SEARCH RESULTS
Fuzz Testing at Microsoft and the Triage Process

2007-09-20 18:52:00 by sdl in The Security Development Lifecycle
 
...fuzzing, binary analysis and attack surface analysis tools. Previously, James Whittaker posted a blog entry on Testing in the SDL in which he mentioned that many folks equate fuzz testing with security testing. While fuzz testing doesn't come close to describing how security testing is done at Microsoft, it does happen to be one of our most...
Information flow tracing and software testing

2007-09-17 09:32:00 by Niels Provos in Google Online Security Blog
 
...fuzz testing. As previously discussed on this blog, Srinath's Lemon uses a form of smart fuzzing. Lemon is aware of classes of web application threats and the input families which trigger them, but not all fuzz testing frameworks have to be this complicated. Fuzz testing originally relied on purely random data, ignorant of specific threats...
"Crawling" Toward SDL

2008-03-06 22:13:00 by sdl in The Security Development Lifecycle
 
...fuzz testing. This is likely something you will need to invest some time creating. Scott Lambert's article on Fuzz Testing at Microsoft and the Triage Process provides some good guidance on how to think through what type(s) of fuzzing to exercise against your application. If you choose to expand beyond fuzz testing, I would point you back to...
SDL Training

2008-05-29 15:22:00 by sdl in The Security Development Lifecycle
 
...fuzz testing, for example. The room smelled really nice after that, and there are probably still a few people around Microsoft who think of fuzz testing when they see a peach. But even on my best day, I was under no illusion that the majority of the audience was excited to be there, and I was certain that they weren't going to go back to their...
Trip Report: PH-Neutral

2008-05-28 20:56:40 by Chris Eng in Zero in a bit
...fuzzing framework was also quite interesting. Peach 2 was released several months back but I haven't really been paying much attention to it or any other fuzzing tool for some time. In fact the last time I really had to implement a protocol fuzzer, I was using SPIKE 2.9, so that gives you some indication of how long it's been. Peach 2 includes...
Automating web application security testing

2007-07-16 11:40:00 by Panayiotis Mavrommatis in Google Online Security Blog
 
...fuzzing tool called Lemon (deriving from the commonly-recognized name for a defective product). Fuzz testing (also referred to as fault-injection testing) is an automated testing approach based on supplying inputs that are designed to trigger and expose flaws in the application. Our vulnerability testing tool enumerates a web application's...
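The Provos snippet above (purely random data versus a fuzzer that knows the input families which trigger a threat class) and this Lemon snippet (inputs designed to trigger and expose flaws) describe the idea but not the mechanics. What follows is an added example, not Lemon's code and not anything from the Google Online Security Blog or the Microsoft SDL blog: a constructed toy search handler with an assumed half-escaping bug, a "dumb" random-string generator, a small HTML-injection input family standing in for one of Lemon's threat classes, a structural oracle that flags any tag or attribute a browser would see only because of the payload, and a triage step that buckets findings by sink in the spirit of the Microsoft triage post. Every name here (vulnerable_handler, SMART_FAMILY, injected, triage, the fzmark/fzattr markers) is this example's own.

```python
"""Dumb (random) versus threat-aware fuzzing of a constructed web handler.

Added example; not Lemon and not code from the original post."""
import html
import random
import string
from html.parser import HTMLParser


def vulnerable_handler(q: str) -> str:
    """Constructed target. The body is escaped correctly, but the attribute
    value is escaped with quote=False (assumed bug), so a double quote in the
    query survives and can terminate the attribute."""
    attr = html.escape(q, quote=False)
    body = html.escape(q, quote=True)
    return (f'<form><input name="q" value="{attr}"></form>'
            f'<p>Results for {body}</p>')


def fixed_handler(q: str) -> str:
    """Same page with both sinks fully escaped (quotes included)."""
    safe = html.escape(q, quote=True)
    return (f'<form><input name="q" value="{safe}"></form>'
            f'<p>Results for {safe}</p>')


class _Structure(HTMLParser):
    """Records every (tag, attribute-name) pair the parser sees."""
    def __init__(self):
        super().__init__()
        self.seen = set()

    def handle_starttag(self, tag, attrs):
        self.seen.add((tag, None))
        for name, _value in attrs:
            self.seen.add((tag, name))


def structure(page: str) -> set:
    parser = _Structure()
    parser.feed(page)
    parser.close()
    return parser.seen


def injected(handler, payload: str) -> set:
    """Oracle: markup structure present only because of the payload.
    Anything beyond what a benign query produces means the input reached
    the markup layer unescaped (a new tag, or a new attribute on a tag)."""
    baseline = structure(handler("benign"))
    return structure(handler(payload)) - baseline


# Threat-aware inputs: one HTML-injection family, each carrying a marker so a
# hit is easy to attribute. A real tool would have many such families.
SMART_FAMILY = [
    "<fzmark>",          # raw tag in text context
    '"><fzmark>',        # break out of a double-quoted attribute, then a tag
    "'><fzmark>",        # same for a single-quoted attribute
    '" fzattr="1',       # break out and add an attribute without closing the tag
    "</p><fzmark>",      # close the enclosing element first
]


def smart_fuzz(handler) -> dict:
    """Try each member of the threat family; return {payload: new structure}."""
    return {p: injected(handler, p) for p in SMART_FAMILY if injected(handler, p)}


def dumb_fuzz(handler, tries: int = 200, seed: int = 1) -> dict:
    """Purely random printable strings, ignorant of any threat class."""
    rng = random.Random(seed)
    alphabet = string.digits + string.ascii_letters + string.punctuation
    findings = {}
    for _ in range(tries):
        payload = "".join(rng.choice(alphabet) for _ in range(8))
        hit = injected(handler, payload)
        if hit:
            findings[payload] = hit
    return findings


def triage(findings: dict) -> dict:
    """Bucket raw findings by the element whose structure changed, so that
    many payloads hitting one sink are tracked as one bug to fix."""
    buckets = {}
    for payload, hits in findings.items():
        for tag, _attr in hits:
            buckets.setdefault(tag, [])
            if payload not in buckets[tag]:
                buckets[tag].append(payload)
    return buckets


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("fixed", fixed_handler)):
        smart = smart_fuzz(handler)
        dumb = dumb_fuzz(handler)
        print(f"{name}: smart found {len(smart)} payload(s) in {len(SMART_FAMILY)} tries, "
              f"random found {len(dumb)} in 200; sinks to fix: {sorted(triage(smart))}")
```

Against the vulnerable handler the threat-aware family hits the attribute sink on its second and fourth inputs; the random generator can also find it, but only when a payload happens to contain a double quote followed by something attribute-shaped, which is why the number of tries matters for dumb fuzzing and not for smart fuzzing. Against the fixed handler neither finds anything, which is the regression check you want to keep once the bug is closed.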
Auditing open source software

2007-10-08 16:13:00 by Panayiotis Mavrommatis in Google Online Security Blog
 
...fuzz testing, or preferably both). It is also important to watch for security updates for any decoding software you use, and keep patching up to date.
Oh No! Security Metrics!

2008-04-18 12:43:00 by sdl in The Security Development Lifecycle
 
...Fuzz testing (Net effect: implementation bugs found before shipping). So, to answer Mr. Lindstrom's question, "Could it really be that SDL has done nothing to help MS developers write better code?" Without a doubt, the SDL has helped Microsoft developers write better and more secure code. However, we are still faced with the question whether...
"Walking" with the SDL - Part 1

2008-07-18 16:55:00 by sdl in The Security Development Lifecycle
 
...fuzz testing capability
3. Results that show how the analysis resulted in improved security
   a. Response planning and response process in place
   b. Use bugs to gather evidence and show that your work improved security
Think of these pieces as the gross motor skills you need to start walking. You should already be using these components and...
Walking with the SDL Part 2

2008-07-21 16:56:00 by sdl in The Security Development Lifecycle
 
...fuzz testing. Now that you are building a lifecycle, your goal for security training should expand. Security training should be about creating an environment where writing secure software is everyone's mission. While security training should be undertaken with the goal of understanding security issues and how to address them, good training...