Microsoft recently introduced a fuzzing as a service option on Azure. How does this work as a cloud service, and how is it different than vulnerability scanners?
Microsoft released an initiative called Project Springfield, which allows developers to test the security of their software code with a technique called fuzzing. Fuzzing code essentially means throwing random inputs at the software to determine where things in the code break. The breakage could turn out to be issues with memory, injection, error handling and so on. By using fuzzing as a service, a developer is able to find issues with the software code that might not have been found without this detailed testing. The testers give the fuzzing application a set of inputs, which it runs through the code, and it continues to dig deeper into the software with each pass. The service is supposed to adapt with each round of fuzzing and be an automated way of finding software bugs.
That said, Microsoft has Project Springfield running in Azure, and it seems to work only for Windows binaries as of this writing. The fuzzing as a service process outlined in Project Springfield can be broken down into four steps:
- The developer logs in to the software as a service portal and is given a virtual machine where he puts the inputs into the fuzzing application;
- The fuzzer runs through multiple attempts of fuzzing the software;
- The results from the fuzzing are entered into the web portal that the developer logged in to initially, where he can export the vulnerability report; and
- The developer takes these bugs and hopefully remediates them before the code is sent to production.
This process tests for more than just vulnerabilities in the developer's software. The fuzzer brings out logic errors within the code that might not be vulnerable code, but can be abused all the same. In addition, vulnerability scanners look for flaws in applications, but they don't involve injecting troves of random data into the applications as fuzzing does. Adding fuzzing to your software development lifecycle process, along with static and dynamic analysis scans, adds an extra layer of protection for your software. With Project Springfield, Microsoft is taking a tool that might not have been accessible to everyone and making fuzzing as a service available to the masses, including those without much experience. In the future, having an option for automated fuzzing will assist with making software more secure to build and buy.
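The adaptive loop described above (start from supplied inputs, mutate them, and dig deeper with each pass) can be shown with a minimal coverage-guided mutation fuzzer. This is an added example, not Project Springfield's or Microsoft's code; the `parse_record` target, its record format, the planted length bug and the sample seed are all constructed for illustration.

```python
import random

def parse_record(data: bytes, cov: set) -> None:
    """Toy target (constructed): magic b'SF', type byte, length byte, payload."""
    if len(data) < 4 or data[:2] != b"SF":
        raise ValueError("bad header")          # clean rejection, not a bug
    cov.add("magic")
    kind, length, payload = data[2], data[3], data[4:]
    if kind == 0x01:
        cov.add("text")                         # text records need no further parsing here
    elif kind == 0x02:
        cov.add("blob")
        if length:
            cov.add("blob-nonempty")
            _ = payload[length - 1]             # planted bug: length is never checked
    else:
        raise ValueError("unknown type")

def run(data: bytes):                           # -> (branches reached, unexpected exception)
    cov = set()
    try:
        parse_record(data, cov)
    except ValueError:
        return cov, None                        # handled error path
    except Exception as exc:                    # anything else is a finding
        return cov, exc
    return cov, None

def mutate(data: bytes, rng: random.Random) -> bytes:   # overwrite one random byte
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(seeds, iterations=50_000, rng_seed=1):
    """Mutate corpus entries; keep any input that reaches a new branch."""
    rng = random.Random(rng_seed)
    corpus = list(seeds)
    seen = set().union(*(run(s)[0] for s in corpus))
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        cov, crash = run(candidate)
        if crash is not None:
            return candidate, crash, corpus
        if not cov <= seen:                     # new branch: promote to the corpus
            seen |= cov
            corpus.append(candidate)
    return None, None, corpus

SEED = b"SF\x01\x03abc"                         # constructed valid sample input
```

No single-byte change to the seed can trigger the bug: the fuzzer first has to discover an input that reaches the blob branch, keep it, and then mutate that one, which is the "adapts with each round" behavior in miniature.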
Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)