buchachon - Fotolia

Microsoft previews Project Springfield, Azure-based fuzz testing

Microsoft's 'million-dollar bug detector' on offer in preview of Project Springfield, an Azure-based fuzz testing service announced at Ignite 2016.

Microsoft is offering a preview of its Project Springfield, a fuzz testing service for finding critical security bugs in software. Announced at Microsoft Ignite 2016 in Atlanta this week, the new "fuzzing as a service" project incorporates fuzzing technology that Microsoft used to discover one-third of the "million-dollar" security bugs found during development of Windows 7.

Project Springfield offers users a secure web portal to access a virtual machine on which they can upload binaries of software to be fuzz tested, a "test driver" program that runs the scenario being tested, and sample input files that the services use as a starting point for fuzzing. Project Springfield then runs continuous fuzz testing with multiple methods and reports security vulnerabilities over the web portal.

The new security testing service runs over Azure so users need not deploy their own data centers to do fuzz testing of code while using the tool Microsoft calls its "million-dollar bug detector," according to Allison Linn, senior writer at Microsoft. "Project Springfield helps customers quickly adopt practices and technology battle-tested over the last 15 years at Microsoft."

Microsoft calls Project Springfield a million-dollar bug detector, Linn wrote, because "every time the system finds a potentially serious bug proactively, before a piece of software is released, it is saving a developer the costly effort of having to release a patch reactively, once the product is already public. With widely used software such as an operating system or productivity suite, deploying those patches can cost as much as $1 million, the researchers say."

A key component of the service, called SAGE, has been in use at Microsoft since the mid-2000s and was used to test products like Windows 7 before release.

David Molnar, the Microsoft researcher who leads Project Springfield, said that fuzz testing is most useful for software that accepts input documents, images, videos or files that can carry harmful content. Molnar told Linn, "These are the serious bugs that it's worth investing to prevent."

Next Steps

Find out more about how fuzz testing can be used to secure internal apps.

Learn about what fuzz testing is, and how to use it.

Read about testing cloud application security in AWS.

Dig Deeper on Cloud Security Services: Cloud-Based Vulnerability Scanning and Antivirus