On Feb 27, 2007, at 4:54 AM, Michael Silk wrote:
unconvinced of what? what fuzzing is useful? or that it's the best security testing method ever? or you remain unconvinced that fuzzing in web apps is > fuzzing in os apps?fuzzing has obvious advantages. that's all anyone should care about.
No, not that it's useful or not. As I said in my other reply, my real wariness is of the "one size fits all" product solutions. It seems to me that the best fuzzing tools are in fact frameworks for building customized fuzzing tests. OWASP's jbrofuzz (in beta release currently) is an example of what I mean here. It gives the tester the means for identifying fields to fuzz and how to fuzz them (say, integer size testing), and then you press the fuzz button and it generates all the tests. That's useful, meaningful, and valuable, IMHO. But it's not a "fire and forget" general purpose tool that can test any web app.
Beyond that, to me it's an issue of coverage. As was any uninformed testing, it's bound to miss things, which is to be expected. (E.g., a state tree that contains a format string vulnerability that doesn't execute because the testing never triggered that particular state -- hence my comments about test coverage/state earlier.)
So, my impression is that fuzzing is useful (in Howard/Lipner's SDL book, they say that some 25% of the bugs they find during testing come out during fuzzing), but that it should only be a small, say 10-20%, part of a testing regimen.
Cheers, Ken ----- Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
Description: This is a digitally signed message part
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________