Software Integrity Blog

Archive for the 'Fuzz Testing' Category

 

What is the state of fuzz testing in 2017?

In a new report, Synopsys examines new insights into areas of software development where further testing remains. By analyzing over 4.8 billion protocol-based tests, the Synopsys State of Fuzzing 2017 report qualifies the relative levels of maturity in terms of quality and security across more than 250 protocols found in industry verticals such as industrial control systems, medical, financial, government, and the Internet of Things (IoT). Check out the State of Fuzzing 2017 report to get all the findings.

Continue Reading...

Posted in Fuzz Testing | Comments Off on What is the state of fuzz testing in 2017?

 

Fault Injection Podcast: Where the zero days are

Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about the value of fuzz testing and the findings from a new report from Synopsys on the State of Fuzzing 2017.

Continue Reading...

Posted in Fuzz Testing, General | Comments Off on Fault Injection Podcast: Where the zero days are

 

Black Hat USA and DEF CON 2017: And that’s a wrap!

Another week of InfoSec in the desert is history. Black Hat USA started as the Black Hat Briefings in 1997, and has remained mostly corporate. It grew out of the hacker-friendly environment of DEF CON which started as a going away party for a friend of the founder, Jeff Moss, in 1993. Together, the two conference represent the largest annual gathering of InfoSec experts in the world.

Continue Reading...

Posted in Fuzz Testing, General, Internet of Things | Comments Off on Black Hat USA and DEF CON 2017: And that’s a wrap!

 

Zeroing in on zero day vulnerabilities

Earlier this month WikiLeaks announced it had in its possession a cache of zero days allegedly from the Central Intelligence Agency. These unpatched vulnerabilities, it said, could affect Apple and Android devices (including TVs). It is suspected that exploitation of these vulnerabilities could allow the spy agency – or anyone else who knows about them — to surveil targets by activating microphones and receivers as well as eavesdropping on communications.

Continue Reading...

Posted in Fuzz Testing, Static Analysis (SAST) | Comments Off on Zeroing in on zero day vulnerabilities

 

With comparisons to Heartbleed, Cloudbleed may affect millions

A researcher from Google disclosed on Thursday that private messages, API keys, and other sensitive data were being leaked by a major content delivery network to random requesters, a leakage that could affect up to 5.5 million websites.

Continue Reading...

Posted in Cloud Security, Fuzz Testing, Software Architecture and Design | Comments Off on With comparisons to Heartbleed, Cloudbleed may affect millions

 

Bug elimination: Code scanning, fuzzing, and composition analysis

When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds a Ph.D. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, Black Hat, ToorCon, GrrCON, and HITB. He is currently the co-founder of VDA Labs.

Continue Reading...

Posted in Fuzz Testing, Software Composition Analysis, Static Analysis (SAST), Web Application Security | Comments Off on Bug elimination: Code scanning, fuzzing, and composition analysis

 

Ticketbleed: The next black swan

Last week a researcher disclosed a software vulnerability in a feature of the TLS/SSL stack that allowed a remote attacker to extract sensitive information. Sound familiar? In 2014, the Heartbleed vulnerability in the OpenSSL implementation of the heartbeat function in SSL affected some 600,000 websites worldwide and risked exposing passwords and other private keys. Ticketbleed, announced last Wednesday, has some similarity, but, at the end of the day, is no Heartbleed.

Continue Reading...

Posted in Fuzz Testing, Software Composition Analysis | Comments Off on Ticketbleed: The next black swan

 

Synopsys finds Bluetooth memory vulnerability in macOS/OS X

On Tuesday, researchers at Synopsys were credited in an Apple Update with finding a Bluetooth memory vulnerability in its operating system.

Continue Reading...

Posted in Fuzz Testing, Software Architecture and Design | Comments Off on Synopsys finds Bluetooth memory vulnerability in macOS/OS X

 

New study finds static analysis and fuzz testing from Synopsys can save millions in remediation costs

By integrating testing early in the software development lifecycle, organizations may realize a high ROI.

Continue Reading...

Posted in Fuzz Testing, Static Analysis (SAST) | Comments Off on New study finds static analysis and fuzz testing from Synopsys can save millions in remediation costs

 

Podcast: Billy Rios on the good and the bad of Heartbleed, Part 1

Two years after its disclosure, the vulnerability in OpenSSL known as Heartbleed remains significant. There are valuable lessons still to be learned both about how the vulnerability was initially discovered and how the security community has responded over time.

Continue Reading...

Posted in Fuzz Testing, Internet of Things, Open Source Security | Comments Off on Podcast: Billy Rios on the good and the bad of Heartbleed, Part 1