If you or your team are working on projects in Java or C/C++, then I have great news for you: The closed-beta for our Fuzzing as a Service (FaaS) platform is now available. This brand-new, cloud-based fuzzing approach allows you to perform automated fuzz tests that are perfectly tailored to your individual CI/CD pipeline. You can apply for free access below. But first, let’s have a look at what this bug-killer can do…
If you are familiar with the field of secure software development, you probably noticed that fuzzing has gained quite a lot of popularity over the past couple of years - although this is nothing new: fuzz tests that generate random inputs with the aim of failing a program have been around since the 80s.
Modern or “feedback-based” fuzzing however sets itself apart from this outdated method, as it instruments the code to gather information from it, which is then used to construct new inputs that achieve more code coverage and thus discover more bugs.
What makes feedback-based fuzzing so attractive, is that it outperforms traditional testing methods such as Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST) in terms of accuracy, while requiring less manual effort. If any of this is news to you, or you simply want to refresh your knowledge, you can do so here.
The purpose of our FaaS platform is to make fuzzing usable, so that the benefits of this method are no longer reserved to experts and tech giants such as Google and Microsoft. The closed-beta will give you the opportunity to be an early-adopter of this innovation... For free!
Our Fuzzing as a Service platform offers an automated testing integration that allows for continuous API and network fuzzing. The beta includes a plugin for VS Code which allows you to set up your fuzzer locally.
Once you have everything installed, you can start committing the fuzz tests and the source code into your GitHub/GitLab repository. Pushing the code will then automatically trigger the fuzzing pipeline for continuous integration. All fuzzing runs and findings can be accessed by the user through the CI Fuzz web app.
The CI Fuzz beta is widely applicable with libraries/network services that support C/C++ as well as Spring (Boot) web applications running in containerized units. Nevertheless, there are a couple of requirements that have to be met:
As mentioned above, to be tested with the CI Fuzz, software must be hosted on GitHub or GitLab. For projects in C++, the code must be compiled with Clang. The beta only runs on C++ for Linux in both x86 and x64. In the Java environment, the beta is compatible with all projects developed in the Spring (Boot) framework as well as projects that are equipped with an OpenAPI definition.
If the software under test is connected to a database, the testing platform will require access to the network communication with the whitelisted hosts. Furthermore, the free beta comes with CPU restrictions.
A full roll-out of our FaaS solution is planned for January 2021 and it will be entirely free for all open source projects. For commercial use, there will be different pay-per-use packages tailored to the specific needs of your company. More information on the full version will follow very soon.
You are working with C++ or Java in GitHub or GitLab? Just apply for the closed-beta of CI Fuzz, get early access and improve your software.
Please note that free access to our beta is reserved for startups and open-source projects. For other use cases or requirements, feel free to contact us directly, so that we can find a solution that fits your individual needs.