Project Springfield: How does Microsoft's fuzzing as a service work?

Microsoft's fuzzing as a service cloud initiative, called Project Springfield, can make a significant difference to software security. Expert Matthew Pascucci explains.

Microsoft recently introduced a fuzzing as a service option on Azure. How does this work as a cloud service, and how is it different than vulnerability scanners?

Microsoft released an initiative called Project Springfield, which allows developers to test the security of their software code with a technique called fuzzing. By fuzzing code, you're essentially throwing random inputs at the software to determine where the code breaks. The resulting failures could be issues with memory, injection, error handling and so on. By using fuzzing as a service, a developer is able to find issues with the software code that might not have been found without this detailed testing. The testers give the fuzzing application a set of inputs, which it runs through the code, and it continues to dig deeper into the software with each pass. The service is supposed to adapt with each round of fuzzing and be an automated way of finding software bugs.

Microsoft has Project Springfield running in Azure, and it seems to work only for Windows binaries as of this writing. The fuzzing as a service process outlined in Project Springfield can be broken down into four steps:

  1. The developer logs in to the software as a service portal and is given a virtual machine, where he puts the inputs into the fuzzing application;
  2. The fuzzer runs through multiple attempts of fuzzing the software;
  3. The results from the fuzzing are entered into the web portal that the developer logged in to initially, where he can export the vulnerability report; and
  4. The developer takes these bugs and hopefully remediates them before the code is sent to production.

This process tests for more than just vulnerabilities in the developer's software. The fuzzer also brings out logic errors within the code that might not be vulnerabilities in themselves, but can be abused all the same. In addition, vulnerability scanners look for flaws in applications, but they don't involve injecting troves of random data into the applications as fuzzing does. Adding fuzzing to your software development lifecycle process, along with static and dynamic analysis scans, adds an extra layer of protection for your software. With Project Springfield, Microsoft is taking a tool that might not have been accessible to everyone and making fuzzing as a service available to the masses, including those without much experience. In the future, having an option for automated fuzzing will assist with making software more secure to build and buy.
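
An added example, not from the original article and not Project Springfield's engine: a small coverage-guided mutation fuzzer in Python showing the loop the answer describes, where seed inputs are mutated and any input that reaches new code is kept for later rounds. The target `parse_record`, its planted length bug and the sample `SEED` are constructed for illustration.

```python
import random
import sys

def parse_record(data):  # constructed toy target: b"SF", type, length, payload
    if len(data) < 4 or data[:2] != b"SF":
        raise ValueError("bad header")            # documented rejection
    kind, length = data[2], data[3]
    if kind == 1:
        return data[4:4 + length]
    if kind == 2:
        return bytes([data[4 + length]])          # planted bug: trusts length
    raise ValueError("unknown type")

def run_traced(target, data):  # -> (outcome, target line numbers executed)
    lines, previous = set(), sys.gettrace()
    def tracer(frame, event, arg):
        if frame.f_code is target.__code__:
            lines.add(frame.f_lineno)
            return tracer
    sys.settrace(tracer)
    try:
        target(data)
        return "ok", lines
    except Exception as exc:
        return type(exc).__name__, lines
    finally:
        sys.settrace(previous)

def mutate(data, rng):  # input must be non-empty
    buf, pos = bytearray(data), rng.randrange(len(data))
    if rng.random() < 0.5:
        buf[pos] ^= 1 << rng.randrange(8)             # flip one bit
    else:
        buf[pos] = rng.choice((0, 1, 2, 0x7F, 0xFF))  # boundary-style value
    return bytes(buf)

def fuzz(target, seeds, rounds=5000, rng_seed=0):
    rng, corpus, crashes = random.Random(rng_seed), list(seeds), {}
    covered = set().union(*(run_traced(target, s)[1] for s in seeds))
    for _ in range(rounds):
        candidate = mutate(rng.choice(corpus), rng)
        outcome, lines = run_traced(target, candidate)
        if outcome not in ("ok", "ValueError"):       # ValueError = clean rejection
            crashes.setdefault(outcome, candidate)    # first reproducer per type
        elif not lines <= covered:
            corpus.append(candidate)                  # new path: keep mutating it
        covered |= lines
    return crashes, corpus

SEED = b"SF\x01\x03abc"  # constructed valid sample input
```

Calling `fuzz(parse_record, [SEED])` returns the first crashing input per exception type together with the grown corpus; the `IndexError` reproducer is the kind of finding a developer would take from the report and remediate.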
