Posted by Robert Vamosi on February 23, 2017
When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds his Phd. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, BlackHat, ToorCon, GrrCon, and HITB. He is currently the co-founder of VDA Labs.
This three-part tutorial, produced by Synopsys, is loosely based on a training course that Dr. DeMott gave at Black Hat USA in 2016. The five videos in total serve as a great introduction to the software testing concepts of static code analysis, fuzz testing, and software composition analysis. Without going into too much detail, Dr. DeMott describes each form of testing, gives some examples, and then sums up the return on investment for having used each.
In this short introduction, Dr. DeMott gives a high-level overview of why an organization would benefit from using software testing. He talks about how security testing is a journey and not a destination. How it is a culture, the people involved, and the technology to execute it. And how all this requires more integration into the Software Development Lifecycle (SDLC) and how automation can smooth the process.
In the first segment, Dr. DeMott defines what is static code analysis. Briefly this is a line by line examination of source code. He shows where static code analysis fits in software development. He also discusses static code analysis techniques such as pattern matching, procedural, data flow analysis, and statistical analysis.
In this second segment, Dr. DeMott defines what is fuzz testing and explains how it fits into the world of SDLC. Briefly, Fuzz testing sends malformed input into a running program and observes what happens. Fuzz testing has been said to be a technique for finding unknown unknowns. Perhaps the best example of fuzz testing is the discovery of the Heartbleed OpenSSL vulnerability in 2014. Dr. DeMott discusses specific fuzz testing techniques such as mutation, generation, directed, and feedback. He also talks about how the regular use of fuzz testing can save your organization money.
In the third segment, Dr. DeMott discusses software composition analysis and how it fits into the SDLC. Examples include knowing what components and licensing agreements reside within your cybersecurity supply chain. He discusses specific software composition analysis techniques. He also discusses how and why composition analysis can save an organization money.
In this short conclusion, Dr. DeMott recaps the major points. He talks about how static code analysis can raise the bar on code quality and security. How fuzz testing allows an organization to explore its attack surface before attackers do. And how software composition analysis helps organizations understand component risks for their deployed software.