With that said, I’m willing to bet quality assurance is low on everyone’s mind when it comes to top-tier “hacking tools”. However, the QA process is the backbone of what it takes to operate at that level. Unlike a web browser or the mobile app du jour, there’s no room for error when it comes to malware. Think about it…if you crash a box, you’re caught. If you get logged, you’re caught (at least you should be :). If you fail to handle the latest security product or exploit mitigation…you’re caught! And when your exploit or implant gets caught, it’s time to start over.
Could you imagine if Pokémon Go had to be rewritten from scratch every time it crashed a certain number of times? Hell, the product wouldn’t have been released until 2018! Even at that rate, it wouldn’t support the newest/latest/greatest phones and operating systems. Despite these hurdles, my team was able to build a company which delivered software to customers with the highest quality assurance standards. To do this at scale, we leveraged an insane amount of automated testing which relied heavily on fuzzing (also called “fuzz testing”).
For those not familiar, fuzzing refers to a software testing technique that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for crashes, failing code assertions, or potential memory leaks. Considering that fuzzing is commonly used by cyber security researchers to find software vulnerabilities, it’s obvious why software developers should use the same techniques to discover bugs first!
- Crawls through fuzzing foundations like mutation/generative-based fuzzers & instrumentation.
- Walks through enterprise-focused methodologies like code coverage statistics, corpus distillation, fuzzer efficiency, and vulnerability detection.
- And runs through new techniques like SMT Solving & Concolic Execution.
If you’re a developer looking to improve the quality of your software, we’d love for you to join our next class! We’re cyber security veterans (10 years in the US Intelligence Community) with first-hand experience fuzzing software to discover and exploit vulnerabilities. We’ve also taught this class seven times at BlackHat and published a high-level video blog on fuzzing over at Cybrary.
If you like what you read or know someone who could benefit from this blog, don’t hesitate to share! Sharing is caring, and caring helps pay our bills :P