After a couple of folks said they liked it, I figured it is on-topic enough to send it here. This is my lecture from CCC, I hope you like it (I swear in it.. it's defcon-like, be warned PG-13).
It basically describes fuzzing and how it can be/is implemented in the corporate world/as part of the development process/as certification/as testing... etc. and how a fuzzer can be built to fit what the corporate world is looking for. This is not a technical lecture in any way - so skip it if that's what you are looking for. We do cover the basics of black box testing with fuzzing, though. :)

http://media.hojann.net/23C3/23C3-1758-en-fuzzing_corporate_world.m4v
http://fsmpi.uni-bayreuth.de/~pw/23c3/23C3-1758-en-fuzzing_corporate_world.m4v

From the talk description:
http://events.ccc.de/congress/2006/Fahrplan/events/1758.en.html
(an updated PDF of the presentation should be there soon)

Fuzzing in the corporate world

The use of fuzzing in the corporate world over the years and recent implementation of fuzzing tools into the development cycle and as a requirement before purchase

----

We will discuss fuzzing uses by software vendors and in the corporate world, for security auditing ("fuzzing before release") and third party testing ("fuzzing before purchase"). We will look at what contributed to this change in the use of fuzzing tools from home-grown hacking tools to commercial products, as well as how these organizations implement fuzzing into their development cycle.

----

Fuzzing has been used for a long time in the hacker scene. Mostly, these tools have been home-grown. In the recent year, several commercial fuzzing tools appeared. These in turn are now utilized by organizations in the development cycle under the motto of "fuzzing before release", or "find the vulnerability before hackers do". Another interesting and somewhat unexpected development in the field is that end-clients are the largest consumers of advanced fuzzing technology, performing tests on software before purchase. Further, some large telcos and financial institutions now demand for products to be certified (even if not by an official seal) by fuzzing products which they authorize.
Is fuzzing finally a solution to reduce vulnerabilities in products rather than just later discover them? How is it used by these corporations and third-party organizations? Some methodologies as well as examples will be presented, and we will also try to look into what the future holds.

Gadi.