« What is Security's Weakest Link? | Main | Is the Government Paying Too Much for Security? »

Found an interesting article over at Dark Reading about the newest wave of vulnerability testing known as fuzzing, AKA fuzz testing, fault injection, or input validation. Fuzzing is where an application's inputs, areas like username, file, or an HTML field, are tested with somewhat random data to discover bugs and protect against things like privilege escalation or arbitrary code execution attacks.

Fuzzing is increasingly being used by companies like Microsoft and Juniper, and often entails running a command line program over and over while adding various random characters in hopes of inducing a crash and thereby uncovering a vulnerability. Fuzzing can be used on targets like MS Word or Mozilla Firebox or even a network router (to check out Mike Rothman's most recent (and most excellent) piece on Application Security click here).

Admittedly, vulnerability testing applications in the development process will certainly slow down the application's development, but as it's becoming ever more evident, either you pay some to get rid of bugs now, or pay more later once that bug's been exploited and you're application has been owned.

To get the whole low-down on fuzzing, head right here.

Posted by pschooff in |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/3109