Book Description
Fuzzing is often described as a black boxsoftware testing technique. It works by automatically feeding a programmultiple input iterations in an attempt to trigger an internal errorindicative of a bug, and potentially crash it. Such program errors andcrashes are indicative of the existence of a security vulnerability,which can later be researched and fixed.
Fuzztesting is now making a transition from a hacker-grown tool to acommercial-grade product. There are many different types ofapplications that can be fuzzed, many different ways they can befuzzed, and a variety of different problems that can be uncovered.There are also problems that arise during fuzzing; when is enoughenough? These issues and many others are fully explored.
Learn How Fuzzing Finds Vulnerabilities
Eliminate buffer overflows, format strings and other potential flaws
Find Coverage of Available Fuzzing Tools
Complete coverage of open source and commercial tools and their uses
Build Your Own Fuzzer
Automate the process of vulnerability research by building your own tools
Understand How Fuzzing Works within the Development Process
Learn how fuzzing serves as a quality assurance tool for your own and third-party software
About the Author
Noam Rathaus is theco-founder and CTO of Beyond Security, a company specializing in thedevelopment of enterprise-wide security assessment technologies,vulnerability assessment-based SOCs (security operation centers) andrelated products. He holds an electrical engineering degree from BenGurion University, and has been checking the security of computersystems from the age of 13. Noam is also the editor-in-chief ofSecuriTeam.com, one of the largest vulnerability databases and securityportals on the Internet. He has contributed to several security-relatedopen-source projects including an active role in the Nessus securityscanner project. He has written over 150 security tests to the opensource tool's vulnerability database, and also developed the firstNessus client for the Windows operating system. Noam is apparently onthe hit list of several software giants after being responsible foruncovering security holes in products by vendors such as Microsoft,Macromedia, Trend Micro, and Palm. This keeps him on the run using hisNacra Catamaran, capable of speeds exceeding 14 knots for a quickgetaway. Gadi Evron works for the McLean, VA-based vulnerabilityassessment solution vendor Beyond Security as Security Evangelist andis the chief editor of the security portal SecuriTeam. He is a knownleader in the world of Internet security operations, especiallyregarding botnets and phishing. He is also the operations manager forthe Zeroday Emergency Response Team (ZERT) and a renowned expert oncorporate security and espionage threats. Previously, Gadi was InternetSecurity Operations Manager for the Israeli government and the managerand founder of the Israeli governments Computer Emergency Response Team(CERT).
A "fuzzer" is a program that attempts to discover security
vulnerabilities by sending random data to an application. If that
application crashes, then it has deffects to correct. Security
professionals and web developers can use fuzzing for software
testing--checking their own programs for problems--before hackers do it!
Open Source Fuzzing Tools is the first book to market that covers the
subject of black box testing using fuzzing techniques. Fuzzing has been
around fow a while, but is making a transition from hacker home-grown
tool to commercial-grade quality assurance product. Using fuzzing,
developers can find and eliminate buffer overflows and other software
vulnerabilities during the development process and before release.
* Fuzzing is a fast-growing field with increasing commercial interest (7
vendors unveiled fuzzing products last year).
* Vendors today are looking for solutions to the ever increasing threat
of vulnerabilities. Fuzzing looks for these vulnerabilities
automatically, before they are known, and eliminates them before
release.
* Software developers face an incresing demand to produce secure
applications---and they are looking for any information to help them do
that.
免費(fèi)注冊(cè)
發(fā)表于 2008-03-10 16:34
:wink:
