Rounding out DevSecOps and DAST, fuzz testing provides additional insights into the resilience of your systems and helps you spot vulnerabilities before attackers do. In this blog, we’ll provide an overview of the history of fuzz testing, how it is used today, and the benefits of implementing it into your security strategy and SDLC. 

What is Fuzz Testing? 

Fuzz testing is a technique of software testing that allows practitioners to find bugs – when they don’t know what kinds of bugs they’re looking for. Originally developed in 1989 as part of a course project by University of Wisconsin professor Barton Miller, his Advanced Operating Systems class tested the reliability of UNIX commands by barraging it with a large number of random inputs until it crashed (which it did up to 33% of the time). The discovered weaknesses were then addressed and remediated, and “fuzzing” was born.  

Today, the practice remains essentially the same. Intentionally malformed, random, and unexpected bits of data are thrown at unsuspecting systems (this is typically a black box technique) to see where it fails. This reveals weaknesses that can then be fixed.  

Despite its intended use as a security technique, attackers often employ this technique when performing reconnaissance on a targeted environment.  Knowing that it can be used for malicious purposes, it’s all the more important that fuzz testing be deployed by an organization’s SOC team. 

Types of fuzz testing 

There are various types of fuzz testing.  

Some simple ones include: 

  • Dumb fuzzers | Unaware of input structure.  
  • Smart fuzzers | Aware of input structure. 
  • Mutation-based fuzz tests | Modifies legitimate inputs into semi valid ones)  

More complex fuzzers include: 

  • Coverage-guided fuzz testing | Uses information from an initial fuzz test to determine which inputs to mutate for the most overall coverage on the next go-around. 
  • Gray box fuzzing | Mixes black and white box fuzzing, so the fuzzer has a partial understanding of the system’s internal structure. 
  • White box tests | Operate with full awareness of the system’s internal structure and have a sniper-like approach, using a program’s source code to design tests and perform QA.  
  • Black box tests | Go in with zero awareness of internal structure and have a shotgun-like approach, revealing surface-level bugs and vetting a program’s basic functionality. 
  • Generation-based fuzz tests |Generate inputs from scratch, with no modeling from inputs the system is already used to taking. This is good for simulating the potential randomness of attackers’ exploits and is the antithesis of mutation-based fuzzing.  

Who Needs Fuzz Testing? 

The short answer? Everybody that doesn’t want to become a breach statistic. But let’s dive into specifics by industry:      

  1. Automotive | Smart cars are especially susceptible to attack. Alarmingly, https://www.helpnetsecurity.com/2020/01/06/automotive-cybersecurity-incidents/cybersecurity attacks on smart systems have gone up 225% since 2019.. 
  1. Aviation | Equally looming threats come when cybercriminals target smart systems on planes, which increasingly include all systems. Threats can range from data ransoming attacks (on a soon projected 98 million terabytes of data) to the potential for remote takeovers in the sky. 
  1. Healthcare | The more digital medical records, the greater the chance of them being hacked. A leak of patient health information (PHI) could fall left of HIPAA regulations and add regulatory fines to the cost of a breach – which, in healthcare, now averages $9.23 million dollars. Connected medical IoT devices are also a potential attack vector, putting anything connected to them (such as hospital data systems) at risk, as well.  
  1. Industrial Control Systems | Human machine interfaces (HMI) that manage industrial control systems (ICS) are susceptible to critical infrastructure attacks targeting the water supply, power utilities, and chemical manufacturing plants. These attacks often come from exploiting the vulnerabilities in old Operational Technology (OT) and leverage their connection to move laterally into the new IT systems to which they are connected. 

Advantages of Fuzz Testing 

Besides the obvious benefits of increased security and system awareness, fuzz testing has other advantages that make it the offensive security gift that keeps on giving: 

  • It runs itself | Once you’ve configured a fuzzer application, it can run on its own with no human intervention. This automatic feature saves teams resources, which makes it a very viable option for SOCs who are stretched thins as it is.  
  • Unbiased coverage | Because fuzzing requires completely random input, it can supersede any biases or blind spots of human testers alone. Therefore, it catches what we miss.  
  • Works for closed systems | The basic premise of fuzzing is that there are bugs in any system, just waiting to be discovered. Releasing fuzzers into a closed system is like running a RoombaR robot-vacuum in a closed house: It’s bound to catch the bugs eventually. 

The vast potential for harm, resulting from exploiting unknown weaknesses, is exponentiating as the world becomes a more connected place. It becomes a race between Black Hats and White Hats to see who will discover critical vulnerabilities first. The one who does has the upper hand; the one who doesn’t inevitably has to deal with the fall-out, which is so much the worse for companies with skin in the game. The most a hacker has to lose is a latent opportunity. 

A complete security strategy includes defensive security architecture and offensive measures to make sure that architecture is doing its job. Fortra’s File Fuzzing with beSTORM provides a smart fuzzing platform with extensive coverage of more than 260 modules, giving companies the confidence that their security strategy will stand up to attackers when it counts. 

Protect Against The Unknown with Black Box Fuzzers

There are more threats out there than the known cybersecurity vulnerabilities. Take an on-demand demo and see how BeSTORM can help uncover those unknown vulnerabilities.