On March 29, 2021, SC Magazine announced the finalists for their coveted SC Awards and ForAllSecure’s Mayhem for Code is a finalist for their “Best Enterprise Security Solution” category. In order to be recognized in that category, the SC Awards states that each organization’s tools and/or services were specifically designed to meet the requirements of large enterprises, with demonstrated results in strengthening the IT security industry’s continued evolution.
In this post, I will expand on why ForAllSecure’s Mayhem for Code is being recognized as a finalist in the Best Enterprise Security Solution and how a next-generation fuzz testing technology -- a decade in the making -- came to be a contender alongside names such as Checkmarx, Crowdstrike, Cybereason, and Darktrace.
Proving the World Needs Continuous & Autonomous Security
It’s 2021 and as we all know software is everywhere -- it has even made its way into our everyday household items like our Internet-connected toothbrushes and coffee cups. Back in 2017, the Application Security Report published by Cybersecurity Ventures estimated that 111 billion lines of code were to be written in that year. At the time that broke down to almost 2 billion lines of code being released each week. Today, we can’t even begin to imagine the incredible amount of code being written each day.
With the adoption of continuous development and delivery practices, how do developers find the time to maintain the billions of lines of code they write each year? How does any organization manage their software’s security if the man-hours are attributed to software development? If development is made to be continuous, why shouldn’t security?
ForAllSecure began exploring the answer to these questions in 2012 at Carnegie Mellon University when Professor David Brumley and his graduate students, Thanassis Avgerinos and Alex Rebert, created Mayhem for Code (formally Mayhem) as an advanced fuzz testing solution. They sought out to tackle the problem of autonomously and continuously securing software at development speed without sacrificing code quality and scalability. Through the utilization of fuzzing or fuzz testing, they found that Mayhem for Code dramatically reduces the amount of manual effort involved in vulnerability management, saving time for development teams and their organizations.
Mayhem for Code was put to the test in 2016 at the DARPA Cyber Grand Challenge (CGC), the world’s first machine-only hacking competition. DARPA spent nearly $60 million on the two-year CGC program, with over 100 global teams participating in building autonomous systems that could attack and defend without human intervention. Mayhem for Code came out on top as the first fully autonomous cybersecurity system beating out 6 other top-tier teams from universities and security companies.
The need for continuous and autonomous security is not limited to the public sector. This was proven with Mayhem for Code’s DARPA CGC win. In May 2020, ForAllSecure was awarded a $45 million contract to deploy Mayhem for Code across branches of the Department of Defense. Since then, Mayhem for Code has been adopted by Air Force 96th Cyberspace Test Group, the Air Force 90th Cyberspace Operations Squadron, NAVSEA, and the U.S. Army Command, Control, Communication, Computers, Cyber, Intelligence, Surveillance, and Reconnaissance Center (C5ISR), just to name a few.
The Future is Fuzzing
One that separates ForAllSecure’s Mayhem for Code from its fellow “Best Enterprise Security Solution” finalists is its core technology. Mayhem uses fuzz testing combined with symbolic execution. Fuzzing or fuzz testing, as described by OWASP, is a Black Box software testing technique, which basically consists of finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. The purpose of fuzzing relies on the assumption that there are bugs within every program which are waiting to be discovered, says OWASP. Therefore, a systematic approach to code coverage should find them sooner or later.
But what makes fuzzing valuable? In our recent whitepaper Fuzz Testing ROI Framework, a review of software security investments reveals that a majority of spending is in application testing solutions, such as static analysis, software composition analysis (Checkmarx CxSCA), and scanners. These conventional testing approaches test known or common attack patterns; they only address known CVEs or CWEs, leaving the unknown vulnerabilities -- zero days -- undetected for attackers to exploit. Fuzzing maximizes defect detection with the least amount of time and resources. As a result, it not only buys organizations time and money, it also frees scarce technical resources from manual, mundane tasks and allows them to focus on strategic initiatives that require true expertise.
Want to Learn More About Fuzz Testing?
Tune in to FuzzCon TV to get the latest fuzzing takes directly from industry experts.
Fuzz testing is a proven security testing technique that has been around for over three decades and when paired with other technologies is a powerful tool for any organization’s application security toolbox. The team at ForAllSecure found that by combining fuzzing with symbolic execution -- a method for symbolically crawling through the code -- they were able to unleash the full potential of fuzz testing through Mayhem for Code, resulting in zero false positives and uncovering deep defects and vulnerabilities simultaneously.
To learn more about Mayhem for Code visit https://forallsecure.com/mayhem-for-code
Making History, Again...
In 2021, ForAllSecure released Mayhem for API, a way to fuzz test your APIs for performance, reliability, and security. To learn more about Mayhem for API visit https://forallsecure.com/mayhem-for-api
It has been a historic journey for us from winning the DARPA Cyber Grand Challenge, the first all machine hacking competition, to being exhibited in the Smithsonian National Museum of American History, then named to MIT Tech Review’s 50 Smartest Companies of 2017, and finally being chosen as a finalist at RSA’s 2020 Innovation Sandbox. Since 2012 we have stayed true to our mission of “Making the World’s Software Safe” and have proven that Mayhem for Code is here to stay and is a contender in the application security space revolutionizing continuous security testing.