23C3 - 1.5

23rd Chaos Communication Congress
Who can you trust?

Speaker: Gadi Evron
Schedule: Day 3, Saal 4, 12:45, duration 01:00
Event ID: 1758
Event type: Lecture
Track: Community
Language: English

Fuzzing in the corporate world

The use of fuzzing in the corporate world over the years, and the recent adoption of fuzzing tools both within the development cycle and as a requirement before purchase.

We will discuss the use of fuzzing by software vendors and in the corporate world, for security auditing ("fuzzing before release") and for third-party testing ("fuzzing before purchase"). We will look at what drove the shift from home-grown hacking tools to commercial fuzzing products, and at how these organizations integrate fuzzing into their development cycle.

Fuzzing has been used in the hacker scene for a long time, mostly with home-grown tools. In the past year several commercial fuzzing tools have appeared, and organizations now use them in the development cycle under the motto "fuzzing before release", or "find the vulnerability before the hackers do". Another interesting and somewhat unexpected development is that end customers are the largest consumers of advanced fuzzing technology, testing software before they buy it. Some large telcos and financial institutions go further and demand that products be certified (even if not by an official seal) with fuzzing products they have authorized.

Is fuzzing finally a way to reduce the number of vulnerabilities in products, rather than merely to discover them later? How is it used by these corporations and by third-party organizations? We will present some methodologies and examples, and try to look at what the future holds.