Security Blog
The latest news and insights from Google on security and safety on the Internet
ClusterFuzzLite: Continuous fuzzing for all
11 de novembro de 2021
Posted by Jonathan Metzman, Google Open Source Security Team
In recent years,
continuous fuzzing
has become an essential part of the software development lifecycle. By feeding unexpected or random data into a program, fuzzing catches bugs that would otherwise slip through the most thorough manual checks and provides coverage that would take staggering human effort to replicate.
NIST’s guidelines for software verification
, recently released in response to the White House
Executive Order on Improving the Nation’s Cybersecurity
, specify fuzzing among the minimum standard requirements for code verification.
Today, we are excited to announce
ClusterFuzzLite
, a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed, enhancing the overall security of the software supply chain.
Since its release in 2016, over 500 critical open source projects have integrated into Google’s
OSS-Fuzz
program, resulting in over
6,500
vulnerabilities and
21,000
functional bugs being fixed. ClusterFuzzLite goes hand-in-hand with OSS-Fuzz, by catching regression bugs much earlier in the development process.
Large projects including
systemd
and
curl
are already using ClusterFuzzLite during code review, with positive results. According to Daniel Stenberg, author of curl, “When the human reviewers nod and have approved the code and your static code analyzers and linters can't detect any more issues, fuzzing is what takes you to the next level of code maturity and robustness. OSS-Fuzz and ClusterFuzzLite help us maintain curl as a quality project, around the clock, every day and every commit.”
With the release of ClusterFuzzLite, any project can integrate this essential testing standard and benefit from fuzzing. ClusterFuzzLite offers many of the same features as
ClusterFuzz
, such as continuous fuzzing, sanitizer support, corpus management, and coverage report generation. Most importantly, it’s easy to set up and works with closed source projects, making ClusterFuzzLite a convenient option for any developer who wants to fuzz their software.
With ClusterFuzzLite, fuzzing is no longer just an idealized "bonus" round of testing for those who have access to it, but a critical must-have step that everyone can use continuously on every software project. By finding and preventing bugs before they enter the codebase we can build a more secure software ecosystem.
To learn more, check out the
ClusterFuzzLite documentation
. ClusterFuzzLite currently supports
GitHub Actions
,
Google Cloud Build
and
Prow
. We built this with CI system extensibility in mind, and adding support for other CI systems is straightforward. Please
contact us
if you’re interested in contributing support, or have any questions, feedback or feature requests.
Nenhum comentário :
Postar um comentário
Marcadores
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2023
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2022
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2021
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2020
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2019
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2018
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2017
dez.
nov.
out.
set.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2016
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2015
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
jan.
2014
dez.
nov.
out.
set.
ago.
jul.
jun.
abr.
mar.
fev.
jan.
2013
dez.
nov.
out.
ago.
jun.
mai.
abr.
mar.
fev.
jan.
2012
dez.
set.
ago.
jun.
mai.
abr.
mar.
fev.
jan.
2011
dez.
nov.
out.
set.
ago.
jul.
jun.
mai.
abr.
mar.
fev.
2010
nov.
out.
set.
ago.
jul.
mai.
abr.
mar.
2009
nov.
out.
ago.
jul.
jun.
mar.
2008
dez.
nov.
out.
ago.
jul.
mai.
fev.
2007
nov.
out.
set.
jul.
jun.
mai.
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
Nenhum comentário :
Postar um comentário