Download PDF - Codenomicon
Download PDF - Codenomicon
Download PDF - Codenomicon
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs)<br />
11<br />
Fuzzing Best Practices<br />
Fuzzing can be used to test all software and software components<br />
with hardware, so you can use it to test all types<br />
applications, services and network equipment like routers,<br />
switches and servers, and also security software like antivirus<br />
and firewalls [6]. The cost of not fuzzing can be high.<br />
It can be costly, if an important network element is offline<br />
or services unavailable, never mind the consequences of an<br />
advanced cyber attack.<br />
As an acceptance condition<br />
Many vendors are in a hurry to push software onto the market,<br />
and often times it is the user who ends up doing the<br />
testing [12]. Actually, software products have the highest<br />
rate of defects of product sold today [12]. By insisting on<br />
using fuzzing as an acceptance condition, you can make<br />
vendors claim responsibility over the quality and security of<br />
their products [6]. A prominent US ISP already uses fuzzing<br />
as entry criteria for its network suppliers [7]. The <strong>Codenomicon</strong><br />
Defensics test suites automatically collect all important<br />
information on found vulnerabilities into a Remediation<br />
Package, which you can send to third parties for automated<br />
reproduction [23].<br />
During SDL<br />
Large software houses already include fuzzing as a part<br />
of their secure development lifecycles: Cisco’s CSDL, Microsoft’s<br />
SDLC and the Adobe Product lifecycles are good<br />
examples of this. Giants like IBM and Google also promote<br />
fuzzing [12]. The Microsoft secure development lifecycle<br />
(SDL) model endorses the use of fuzzing in the verification<br />
phase [24]. However, fuzzing can be used throughout the<br />
development process from the moment the first software<br />
components are ready to even after the release [24]. The<br />
earlier the vulnerabilities are found, the easier and cheaper<br />
it is to fix them [1]. Indeed, by building security into your<br />
software you can avoid costly, critical and embarrassing<br />
software blunders.<br />
During production<br />
In addition to fuzzing before development, the production<br />
environment should also be tested, because testing elements<br />
in isolation does not always reveal the same issues as<br />
testing a live environment [6]. However, this may disturb the<br />
tested system, because it is essentially simulating an attack<br />
against it [24]. Thus, it should only be done after extensive<br />
testing and in the presence of support personnel [24].<br />
Augmenting parameter security defenses<br />
During the lag time between threat discovery and signature<br />
deployment, the IDS (intrusion detection system) is<br />
unable to identify the threat [23]. Help your defenses block<br />
attacks exploiting zero-day vulnerabilities by using the extensive<br />
documentation that Defensics provides [23]. The<br />
test cases triggering vulnerabilities in your system are described<br />
clearly making it easy to write your own IDS rules<br />
[23]. The rules can be based on vulnerabilities found by running<br />
predefined Defensics tests, or testing around known<br />
vulnerabilities downloaded from third party vulnerability<br />
feeds [23]. You can also use Defensics to generate variations<br />
of the original attack and to test how well IDS/IPS systems<br />
and firewalls can detect and block both the original attack<br />
and variations of it [23].