In a new report, Synopsys offers new insights into areas of software development where further testing is still needed. By analyzing over 4.8 billion protocol-based tests, the Synopsys State of Fuzzing 2017 report qualifies the relative levels of maturity in terms of quality and security across more than 250 protocols found in industry verticals such as industrial control systems, medical, financial, government, and the Internet of Things (IoT).
The report, based on data from Synopsys fuzz testing operations, explores the following questions:
In 2014, Synopsys’ fuzz testing product was used to identify the infamous Heartbleed vulnerability in OpenSSL. It had gone unidentified for more than two years and impacted more than 500,000 websites.
Synopsys’ fuzzing solution uncovers hidden, unknown vulnerabilities. It also helps organizations improve software security with advanced test suites for 250+ standard network protocols, file formats, and other interfaces. It not only uncovers dangerous unknown vulnerabilities, but also provides expert remediation advice to help organizations future-proof the software they rely on.
“Fuzz testing is a powerful component of the Synopsys Software Integrity Platform to uncover zero-day vulnerabilities and help organizations protect their software,” said Andreas Kuehlmann, Senior Vice President and General Manager for the Synopsys Software Integrity Group. “By analyzing such a large data set from our customers, the Synopsys fuzzing report provides visibility into unknown, hard-to-find vulnerabilities and highlights where security teams should look to improve the quality and security of their software.”
In today’s Fault Injection Podcast, focusing on fuzzing, Chris Clark, Principal Security Engineer at Synopsys, said of the report:
“It’s always surprising for us when we go and when we talk with the customer. We ask what protocols they use, we get a list of protocols, and we say, ‘OK, let’s validate that, let’s check that.’ We’ll use something like an Nmap or some other protocol, or other tool to look at the protocols that are being listed, and we always find there’s some extras that aren’t included.”