[Audio] Hello everyone, my name is Robert, and I am here today to make a presentation about Fuzz Testing.
[Audio] What is Fuzz Testing? Put simply, fuzzing introduces unexpected inputs, known as fuzz, into a system and watches to see if the system has any negative reactions to the inputs that indicate security, performance, or quality gaps or issues. The term "fuzz" was created by Barton Miller, a professor at the University of Wisconsin, who invented the term fuzz testing in 1989.
[Audio] Why do Fuzz Testing? Usually, fuzz testing finds the most serious security faults or defects. Fuzz testing is used to check for vulnerabilities in software. Fuzzing is one of the most common methods hackers use to find vulnerabilities in a system. Fuzz testing is one of the black box testing techniques. Fuzzing can frequently reveal severe defects which might be overlooked while the software is written and debugged.
[Audio] The advantages of Fuzz Testing include: Fuzz testing improves software security testing. Bugs found in fuzzing are sometimes severe and are most of the time the kind used by hackers, including crashes, memory leaks, unhandled exceptions, etc. If any of the bugs fail to get noticed by the testers due to the limitation of time and resources, those vulnerabilities are also found in fuzz testing. It produces results with little effort: as soon as a fuzzer is up and running, it may be left for hours, days, or months to search for bugs without any interaction. The disadvantages of Fuzz Testing include: Fuzz testing alone cannot provide a complete picture of an overall security threat or bugs. Fuzz testing is less effective for dealing with security threats that do not cause program crashes, such as some viruses, worms, Trojans, etc. Fuzz testing can detect only simple faults or threats. To perform effectively, it will require significant time.
[Audio] Types of Fuzzers: Fuzzers that modify existing data samples to produce new test data are known as mutation-based fuzzers. Generation-based fuzzers create new data based on the model's input. They start from the beginning, producing input depending on the requirements. The most successful fuzzer is the protocol-based fuzzer, which has extensive knowledge of the protocol format being tested. The understanding depends on the specification. It involves writing an array of the specification into the tool, then using the model-based test generation technique to go through the specification and add irregularities. The fuzzer can generate test cases from an existing one, or it can use valid or invalid inputs.
[Audio] Fuzz Testing Tools: Developers can benefit from a whole range of open-source software fuzzing tools. They are often specialized for specific use cases or programming languages. But there are also a few commercial solutions that become relevant if you're working in larger development teams or DevOps environments. Usually, they come with more integrations and features, such as automated bug reporting, continuous integration and continuous delivery, and OWASP vulnerability detection.
[Audio] Steps to Successful Fuzz Testing: Step 1) Identifying the target system. Step 2) Identifying inputs. Step 3) Generating fuzzed data. Step 4) Executing the test using fuzzy data. Step 5) Monitoring the system behavior. Step 6) Logging defects.
[Audio] With each passing year, vehicles become more complicated and connected. International data corporations predict that by 2023, almost 70% of worldwide new light-duty cars and trucks may have embedded connectivity. While this connectivity provides consumers the comfort they demand, it will increase the automobile's attack surface via USB connections, connected entertainment, navigation systems, and wireless systems. This makes automated security tests even more crucial to prevent criminals from stealing the automobile and compromising automobile systems and the privacy and safety of occupants. Due to increased security regulations, more and more software companies have to run automated security tests before shipping their software. That's why many industries and ISO standards recommend integrating automated fuzz testing into the development process, especially in industries that already have advanced quality and security regulations. A good example is ISO/SAE 21434 and UNECE WP.29, which deal with the security of automotive software.
[Audio] The following are the common challenges when fuzz testing: Where to start fuzzing? When developers put fuzz testing into effect for the first time, they often begin with a low budget, with little to no fuzzing experience, and no expert support. How to fuzz complex systems with dependencies? The dependencies within the automobile software make it difficult for developers to fuzz the programs properly, and the manual effort remains very high. How to integrate fuzz testing? Integrating fuzz testing into continuous integration and continuous development can help scale the advantages of this technique. However, for successful integration, developers, safety specialists, and managers must be on the same page about the consequences of these changes and the way they affect certain methods.
[Audio] In conclusion, fuzz testing is a type of software engineering that identifies the presence of flaws in an application but does not guarantee the detection of bugs completely in an application. Remember… there is also a human component to automated bug finding. Thank you for your time and for listening to my presentation about Fuzz testing. Please feel free to ask any questions.
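
The six steps and the mutation-based approach described in the presentation, as an added example that is not part of the original talk. The target `parse_record`, its record format, and the planted length-handling defect are constructed for illustration; the fuzzer treats `ValueError` as a clean rejection and any other exception as a defect.

```python
import random

def parse_record(data: bytes) -> bytes:
    """Step 1, the target (constructed): 'FZ' magic, 1-byte length, payload, checksum."""
    if len(data) < 3 or data[:2] != b"FZ":
        raise ValueError("bad header")            # clean rejection
    n = data[2]
    payload = data[3:3 + n]
    # Planted defect: the length field is trusted, so a short buffer
    # makes the checksum read run past the end (IndexError).
    if data[3 + n] != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return payload

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Step 3, mutation-based: flip a bit, insert a byte, or delete a byte."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "delete"))
        if op == "flip" and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == "delete" and buf:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(target, seeds, iterations=2000, rng_seed=1234):
    """Run the loop; return {defect signature: first input that triggered it}."""
    rng = random.Random(rng_seed)                 # fixed seed: runs are reproducible
    defects = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)                          # step 4: execute
        except ValueError:
            continue                              # expected rejection, not a defect
        except Exception as exc:                  # step 5: monitor behaviour
            # step 6: log, de-duplicated by exception type
            defects.setdefault(type(exc).__name__, case)
    return defects

# Step 2, the input: one valid sample record (constructed).
SEED = b"FZ\x03abc" + bytes([sum(b"abc") & 0xFF])

if __name__ == "__main__":
    for signature, case in fuzz(parse_record, [SEED]).items():
        print(signature, case.hex())
```

Each logged input is a reproducer: replaying it against the target after a fix confirms that the length check now rejects it with `ValueError`.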