In a recent open source hackathon, we found three Linux kernel vulnerabilities: CVE-2017-7645, CVE-2017-7895, and CVE-2017-8797. Here’s how we found them.
In a new report, Synopsys examines new insights into areas of software development where further testing remains. By analyzing over 4.8 billion protocol-based tests, the Synopsys State of Fuzzing 2017 report qualifies the relative levels of maturity in terms of quality and security across more than 250 protocols found in industry verticals such as industrial control systems, medical, financial, government, and the Internet of Things (IoT). Check out the State of Fuzzing 2017 report to get all the findings.
Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about the value of fuzz testing and the findings from a new report from Synopsys on the State of Fuzzing 2017.
Earlier this month, WikiLeaks announced it had in its possession a cache of zero days allegedly from the Central Intelligence Agency. These unpatched vulnerabilities, it said, could affect Apple and Android devices (including TVs). It is suspected that exploitation of these vulnerabilities could allow the spy agency, or anyone else who knows about them, to surveil targets by activating microphones and receivers as well as eavesdropping on communications.
The new Cloudbleed vulnerability, like Heartbleed, was discovered through routine fuzz testing and may affect 5.5 million websites and millions of users.
When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds a Ph.D. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, Black Hat, ToorCon, GrrCON, and HITB. He is currently the co-founder of VDA Labs.
Ticketbleed is a software vulnerability in a feature of the TLS/SSL stack that allows a remote attacker to extract sensitive information.
New study finds static analysis and fuzz testing from Synopsys can save millions in remediation costs
By integrating testing early in the software development lifecycle, organizations may realize a high ROI.
Two years after its disclosure, the vulnerability in OpenSSL known as Heartbleed remains significant. There are valuable lessons still to be learned both about how the vulnerability was initially discovered and how the security community has responded over time.
During the past few months, Synopsys R&D has been busy improving the Defensics instrumentation capabilities. The focus has been on providing more powerful tools for controlling and monitoring the status of the system under test (SUT). Fuzzing is an effective testing technique, but it is sometimes hard to detect the exact test case or sequence that caused the failure in the SUT. To set up better diagnostics for the SUT and improve the flow of information from the test target to the Defensics test solution, we have developed the Defensics Agent Instrumentation Framework.