Open Source Fuzzing Tools

Source: Internet. Editor: 程序博客网. Time: 2024/06/05 11:46

Product Details
  

  • Paperback: 448 pages
  • Publisher: Syngress (August 1, 2007)
  • Language: English
  • ISBN-10: 1597491950
  • ISBN-13: 978-1597491952
  • Product Dimensions: 9.1 x 7.5 x 0.7 inches


Book Description

Fuzzing is often described as a black box software testing technique. It works by automatically feeding a program multiple input iterations in an attempt to trigger an internal error indicative of a bug, and potentially crash it. Such program errors and crashes are indicative of the existence of a security vulnerability, which can later be researched and fixed.

Fuzz testing is now making a transition from a hacker-grown tool to a commercial-grade product. There are many different types of applications that can be fuzzed, many different ways they can be fuzzed, and a variety of different problems that can be uncovered. There are also problems that arise during fuzzing; when is enough enough? These issues and many others are fully explored.

  • Learn How Fuzzing Finds Vulnerabilities: Eliminate buffer overflows, format strings and other potential flaws
  • Find Coverage of Available Fuzzing Tools: Complete coverage of open source and commercial tools and their uses
  • Build Your Own Fuzzer: Automate the process of vulnerability research by building your own tools
  • Understand How Fuzzing Works within the Development Process: Learn how fuzzing serves as a quality assurance tool for your own and third-party software

About the Author

Noam Rathaus is the co-founder and CTO of Beyond Security, a company specializing in the development of enterprise-wide security assessment technologies, vulnerability assessment-based SOCs (security operation centers) and related products. He holds an electrical engineering degree from Ben Gurion University, and has been checking the security of computer systems from the age of 13. Noam is also the editor-in-chief of SecuriTeam.com, one of the largest vulnerability databases and security portals on the Internet. He has contributed to several security-related open-source projects including an active role in the Nessus security scanner project. He has written over 150 security tests to the open source tool's vulnerability database, and also developed the first Nessus client for the Windows operating system. Noam is apparently on the hit list of several software giants after being responsible for uncovering security holes in products by vendors such as Microsoft, Macromedia, Trend Micro, and Palm. This keeps him on the run using his Nacra Catamaran, capable of speeds exceeding 14 knots for a quick getaway.

Gadi Evron works for the McLean, VA-based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, especially regarding botnets and phishing. He is also the operations manager for the Zeroday Emergency Response Team (ZERT) and a renowned expert on corporate security and espionage threats. Previously, Gadi was Internet Security Operations Manager for the Israeli government and the manager and founder of the Israeli government's Computer Emergency Response Team (CERT).




A "fuzzer" is a program that attempts to discover security
   vulnerabilities by sending random data to an application. If that
   application crashes, then it has defects to correct. Security
   professionals and web developers can use fuzzing for software
   testing--checking their own programs for problems--before hackers do it!
   
   
   Open Source Fuzzing Tools is the first book to market that covers the
   subject of black box testing using fuzzing techniques. Fuzzing has been
   around for a while, but is making a transition from hacker home-grown
   tool to commercial-grade quality assurance product. Using fuzzing,
   developers can find and eliminate buffer overflows and other software
   vulnerabilities during the development process and before release.
   
   * Fuzzing is a fast-growing field with increasing commercial interest (7
   vendors unveiled fuzzing products last year).
   * Vendors today are looking for solutions to the ever-increasing threat
   of vulnerabilities. Fuzzing looks for these vulnerabilities
   automatically, before they are known, and eliminates them before
   release.  
   * Software developers face an increasing demand to produce secure
   applications, and they are looking for any information to help them do
   that.
