Software Integrity Blog

Archive for the 'Fuzz Testing' Category

 

Synopsys finds 3 Linux kernel vulnerabilities

In a recent open source hackathon, we found three Linux kernel vulnerabilities: CVE-2017-7645, CVE-2017-7895, and CVE-2017-8797. Here’s how we found them.

Posted in Fuzz Testing, Open Source Security

 

What is the state of fuzz testing in 2017?

In a new report, Synopsys examines new insights into areas of software development where further testing remains to be done. By analyzing over 4.8 billion protocol-based tests, the Synopsys State of Fuzzing 2017 report qualifies the relative levels of maturity in terms of quality and security across more than 250 protocols found in industry verticals such as industrial control systems, medical, financial, government, and the Internet of Things (IoT). Check out the State of Fuzzing 2017 report to get all the findings.

Posted in Fuzz Testing

 

Fault Injection Podcast: Where the zero days are

Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about the value of fuzz testing and the findings from a new report from Synopsys on the State of Fuzzing 2017.

Posted in Fuzz Testing

 

Zeroing in on zero day vulnerabilities

Earlier this month, WikiLeaks announced it had in its possession a cache of zero days allegedly from the Central Intelligence Agency. These unpatched vulnerabilities, it said, could affect Apple and Android devices (including TVs). It is suspected that exploitation of these vulnerabilities could allow the spy agency – or anyone else who knows about them – to surveil targets by activating microphones and receivers as well as eavesdropping on communications.

Posted in Fuzz Testing, Static Analysis (SAST)

 

With comparisons to Heartbleed, Cloudbleed may affect millions

The new Cloudbleed vulnerability, like Heartbleed, was discovered through routine fuzz testing and may affect 5.5 million websites and millions of users.

Posted in Cloud Security, Fuzz Testing

 

Bug elimination: Code scanning, fuzzing, and composition analysis

When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds a Ph.D. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, Black Hat, ToorCon, GrrCON, and HITB. He is currently the co-founder of VDA Labs.

Posted in Fuzz Testing, Software Composition Analysis (SCA), Static Analysis (SAST), Web Application Security

 

Ticketbleed: The next black swan

Ticketbleed is a software vulnerability in a feature of the TLS/SSL stack that allows a remote attacker to extract sensitive information.

Posted in Fuzz Testing, Software Composition Analysis (SCA)

 

New study finds static analysis and fuzz testing from Synopsys can save millions in remediation costs

By integrating testing early in the software development lifecycle, organizations may realize a high ROI.

Posted in Fuzz Testing, Static Analysis (SAST)

 

Podcast: Billy Rios on the good and the bad of Heartbleed, Part 1

Two years after its disclosure, the vulnerability in OpenSSL known as Heartbleed remains significant. There are valuable lessons still to be learned both about how the vulnerability was initially discovered and how the security community has responded over time.

Posted in Fuzz Testing, IoT Security, Open Source Security

 

Defensics Agent Framework

During the past few months, Synopsys R&D has been busy improving the Defensics instrumentation capabilities. The focus has been on providing more powerful tools for controlling and monitoring the status of the system under test (SUT). Fuzzing is an effective testing technique, but it is sometimes hard to detect the exact test case or sequence which caused the failure in the SUT. To set up better diagnostics for the SUT and enable improved information flow from the test target to the Defensics test solution, we have developed the Defensics Agent Instrumentation Framework.

Posted in Fuzz Testing