
What is Fuzzing? [Infographic]

published 2020-05-27, written by Jonathan Reimer

Fuzzing is a powerful technique for finding bugs in programs. Hackers regularly use fuzzing to discover software vulnerabilities on which to build their attacks. However, companies can also use fuzzing to find and fix vulnerabilities and thus improve the security of their software. Since both attackers and defenders have access to powerful IT resources, fuzzing has become an essential tool in the “arms race” between hackers and security experts.

In recent years, feedback-based fuzzing has experienced an unmatched success story. For example, over 27,000 bugs have been found in Google Chrome and several open-source projects. This infographic gives a broad overview of what fuzzing actually is and why you should use it in the software development life cycle (SDLC). If you want to learn about the underlying technology in more detail, you should read The Magic of Feedback-based Fuzzing.

[Infographic: CI_Infographic_fuzzing]

Download Infographic (PDF)

Advantages and Disadvantages of Fuzzing

Fuzzing can be very useful, but it is not a panacea. Here are some of the advantages and disadvantages of feedback-based fuzzing:

Advantages

  • Fuzzing is an almost completely automated testing technique that drastically reduces the manual effort for developers/testers.
  • The test design of fuzzing is extremely simple and free of preconceptions about system behavior.
  • Fuzzing finds bugs and vulnerabilities which are not detectable by other approaches (e.g. unit tests). You can find a list of some exemplary CVEs here.
  • Fuzzing produces virtually no false positives. If the fuzzer finds something, it is a confirmed problem that testers/developers need to act on.
  • Once a fuzzer is up and running, it can search for bugs for hours, days, or months without further manual interaction.
  • Several fuzzing engines can test the same code in parallel, which makes fuzzing a highly scalable testing technique.
  • Fuzzing provides an overall picture of the robustness of the tested software.
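To make "feedback-based" concrete, here is an added example (not part of the original article or of any product it describes): a minimal coverage-guided mutation fuzzer in Python running against a constructed toy parser with a planted crash. Line coverage collected with sys.settrace is the feedback: any input that executes new lines is kept as a seed, which lets the fuzzer walk through the four byte checks that blind random input would almost never pass, and the crashing input it returns reproduces deterministically, which is why a fuzzer finding is a confirmed problem rather than a false positive.

```python
import random, sys
def parse_header(data: bytes) -> str:
    # Constructed toy target: a planted crash sits behind four byte checks (about 1 in 2^32 for blind random input).
    if len(data) >= 4 and data[0] == ord("F"):
        if data[1] == ord("U"):
            if data[2] == ord("Z"):
                if data[3] == ord("Z"):
                    raise ValueError("planted bug reached")  # the defect the fuzzer should find
                return "FUZ?"
            return "FU??"
        return "F???"
    return "other"
def run_with_coverage(target, data):
    """Run target(data); return (crashed, executed line numbers): the feedback signal."""
    lines, crashed = set(), False
    def tracer(frame, event, arg):
        if frame.f_code is target.__code__ and event == "line":
            lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        target(data)
    except Exception:  # any uncaught exception is a crash, i.e. a confirmed finding
        crashed = True
    sys.settrace(None)
    return crashed, lines
def mutate(data, rng):  # one random edit; length stays within [4, 8]
    buf, op = bytearray(data), rng.random()
    if op < 0.5:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op < 0.75 and len(buf) < 8:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 4:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)
def fuzz(target, seed=b"AAAA", max_iters=500000, rng_seed=0):
    """Coverage-guided loop; returns (crashing input or None, iterations used, corpus size)."""
    rng, corpus = random.Random(rng_seed), [seed]
    seen = run_with_coverage(target, seed)[1]
    for i in range(1, max_iters + 1):
        base = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)  # favour the newest seed
        data = mutate(base, rng)
        crashed, cov = run_with_coverage(target, data)
        if crashed:
            return data, i, len(corpus)
        if not cov <= seen:  # new lines executed: keep this input as a seed (the feedback)
            seen |= cov
            corpus.append(data)
    return None, max_iters, len(corpus)
```

Calling fuzz(parse_header) typically reaches the planted crash within a few tens of thousands of iterations; with the feedback line disabled (never growing the corpus) the same loop would need on the order of billions.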


Disadvantages

  • Open-source fuzzing tools require a lot of manual effort to achieve effective testing results.
  • Integrating fuzzing technologies into the development process requires expert knowledge in the field of IT security testing. The shortage of security experts on the market makes it even more difficult for companies to meet security requirements by using feedback-based fuzzing.


Have you already tried to set up fuzzing for your project? Leave us a comment.