Manage Learn to apply best practices and optimize your operations.

Should fuzzing be part of the secure software development process?

Fuzzing, a common software-testing method, should not be your only vulnerability assessment technique. In this SearchSecurity.com Q&A, Michael Cobb reviews how passing a fuzz test does not always mean that a program is bug-free.

I've heard of a new technique called "fuzzing." Is fuzzing an effective way to find software vulnerabilities?

Fuzzing, or fuzz testing, isn't actually a new technique. It was developed back in 1989 at the University of Wisconsin-Madison by Professor Barton Miller. With today's focus on developing more secure software, fuzzing has become a more widely used and acknowledged code-testing method.

During the fuzzing process, a program is bombarded with random data, called fuzz. If the program fails to cope with any of this data and begins to crash, lock up, consume memory or produce uncontrolled errors, the developer knows that there is a flaw somewhere within the code. The flaw can then be located and rectified before the program is released or deployed, thus keeping a possible vulnerability out of the final release version. Fuzzing has been frequently used to uncover buffer overflows, which occur when the number of input characters exceeds the available buffer space.

Software programs have several input possibilities, like mice, keyboards and screen devices. Other inputs include calls from other programs or controllers embedded in the actual system. Fuzzing effectively finds bugs because the data entered into a program is random and therefore not constrained by any preconceptions about how the software should behave. When people test software themselves, they may make assumptions about how the software will be used, causing certain input permutations to be overlooked.

A thorough fuzz test uses a combination of valid test data and random fuzz data. The valid data prevents an application from rejecting the information before it can reach a defective piece of code.

You must be aware, though, that passing a fuzz test doesn't make a program bug-free. Fuzzing only allows the simulation of a random, limited sample of a program's behavior. The tests may only show that the software can handle exceptions without crashing. Also, fuzzing doesn't test for logical flaws that can be exploited.

A big advantage of fuzz testing is its cost effectiveness; the testing is usually automated and easy to set up. It is a useful testing method, but it should be used as one of several software-testing methods. Static analysis, peer review and secure coding methodologies should all be a part of any secure software development process.

More information:

  • Learn how fuzzing can deter VoIP protocol attacks.
  • In this "Hot Type" podcast, Gary McGraw explains how to find common software security bugs.
This was last published in May 2007

Dig Deeper on Risk assessments, metrics and frameworks

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.