Microsoft open-sourced its internally used fuzz testing tool for developers to harden the code and bake in application security early on in the software development lifecycle.
Microsoft released its open-source fuzz testing framework for Azure, the same one the company uses for Windows and Microsoft Edge. Fuzz testing is a software testing method used to identify and remove security flaws during the software development lifecycle (SDLC).
It generally involves feeding malformed or semi-malformed data into the application under test. In this context, malformed data does not mean a handful of corrupted records but rather vast amounts of randomized input that can cause the application to malfunction or crash, potentially revealing underlying bugs. It is a rigorous testing methodology in which the data injection is automated.
Calling it 'useful but expensive', Justin Campbell, Principal Security Software Engineering Lead, and Mike Walker, Senior Director, Special Projects Management, Microsoft Security, said that with Project OneFuzz Microsoft set out to mitigate the problems associated with fuzz testing. They explained in a blog, "Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software development lifecycle (SDLC), highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from."
With Project OneFuzz, developers rather than security engineers will be able to perform fuzz testing and thereby detect and remediate vulnerabilities early in the software development lifecycle.
The automated, open-source tool uses Google's recently released LLVM compiler infrastructure project to ingrain fuzz testing within the development process. "These advances allow developers to create unit test binaries with a modern fuzzing lab compiled in: highly reliable test invocation, input generation, coverage, and error detection in a single executable," wrote Microsoft.
And with 48% of organizations pushing vulnerable code to production, the importance of automated testing techniques like fuzzing within the SDLC becomes abundantly clear. With Project OneFuzz, developers can easily integrate these test binaries into the CI/CD pipeline and scale them out to the cloud.
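The "unit test binary with a fuzzing lab compiled in" that Microsoft describes is, in practice, a small entry point that the fuzzing engine calls once per generated input. The following is an added example, not code from Microsoft or from Project OneFuzz: it uses the LLVM libFuzzer entry-point convention (`LLVMFuzzerTestOneInput`), a toy length-prefixed record format and sample inputs that are all constructed here, plus a tiny deterministic mutation loop so the target can be exercised even without the fuzzing engine. Built with `-fsanitize=fuzzer,address`, the same file becomes the single executable the article refers to; the comment on the bounds check notes the defect fuzzing would surface if that check were missing.

```c
/* Added example (not Microsoft's or Project OneFuzz's code): a libFuzzer-style
 * fuzz target. Record format, parser and sample inputs are constructed for
 * this illustration only.
 *
 * Build as a fuzzer:   clang -g -O1 -fsanitize=fuzzer,address fuzz_target.c
 * Build stand-alone:   cc -DSTANDALONE_DRIVER fuzz_target.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy wire format: repeated [type:1][len:1][payload:len] until end of buffer.
 * Returns the number of records parsed, or -1 on malformed input. */
int parse_records(const uint8_t *data, size_t size, uint32_t *checksum_out) {
    size_t off = 0;
    int count = 0;
    uint32_t sum = 0;
    while (off < size) {
        if (size - off < 2) return -1;      /* truncated header */
        uint8_t type = data[off];
        uint8_t len  = data[off + 1];
        off += 2;
        /* Bounds check: without this line the loop below reads past the
         * buffer, which a fuzzer plus AddressSanitizer reports as a
         * heap-buffer-overflow read within seconds of starting. */
        if (len > size - off) return -1;
        if (type > 3) return -1;            /* unknown record type */
        for (size_t i = 0; i < len; i++) sum = sum * 31 + data[off + i];
        off += len;
        count++;
    }
    if (checksum_out) *checksum_out = sum;
    return count;
}

/* Entry point libFuzzer calls for every generated input. It must never crash
 * on any input; an abort here is exactly the kind of finding OneFuzz reports
 * back to developers. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint32_t sum;
    parse_records(data, size, &sum);
    return 0;
}

/* Constructed sample input: two well-formed records. */
static const uint8_t SAMPLE_OK[] = {1, 2, 'a', 'b', 2, 0};
/* Constructed sample input: header claims 5 payload bytes, only 1 present. */
static const uint8_t SAMPLE_TRUNC[] = {1, 5, 'x'};

/* Minimal stand-in for the engine's mutation loop so the target can be driven
 * without libFuzzer: copies a seed, flips one byte chosen by a deterministic
 * xorshift32 PRNG (so any failing input is reproducible from the seed and
 * rng_state) and feeds the mutant to the target. Returns how many mutants the
 * parser still accepted. */
unsigned fuzz_seed(const uint8_t *seed, size_t size, unsigned iterations,
                   uint32_t rng_state) {
    uint8_t buf[64];
    if (size == 0) return 0;
    if (size > sizeof buf) size = sizeof buf;
    unsigned accepted = 0;
    for (unsigned it = 0; it < iterations; it++) {
        memcpy(buf, seed, size);
        rng_state ^= rng_state << 13;
        rng_state ^= rng_state >> 17;
        rng_state ^= rng_state << 5;
        size_t pos = rng_state % size;
        buf[pos] ^= (uint8_t)(rng_state >> 8);
        LLVMFuzzerTestOneInput(buf, size);
        uint32_t sum;
        if (parse_records(buf, size, &sum) >= 0) accepted++;
    }
    return accepted;
}

#ifdef STANDALONE_DRIVER
int main(void) {
    uint32_t sum = 0;
    int n = parse_records(SAMPLE_OK, sizeof SAMPLE_OK, &sum);
    printf("seed: %d records, checksum %u\n", n, sum);
    printf("accepted mutants: %u/1000\n",
           fuzz_seed(SAMPLE_OK, sizeof SAMPLE_OK, 1000, 12345u));
    return 0;
}
#endif
```

When compiled with `-fsanitize=fuzzer`, libFuzzer supplies `main`, generates inputs guided by coverage instrumentation, and stops on the first sanitizer report; that crash artifact is what a OneFuzz job would surface as a work item.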
Project OneFuzz is compatible with Windows and Linux environments, and enables the following:
- Composable fuzzing workflows: Being an open source tool, developers/testers can onboard custom fuzzers, swap instrumentation, and optimize seed inputs
- Built-in ensemble fuzzing: Project OneFuzz supports ensemble fuzzing between different fuzzing technologies, and creates space for them to 'work as a team'
- On-demand live-debugging of found crashes: Enables ad-hoc or build system-derived live-debugging sessions for developers
- Crash reporting notification callbacks: In the event of a crash (meaning bugs were found), the tool notifies developers through Microsoft Teams messages and Azure DevOps Work Items
The move is in line with the Redmond-based tech giant's overarching goal: enabling developers to easily and continuously fuzz test their code prior to release is, in Microsoft's words, core to its mission of empowerment. The global release of Project OneFuzz is intended to help harden the platforms and tools that power our daily work and personal lives and make the hacker's job more difficult.