Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Fuzzing 101 / 29 Sep 2020
GitLab / Fuzzing 101 / 29 Sep 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Finding Bugs with Coverage Guided Fuzz Testing (DevSecOps)

Description

GitLab allows you to add coverage-guided fuzz testing to your pipelines. This helps you discover bugs and potential security issues that other QA processes may miss.

Coverage-guided fuzzing sends random inputs to an instrumented version of your application in an effort to cause unexpected behavior, such as a crash. Such behavior indicates a bug that you should address.

Follow @awkwardferny and @gitlab on twitter. 🐦
Getting Started with Coverage-Guided Fuzz-Testing: https://docs.gitlab.com/ee/user/application_security/coverage_fuzzing/
Sample Java Project: https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/java-fuzzing-example
Get in touch with Sales: http://bit.ly/2IygR7z

A

Hey my name is fernando and I'm a technical marketing manager here at get lab today, I'm going to show you fuzz testing and how it can benefit you, fuzz testing, automates, providing invalid, unexpected or random data as inputs to your application.

A

Individual functions of your application can also be fuzz tested in order to find vulnerabilities before the application is even complete.

A

The application is then monitored for errors, such as crashes, failing code, assertions or potential memory leaks, all which can cause security issues.

A

Here's a project set up with fuzz testing in order to enable fuzz testing. We add the coverage template to the gitlab ci yaml. We create a job to tell the fuzzer how to run on our application. Each buzzer is application specific and each programming language uses a different fuzzing library for more information. On this see the links in the description.

A

This is the file which contains the fuzzer. Here. Random data is passed to the parse complex.parse function, since this is a java application. It's set up using jqf for fuzz testing.

A

Fuzz testing helps you find issues or vulnerabilities that other qa processes may have missed by adding it to the cicd pipeline and running it on a feature branch. You can find these issues before they make their way to production. Gitlab makes it easy to add coverage, guided fuzz testing to your ci cd pipeline.

A

Once fuzz testing has been configured, the pipeline runs and gathers up the first testing results.

A

These results can be downloaded or directly. Viewed on your browser. Looking at the results of the fuzz testing job, we can see a few items. There is a json artifact which contains all the issues detected.

A

Then there's the corpus folder, which contains all the test cases from previous runs and then there's the crashes folder, which contains all the crashes from previous runs. The json artifact provides information on the issues detected by fuzz testing.

A

Here we see an index out of bounds issue which caused the application to crash.

A

This leads us to examine the code. The fuzzer calls you can see that the function checks if data.length is greater than 4, but it fails to check if data.length is less than 4, which would throw an out of bounds error.

A

This is something the developer missed, which fuzz testing detected thanks for watching for more information on fuzz testing and git lab see the links in the description be sure to subscribe here at gitlab. Everyone can contribute.