
Fuzzy Duck? Google OSS-Fuzz creates positive buzz for Black Duck security fuzz

Google is making news this week in developer circles. The search giant has come forward with a software fuzzing tool designed to fuzz open source code.

What is fuzz (testing)?

Fuzz testing or fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by inputting massive amounts of random data (called fuzz) to the system in an attempt to make it crash.

If the program crashes or otherwise misbehaves, the tool that generated the input, called a fuzz tester (or fuzzer), records the offending input and indicates the potential cause.

So then, the goal of the beta-status Google OSS-Fuzz is to make common software infrastructure more secure and stable by combining modern fuzzing techniques with scalable distributed execution.

According to Google, “Recent security stories confirm that errors like buffer overflow and use-after-free can have serious, widespread consequences when they occur in critical open source software. These errors are not only serious, but notoriously difficult to find via routine code audits, even for experienced developers.”

That’s where fuzz testing comes in. By generating random inputs to a given program, fuzzing triggers and helps uncover errors quickly and thoroughly.

OSS-Fuzz combines various fuzzing engines (initially, libFuzzer) with Sanitizers (initially, AddressSanitizer) and provides a massive distributed execution environment powered by ClusterFuzz.
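To make the libFuzzer-plus-AddressSanitizer pairing concrete, here is an added example of what a project hands to a fuzzing engine: a fuzz target. This is not code from Google, OSS-Fuzz or Black Duck; the length-prefixed record format, the `parse_record` function and the seed inputs are all constructed for illustration. The one thing that is real is the entry point name `LLVMFuzzerTestOneInput`, which libFuzzer calls once per generated input. The parser carries the two length checks that an ASan-instrumented fuzzing run would force a developer to add; remove either and a fuzzer finds the resulting out-of-bounds read or write within seconds, which is exactly the class of buffer-overflow bug the Google quote above refers to.

```c
/* Added example (not part of the original article): a libFuzzer-style
   fuzz target for a constructed length-prefixed record format.
   Format (constructed for this example): byte 0 = payload length,
   bytes 1..len = payload. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64

/* Parsed view of one record. */
typedef struct {
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
} record_t;

/* Parse one record. Returns 0 on success, -1 on malformed input.
   The two length checks are the kind of guard that fuzzing under
   AddressSanitizer forces you to add: without the first, a length byte
   above MAX_PAYLOAD writes past out->payload (a buffer overflow); without
   the second, a length byte larger than the remaining input reads past
   the end of data. ASan reports either as a crash with a stack trace. */
int parse_record(const uint8_t *data, size_t size, record_t *out)
{
    if (data == NULL || out == NULL || size < 1)
        return -1;                       /* empty input: nothing to parse */
    uint8_t len = data[0];
    if (len > MAX_PAYLOAD)
        return -1;                       /* would overflow out->payload */
    if ((size_t)len > size - 1)
        return -1;                       /* would read past the input */
    out->len = len;
    memcpy(out->payload, data + 1, len);
    return 0;
}

/* libFuzzer entry point. The engine calls this with each generated input.
   It must return 0 and must not abort on merely malformed data, so that
   the only crashes the fuzzer reports are genuine memory-safety bugs. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    record_t rec;
    (void)parse_record(data, size, &rec);
    return 0;
}

/* Constructed seed corpus: the inputs one would place in a corpus
   directory so the fuzzer starts from interesting shapes rather than
   from empty input. Returns how many seeds parse as valid records. */
int run_seed_corpus(void)
{
    static const uint8_t ok[]        = {3, 'a', 'b', 'c'}; /* well-formed */
    static const uint8_t truncated[] = {10, 'x', 'y'};     /* len > remaining bytes */
    static const uint8_t oversized[] = {200, 0};           /* len > MAX_PAYLOAD */
    static const uint8_t empty[]     = {0};                /* passed with size 0 */
    const uint8_t *seeds[] = {ok, truncated, oversized, empty};
    const size_t sizes[]   = {sizeof ok, sizeof truncated, sizeof oversized, 0};
    int accepted = 0;
    for (size_t i = 0; i < 4; i++) {
        record_t rec;
        if (parse_record(seeds[i], sizes[i], &rec) == 0)
            accepted++;
        /* Every seed must pass through the target without crashing. */
        LLVMFuzzerTestOneInput(seeds[i], sizes[i]);
    }
    return accepted;
}

int main(void)
{
    printf("%d of 4 seed inputs are well-formed records\n", run_seed_corpus());
    return 0;
}
```

Built as an ordinary program the block just replays the seed corpus; built with `clang -g -O1 -fsanitize=fuzzer,address target.c -o target` (with `main` removed, since libFuzzer supplies its own), the same file becomes a fuzzing binary that mutates inputs continuously and stops on the first ASan report. That is the developer-facing half of OSS-Fuzz; ClusterFuzz then runs such targets at scale and files the crashes it finds.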

Black Duck on Fuzz

The open source security team at Black Duck had plenty to say on Google’s news and contacted Computer Weekly’s Open Source Insider blog to make the following comments…

“OSS-Fuzz is a great new resource for the open source community to improve the quality of components and identify vulnerabilities very early. One outcome of this effort will be to increase user confidence in both open source software development as well as with specific components.”

“OSS-Fuzz potentially could become an essential tool for all open source projects during their development cycles, but will also increase the need for robust management systems. Many (Google) eyes will undoubtedly detect new vulnerabilities in older applications, which will flood the OSS community with new known risks to overcome.”

“Vulnerability reporting is a crucial component of any open source risk management to determine if any component used in the development of a product has disclosed vulnerabilities; even long after the product is released. Open source “consumers” will still need to be vigilant and take ownership of open source vulnerability management for their applications since there are millions of open source components and only a small portion of them will be tested with OSS-Fuzz.”
