On Tue, 13 Mar 2007, Gary McGraw wrote:
> In my opinion, though fuzz testing is certainly a useful technique (we've 
> used it in hardware verification for years), any certification based solely 
> on fuzz testing for security would be ludicrous.  Fuzz testing is not a 
> silver bullet.

Fuzzing is indeed, most definitely, not a or the silver bullet, nor should
testing be based on it solely. What it does provide us with is a measurable
fashion by which we can reliably test the:
1. Stability
2. Programming quality
3. Robustness

Of software, to a level which is much higher than employing several
reverse engineers and test engineers (not to say just examining
vulnerability history on the bugtraq archive).

Further, if not by certification, fuzzing has already shown it can
pressure companies to use software development lifecycle methodologies and
that way enforcing (encouraging?) better security with "partners" (read
Microsoft).

Fuzzing has also shown that it can be used to force vendors who sell to
you to indeed be "tested" by certain products (read large
Telcos). Although I am unsure if this approach holds water.

The re-emergence of this field beyond rubber stamp certifications or very
costly certifications, is something I see as very positive.

That, of course, is not a or the silver bullet in any way, either, but
maybe we will see fewer input validation bugs around and will start facing
logical flaws that will boggle our minds.

Personal opinion: enough with buffer overflows already, no? :)

> The biggest stumbling block for software certification is variability in 
> final environment.

That makes sense, but I figure if we can eliminate some more by a factor
in our testing environment(s), all the better.

> gem

        Gadi.

--
"beepbeep it, i leave work, stop reading sec lists and im still hearing
gadi"
- HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________