Last August 2021, ForAllSecure held its second annual FuzzCon. FuzzCon seeks to bring together technical experts and industry leaders across various sectors to share fuzz testing knowledge. Our ultimate vision for FuzzCon is to be a key source for connecting people with knowledge and fellow enthusiasts. Through education and networking, our goal is to make this advanced technique more approachable and accessible.
Approachability and accessibility remain a top goal for this event. Fuzz testing is a technique that has been around for nearly three decades, but continues to be deemed as a mysterious, yet powerful capability only exclusive to a few. At FuzzCon 2020, Mike Walker, Sr. Director of Microsoft Research NExT Special Projects, echoed this sentiment: “Fuzzing seems like black magic and it just seems impossible to bring into [a] company. At the same time, we don't know what else we can do to make it more accessible. Who can be right in that conversation? And, the answer is absolutely both sides. Because the future is always already here, it’s just unevenly distributed.”
Historically technical teams, including the ForAllSecure Mayhem R&D team, have made tremendous strides to increase the ease-of-use and accessibility through the open source of fuzz testing technology. This has been the case for the last decade. What’s been missing all this time is the approachability of this technology. FuzzCon serves as the natural complement to the technical progress we’ve made. FuzzCon introduces approachability by melting away fuzz testing’s perceived intimidation.
“Security testing is more important, and available than ever. That was the key take away this year: start fuzzing, no matter what maturity level your organization is at. Makers and customers desire safer systems,” Dr. Jared DeMott, Security Veteran and 2021 FuzzCon Master of Ceremonies, reflects.
We host FuzzCon because we believe in the importance of proliferating fuzz testing to every organization. It truly is the future of application security. The advent of CI/CD, DevOps, and Digital Transformation has rendered Application Security Testing 1.0 technology obsolete, largely due to the fact that they’ve been modeled after waterfall developer methodologies. To make matters worse, the approaches that static analysis (SAST) and software composition analysis (SCA) take inherently place testers in a reactive position -- meaning they’ll never get ahead of the threat landscape. These tools base their checkers and test cases on already known information -- CWEs and/or CVEs. Fuzz testing is the only technique that is able to find issues before they become known to the attackers and the public. It is also the only DAST technology that’s able to instrument itself into the SDLC, delivering accurate results directly to the developers. In order to improve the world’s product security posture, we need to make way for technology that aligns with the direction of development practices, the needs of the developers, and the ever-evolving risk landscape.
David Brumley, CEO of ForAllSecure, shares why he believes fuzz testing is critical for the advancement of our future as a society:
"Fuzz testing finally gives developers and security what they want: real results with zero false-positives. There is a big difference between data, which is just data, and actual information. Fuzzing provides information: is there a real defect?
"But the reason to be excited goes deeper than that. You see, we didn’t choose to be a fuzzing company. We are a company solving the human cybersecurity workforce shortage problem. We want to live in a world that harnesses human creativity to solve business and societal issues, not check a laundry list of rules, false-positives, and random data sources. We all know this problem is key. Today we’re living on borrowed security time by developing software faster than we can secure it. In 2016, the best minds were challenged with the question: how do we scale application security at modern internet speeds and modern developer scale? The answer -- and this is really what was proven by the DARPA Cyber Grand Challenge -- is fuzz testing. But, we mustn’t lose sight of the larger problem we’re solving, which is making cybersecurity autonomous so humans can do what they do best: innovate."
We know we’re on to something. In the last year and half, we’ve seen major shifts in the Application Security Testing market. Gartner added Fuzz Testing into their Critical Capabilities, recognizing this technique as a requirement to qualify for their Application Security Testing Magic Quadrant. Git repository vendors are making moves into this market. GitLab acquired not one, but two fuzz testing vendors. And, last but not least, we’re seeing the rise of the Chief Product Security Officer (CPSO). The CPSO function and role is being recognized as a separate entity from the CISO and they are being invited to the table, a sign that the security of software is more important than ever.
We’re driving the future of application security. Join us in our pursuit to make the world’s software safe. For more information about fuzz testing and Mayhem, contact us here.
If you missed our FuzzCon 2021, you’re in luck. You can watch the recording here.