, which are listed on OWASP's website.

Another free tool worth reviewing is Qualys's SSL Labs site, which assesses a public website's TLS configuration. Enter the site's hostname and it audits the certificate chain, the supported protocol versions and cipher suites, and known weaknesses, then reports back with a letter grade for the site's current TLS security. This isn't an application-level scan, but it plays a big part in protecting data in transit to and from the application.

There are many vulnerability scanners, techniques and services that developers can use, and making vulnerability management part of the application's secure development lifecycle is extremely important. Point-in-time scans help, but a continuous monitoring program built around vulnerability management is the most efficient and cost-saving way to secure your applications.

If you're not able to purchase tools or services to assist with vulnerability management, the OWASP project and tools like Google's OSS-Fuzz are good places to start for free. Security shouldn't always have to come with a big price tag.

This was last published in August 2017
