Posted by Synopsys Editorial Team on Friday, February 9th, 2018
Written in coordination with Chris Clark, Defensics product manager
Over the last year, we’ve noticed a rise in Defensics myths. Admittedly, this doesn’t surprise me. Myths abound in technology markets, where facts and figures often stand in contrast to conventional wisdom, and the fuzz testing market is a particularly challenging one to navigate. I suspect this difficulty exists for three main reasons:
Listed below are just a handful of the myths we’ve run into, and we’re here to debunk them all. Have you run into any that aren’t mentioned here? Let us know.
Most development, security, and QA teams assume that Defensics won’t fit into the product development life cycle because it’s a black box fuzzer. That’s only partially true.
Although it is a black box fuzzer, Defensics contains workflows that enable it to fit almost any environment from a technological and process standpoint. Whether you employ a traditional SDL or CI development life cycle, Defensics brings fuzz testing into development, allowing you to catch vulnerabilities early and cost-effectively. Got an unconventional development life cycle? We have an experienced professional services team that can help you identify fuzz testing checkpoints, define fuzz testing metrics, and establish a fuzz testing maturity program with Defensics. Let’s talk.
Defensics aims to locate vulnerabilities, primarily unknown and zero-day, before software is released into the wild. Unlike other fuzzers in the market, Defensics has a deep understanding of the input type, meaning it can identify key weaknesses in the rules that govern communication and deliver tests that exploit those weaknesses. Because Defensics generates tests that are likely to trigger vulnerabilities, users can efficiently and effectively find and fix them before they lead to costly patches and recalls. We have a proven track record that attests not only to the quality of our test suites but also to the quality of results our customers can expect.
The Total Economic Impact of Synopsys Software Testing Tools: Coverity and Defensics, a Synopsys-commissioned report, details how an entertainment and communications technology company avoided remediation expenses of $1.8 million by fuzzing with Defensics over 3 years. For more information on Defensics’ ROI, read the full report.
It’s true that Defensics is known for its predefined test suites, and this is because predefined test suites for protocols, file formats, and interfaces are where Defensics put down its first roots. However, Defensics has grown and matured since its inception about 15 years ago.
Today, Defensics is a comprehensive fuzzing solution. Not only does it offer advanced template fuzzers for file formats (Universal Fuzzer) and protocols (Traffic Capture Fuzzer), but we also provide a Defensics fuzzing framework (Defensics SDK) so users can create their own test suites. With Universal Fuzzer, Traffic Capture Fuzzer, or Defensics SDK, users can augment our library of 250+ test suites with test cases and test suites they’ve built for file formats, protocols, and their own custom or proprietary input types. Also, don’t forget about our data sequence editor, which enables users to fine-tune our predefined test suites to capture those corner cases they might come across. This flexibility lets users rely on the same Defensics fuzzing engine and user interface for all their fuzzing needs.
Some may knock Defensics’ prebuilt test suites, but we’ve found that our customers can start fuzzing more quickly with them. When provided with only fuzzing frameworks, organizations have to write their own test suites, outsourced or in-house, before they can start testing. With this approach, just getting started can take a while, especially if you want quality tests. We’re not asserting that one approach is better than the other. Frankly, it comes down to what users are looking for. Our observations have shown that prebuilt test suites result in quicker time to fuzz and fewer test suite maintenance headaches for users. These benefits are preferred particularly by organizations and teams who aren’t fluent in fuzzing, don’t wish to specialize in fuzzing, or don’t have a dedicated fuzzing team. Still, advanced users and security teams who are knowledgeable about fuzzing may prefer having more control and flexibility over their test suites by writing their own, which is possible with Defensics SDK.
Defensics sports a logical user interface that guides users through each step of the fuzz testing process. Here’s how Defensics works:
And that’s how Defensics employs automation—some apparent and some subtle—throughout its testing process to make advanced fuzz testing easy for anyone.
When monitoring is mentioned in the context of fuzzing, it also refers to instrumentation. This is the fuzzer’s ability to detect anomalous behavior in the test target.
Defensics offers instrumentation for the following:
Defensics also offers SafeGuard checkers, the feature that found the infamous Heartbleed vulnerability. These checkers detect the following anomalous behaviors:
In this article, we’ve focused heavily on Defensics myths and what makes them untrue. Now that we’ve discussed what Defensics isn’t, let’s talk about what Defensics is.
Defensics is a comprehensive, powerful, and automated black box solution that enables organizations to effectively and efficiently discover and remediate security weaknesses in software. By taking a systematic and intelligent approach to negative testing, Defensics allows organizations to ensure software security without compromising on product innovation, increasing time to market, or inflating operational costs. Fuzz smarter, remediate faster, and release safer with Defensics.