Microsoft Launches Fuzz Testing Service That Finds Security Bugs

September 28, 2016

By now everyone knows how serious security bugs are. Organizations all over the world have unanimously reached the conclusion that it’s worth investing in order to prevent security issues. At the Ignite conference in Atlanta, Microsoft introduced a unique cloud-based fuzz testing service that finds security-critical bugs in software. Project Springfield can help you quickly adopt practices and technology tested by Microsoft over the last 15 years.

Fuzz testing, originally developed by Barton Miller in 1988, is a testing technique that’s used to discover coding errors and security loopholes in software by inputting large amounts of data (fuzz) in an attempt to make the system crash. The software is then monitored for crashes, failing built-in code assertions, or memory leaks. The technique is cost-effective, but it has its shortcomings because it cannot provide a deep look into the logic of the code. But what if you combined this technique with another one? Using a combination of whiteboxing and fuzzing, Microsoft’s Project Springfield uses a testing technique called “whitebox fuzzing” to repeatedly run the code through fuzzing sessions.

How it works

As you would expect, the process is quite simple:

1. The customer logs into a secure web portal. Project Springfield provides a Virtual Machine (VM) for the customer on which to install the binaries of the software to be tested, along with a “test driver” program that runs the scenario to be tested, and a set of sample input files called “seed files” to use as a starting point for fuzzing.

2. Project Springfield will continuously fuzz test using multiple methods, including Microsoft whitebox fuzzing technology.

3. Project Springfield reports security vulnerabilities in real time on the secure web portal. Customers can download actionable test cases to reproduce the issue.

4. The customer can prioritize and fix bugs, then re-test to ensure the effectiveness of the fix.

Whether you’re using Project Springfield to build software, buy software, or migrate your applications to the cloud, your products and actions should be safe.

So far, Project Springfield supports only Windows programs, with Linux fuzzing on the way. Learn more about Microsoft’s Project Springfield.