Better Software - June 2008 - (Page COD3) Codenomicon whitepaper: How to integrate FUZZING and security testing into SDLC 2 End user perspective to fuzzing What criteria do the customers use when choosing the fuzzing product? Vendor reputation and the test coverage came up high on the list: • “Some of our team members had worked with Codenomicon before and suggested that we try it. I can’t tell you how important these types of personal references are when you are about to purchase and use something you have little experience with.” (Software Company). • “The most important thing is this: Codenomicon’s protocol depth and state is the best in the market. The documentation is also awesome; you can see every test case.” (Telecommunications Equipment Company) • “We really thought we would use open source tools, but the more protocols we decided to test, the more work we had to do. Codenomicon supports almost every protocol we wanted to test, so it made economic sense to purchase DEFENSICS rather than spend dedicated time and resources toward customizing open source.” (Software Company) People also like using software based solutions compared to appliance based tools. Software will be easier to use corporate-wide, and results in more users and better results in a shorter time frame. • “We like the idea of a software-based system. We can easily modify the system with new operating systems, more network cards, or more complex configurations. We are also able to select preferred hardware vendors that have established good SLAs.” (Telecommunications Equipment Company) • “Since Codenomicon is a software-based system, we were able to purchase DEFENSICS using our operating rather than capital budget. This made the decision easy.” (Telecommunications Equipment Company). Finally, the ultimate purpose of fuzzing is to find flaws. The value of fuzzing is in the proactive elimination of security critical issues in software. • “Based upon our models, we know that if customers find software bugs, it cost about $32,000 to fix. If we catch a bug during our software verification phase, it costs between $4,000 and $8,000 to fix. If we find software bugs in development, it only costs around $600 to $800 to fix them. Obviously, our goal is to find bugs as early as we can, and Codenomicon is helping us do this.” (Telecommunications Equipment Company) In summary, black box testing is a simple matter of doing more with less. In this case, commercial fuzzing tools provide more test suites, protocol support, and fuzzing capabilities while decreasing the need for deep protocol knowledge, test suite development, and source code expertise. By Jon Oltsik, Enterprise Strategy Group Fuzzing has proven to be particularly effective when testing for software exposure and system failure risks because it: • Has broad application. Since black box fuzzing is independent of individual development projects, it can be applied in numerous use cases. For example, fuzzing can be used to be used to analyze the behavior of file formats, networking and application protocols, APIs, etc. • Provides “wide and deep” coverage. Leading fuzzing tools support a wide range of protocols from Layer 2 through Layer 7 of the OSI stack. This in itself is valuable, but many offer extensive test suites to exercise all aspects of these protocols. Many users have found problems in secondary esoteric protocols that impact overall software security, performance, and availability. With this “wide and deep” capability, black box fuzzing tools can test each and every protocol, not just the obvious ones. • Eliminates the need for source code and protocol knowledge. Most test engineers would agree that more testing is always better, but many organizations don’t have the resources, time, or skills to develop hundreds of new scripts to test software on their own. Fuzzing tools eliminate this restriction by aggregating testing expertise and a multitude of test routines into a turnkey solution. With this type of coverage, software engineers can spend their time testing code rather than studying protocols or developing their own test scripts. The following findings are based on interviews conducted with users of commercial fuzzing tools. The key driver in fuzzing is the capability to extend testing into new domains, namely security testing, and through a turnkey solution: • “There is so much going on in the operating system in terms of protocol support and we wanted to make sure that we understood how these protocols impacted the security and robustness of our software. Black box testing gave us a much broader use case.” (Software Company) • “Originally, we found some unstable behavior with some protocols when using Nessus for testing purposes. We adopted [fuzzing] tools soon afterward, because we wanted to exercise more protocols through a thorough set of test cases. [Fuzzing] tools certainly fit this requirement. (Telecommunications Equipment Company) • “We needed protocol specific tests and didn’t have the resources to develop our own test for CIFS, RTP, SSL and lots of others. [The commercial fuzzing tool] gave us support for every protocol we needed.” (Software Company). That’s easy – our customers told us to. We are finding this true of more and more of our carrier customers.” - Telecommunications Equipment Company “Why did we adopt [fuzzing] tools? For more customer comments on fuzzing, check out: http://www.codenomicon.com/resources/whitepapers/2008-customer-view.shtml PREEMPTIVE SECURITY AND ROBUSTNESS TEST SOLUTIONS http://www.codenomicon.com/resources/whitepapers/2008-customer-view.shtml
Table of Contents Feed for the Digital Edition of Better Software - June 2008 Better Software - June 2008 Contents Mark Your Calendar Contributors Technically Speaking eLightenment Code Craft Test Connection Management Chronicles Agile Model-Driven Development The Myth of Risk Management Stop the Insanity! Product Announcements 10 Things You Might Not Know About … The Last Word Ad Index Better Software - June 2008 Better Software - June 2008 - (Page Intro) Better Software - June 2008 - Better Software - June 2008 (Page Cover1) Better Software - June 2008 - Better Software - June 2008 (Page Cover2) Better Software - June 2008 - Better Software - June 2008 (Page 1) Better Software - June 2008 - Better Software - June 2008 (Page 2) Better Software - June 2008 - Contents (Page 3) Better Software - June 2008 - Mark Your Calendar (Page 4) Better Software - June 2008 - Mark Your Calendar (Page 5) Better Software - June 2008 - Mark Your Calendar (Page 6) Better Software - June 2008 - Mark Your Calendar (Page 7) Better Software - June 2008 - Contributors (Page 8) Better Software - June 2008 - Contributors (Page Telelogic1) Better Software - June 2008 - Contributors (Page Telelogic2) Better Software - June 2008 - Contributors (Page 9) Better Software - June 2008 - Contributors (Page 10) Better Software - June 2008 - Technically Speaking (Page 11) Better Software - June 2008 - eLightenment (Page 12) Better Software - June 2008 - eLightenment (Page 13) Better Software - June 2008 - Code Craft (Page 14) Better Software - June 2008 - Code Craft (Page 15) Better Software - June 2008 - Code Craft (Page 16) Better Software - June 2008 - Code Craft (Page COD1) Better Software - June 2008 - Code Craft (Page COD2) Better Software - June 2008 - Code Craft (Page COD3) Better Software - June 2008 - Code Craft (Page COD4) Better Software - June 2008 - Code Craft (Page 17) Better Software - June 2008 - Test Connection (Page 18) Better Software - June 2008 - Test Connection (Page 19) Better Software - June 2008 - Management Chronicles (Page 20) Better Software - June 2008 - Management Chronicles (Page 21) Better Software - June 2008 - Agile Model-Driven Development (Page 22) Better Software - June 2008 - Agile Model-Driven Development (Page 23) Better Software - June 2008 - Agile Model-Driven Development (Page 24) Better Software - June 2008 - Agile Model-Driven Development (Page 25) Better Software - June 2008 - Agile Model-Driven Development (Page 26) Better Software - June 2008 - Agile Model-Driven Development (Page 27) Better Software - June 2008 - Agile Model-Driven Development (Page 28) Better Software - June 2008 - Agile Model-Driven Development (Page 29) Better Software - June 2008 - The Myth of Risk Management (Page 30) Better Software - June 2008 - The Myth of Risk Management (Page 31) Better Software - June 2008 - The Myth of Risk Management (Page 32) Better Software - June 2008 - The Myth of Risk Management (Page 33) Better Software - June 2008 - The Myth of Risk Management (Page 34) Better Software - June 2008 - The Myth of Risk Management (Page 35) Better Software - June 2008 - Stop the Insanity! (Page 36) Better Software - June 2008 - Stop the Insanity! (Page 37) Better Software - June 2008 - Stop the Insanity! (Page 38) Better Software - June 2008 - Stop the Insanity! (Page 39) Better Software - June 2008 - Stop the Insanity! (Page 40) Better Software - June 2008 - Stop the Insanity! (Page 41) Better Software - June 2008 - Stop the Insanity! (Page 42) Better Software - June 2008 - Stop the Insanity! (Page 43) Better Software - June 2008 - Product Announcements (Page 44) Better Software - June 2008 - Product Announcements (Page 45) Better Software - June 2008 - 10 Things You Might Not Know About … (Page 46) Better Software - June 2008 - The Last Word (Page 47) Better Software - June 2008 - Ad Index (Page 48) Better Software - June 2008 - Ad Index (Page Cover3) Better Software - June 2008 - Ad Index (Page Cover4)
For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.