What Applications Should Be Fuzz Tested?

Several factors indicate that an application is a good candidate for fuzz testing:

• The application is written in C or C++. These languages are non-memory safe (also called unmanaged.) As the developer must manage memory by hand, memory corruption bugs are inevitable. Such bugs are often very difficult to find using traditional unit testing; fuzzing can be a very effective means of finding them.
• Input from a file (or stdin) is processed.
• The program’s input is untrusted. If the input comes from an outside source (such as the internet), a hacker could send data which has been crafted to exploit a security vulnerability. This is also called “crossing the trust boundary.” There can be multiple instances of crossing the trust boundary in an application.
• New or changed code. There is always the possibility that new or modified code contains memory corruption bugs. As it is important to detect these as early as possible, automatically running a fuzz test as part of the continuous integration (build/test) cycle is good practice. This technique is called Continuous Fuzzing (or regression fuzzing.)

For information on Fuzz Stati0n’s cloud based continuous fuzz testing solution, please see our website.