Learn, hack!

URL

http://dewy.fem.tu-ilmenau.de/CCC/23C3/video/23C3-1758-en-fuzzing_corporate_world.m4v

File name

23C3-1758-en-fuzzing_corporate_world.m4v

File size

247.8 MB

MD5

9c4fccb680e0ef6b2f47da43b8bdc35d

SHA1

27f10bf28dec26581173c1dd7b47874b98ba26f4

We will discuss fuzzing uses by software vendors and in the corporate world, for security auditing ("fuzzing before release") and third party testing ("fuzzing before purchase"). We will look at what contributed to this change in the use of fuzzing tools from home-grown hacking tools to commercial products, as well as how these organizations implement fuzzing into their development cycle. Fuzzing has been used for a long time in the hacker scene. Mostly, these tools have been home-grown. In the recent year, several commercial fuzzing tools appeared. These in turn are now utilized by organizations in the development cycle under the moto of "fuzzing before release", or "find the vulnerability before hackers do". Another interesting and somewhat unexpected development in the field is that end-clients are the largest consumers of advanced fuzzing technology, performing tests on software before purchase. Further, some large telcos and financial institutions now demand for products to be certified (even if not by an official seal) by fuzzing products which they authorize. Is fuzzing finally a solution to reduce vulnerabilities in products rather than just later discover them? How is it used by these corporations and third-party organizations? Some methodologies as well as examples will be presented, and we will also try to look into what the future holds.