alex_aldo - Fotolia
How can OSS-Fuzz and other vulnerability scanners help developers?
Google's OSS-Fuzz is an open source vulnerability scanner. Expert Matthew Pascucci looks at how developers can take advantage of this tool and others like it.
Should developers take advantage of open source bug-finding tools, like Google's OSS-Fuzz? If so, how can they do that? What are some other useful tools that provide similar vulnerability scanning?
In December 2016, Google released its project, dubbed OSS-Fuzz, as an open source tool to fuzz applications for security and stability concerns. The tool doesn't scan every piece of open source software; in order to be accepted by OSS-Fuzz, an open source project must have a large following or be considered software that's critical to global infrastructure.
In the past year, the project has scanned 47 applications and has found over 1,000 vulnerabilities, with over a quarter of those being security vulnerabilities.
Developers running an open source project should definitely look to integrate into Google's project. The code of the fuzz target, or the code being fuzzed for vulnerabilities, should be part of the project's source code repository.
Developers also need to have seeds so that the fuzzing can be more efficient. Google recommends having a "minimal set of inputs that provides maximal code coverage." Developers also need to be aware of what's being fuzzed in their code, and the coverage of the fuzzers should be reviewed to validate that the application is being tested efficiently.
There are many open source tools available for developers to use within their coding practice, and a good start would be to review the Open Web Application Security Project (OWASP). This project was founded to create a third party that doesn't report to any particular vendor, and it creates best practices and security standards for developers to follow.
There are many open source tools used to help assist with finding vulnerabilities. OWASP also has experienced application security developers participating in the project to advance the state of application security. There are a few tools that OWASP has either developed or that it recommends, and you can find them on OWASP's website.
Another free tool to review from a vulnerability standpoint is Qualys's SSL Labs site. This site, powered by and developed by Qualys, shows the status of a website's SSL configuration. By entering a website's URL into the system, it performs an audit of the SSL configuration and reports back with a rating of the current site's SSL security. This isn't completely application based, but it plays a big part in securing the data in transit when accessing applications.
There are many vulnerability scanners, techniques and services that developers can use, and having vulnerability management as part of an application's secure development lifecycle is extremely important. The security of your applications is important, but creating a continuous monitoring program with vulnerability management is the most efficient and cost-saving option to secure your applications.
If you're not able to purchase tools or services to assist with vulnerability management, the OWASP project and tools like Google's OSS-Fuzz are good places to start for free. Security shouldn't always have to come with a big price tag.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)