Fuzzing as a Service

Fuzzing: A Dynamic Software Analysis Technique

Fuzzing is the premier dynamic software analysis technique for automated bug discovery. We have significant experience in this field and provide the DoD with expert guidance on fuzzer development and testing. We are subject matter experts in fuzzing, with experience spanning many different fuzzers and fuzzing strategies. A fuzzer feeds many thousands of test inputs per second to a software application and uses feedback from the application runs to generate more and more interesting inputs, exploring the full program state space to find exploitable software faults.

Why should I do Fuzz Testing?
  • Fuzzing is the fastest way to find bugs with the least amount of developer hours.
  • Developers already spend 30-40% of their time on testing, not counting debugging/bug fixes.
  • Fuzz testing can quickly discover bugs that no developer would think to write a test for, by providing thousands of semi-valid inputs per second to an application.
  • Done properly, fuzzing deduplicates crashes, so no work is repeated exploring a bug that has already been patched.
  • Cyber threat actors are fuzzing your code. Beat them to the patch before they can deploy their exploits instead of playing catch-up.

What does fuzzing look like for my Software Development Cycle?
  • Submit your source code or binaries to our team for analysis.
  • With input from your developers, we generate harnesses and sample input corpora to test your software.
  • We run our state-of-the-art fuzzers on your source code and provide a minimal and complete set of the crashes our fuzzers can detect.
  • Crashes include:
    • crash reports
    • sample inputs to trigger the crash
    • (if we have the source) human-readable analysis of the root cause
    • we may also provide severity scores based on our crash analysis
  • We can also provide a minimal and complete set of unique passing inputs generated to run as regression tests on future versions of the software.
  • Once you patch the code, you can resubmit for patch analysis through crash exploration.
  • We will iterate the cycle until you have working patches.

Fuzzing is not a replacement for Test Driven Development, unit testing, static analysis or any other techniques you may already be employing to deliver quality software, but it does add a robust layer to your Defense-in-Depth strategy for creating secure software solutions.