State of Fuzzing 2017

Where the zero days are

Fuzz testing is an excellent way to locate vulnerabilities in software. The premise is to deliver intentionally malformed input to target software and detect failure. In fact, Synopsys used its own fuzz testing technology to discover the infamous Heartbleed vulnerability OpenSSL, which had gone unidentified for more than two years and impacted more than 500,000 websites.

In the State of Fuzzing 2017, Synopsys analyzed over 4.8 billion individual fuzz tests to identify the average time to first failure and overall maturity of protocols.


Major findings across industries show:

  • The overall average time to first failure (TTFF) was 1.4 hours
  • The least mature protocol tested in 2016 was IEC-61850 MMS (ICS) which is a niche protocol, used in IoT and industrial control systems. The average TTFF for IEC-61850 MMS was  6.6 seconds.
  • The most mature protocol tested in 2016 was TLS client (Core IP) commonly used for secure browsing. The average TTFF for TLS client was 9 hours .
State of Fuzz Testing

Get all the research findings—download the report.