Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Fuzzing / 11 Jun 2020
GitLab / Fuzzing / 11 Jun 2020
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Secure: Fuzz Testing Update - GitLab acquires Peach Tech & Fuzzit

Description

Tune in to learn about an exciting update to the GitLab Secure Direction and our newest Fuzz Testing solutions!

Press Release: https://www.globenewswire.com/news-release/2020/06/11/2046908/0/en/GitLab-Acquires-Peach-Tech-and-Fuzzit-to-Expand-its-DevSecOps-Offering.html

Learn more about our plans on our fuzz testing direction page at https://about.gitlab.com/direction/secure/fuzz-testing/fuzz-testing

Give us feedback on our feedback issue at https://gitlab.com/gitlab-org/gitlab/-/issues/221137

A

Hello, everyone and thank you for watching our fuzz testing update as part of our secure stage. My name is David de Santo, director of product for the secure and defend stages here at gate, lab I'm.

B

Sam Kirk I'm, a principal product manager here at get lab focused on fuzz testing.

A

We wanted to give you a brief update as to where we are with secure and some exciting information that we're making available today, as a touch point here, get lab is a complete DevOps platform allowing you to have your application security testing built right in and, as you can see here today, we have a lot of categories that have been already released, including things such as SAST and DAST and dependency scanning.

A

When we talk about secure we're talking about helping you proactively, identifying vulnerabilities and weaknesses to reduce your overall risk and that's part of shifting your security left and again thank lose the category such as SAS that's dependency scanning, and recently we launched our vulnerability management module, which gives you nice dashboards and in pipeline reports, and things like that. We're not going to talk about defend today. That's our other stage as part of our security story here, but that's allowing people within their operation side to have security visibility.

A

When we talk about secure we're, focused on application security and by definition that includes things such as SAS task, sopra, composition, analysis and interactive analysis and inside that software composition, alysus, does include things such as dependency scanning and license compliance and items like that.

A

But ultimately, ast products are focused on helping you analyze and test your applications for vulnerabilities, and we have a goal this year at git lab to be considered an application security testing leader, and with that, we feel that the definition as since today is very traditional and we're actually extending that to include close testing and by doing that, we're extending that ast definition and allow you to test deeper and find more issues.

A

And with that we would like to announce today that we have acquired two companies buzz it and peach tech buzz. It is focused on coverage, guided fuzz testing, where you're able to have access to the source code and be able to fuzz individual functions fuzz. It has been a leader and continuous fuzz testing, where testing can be done on a regular basis to help get better code coverage. Peach Tech has been a leader for many years within the behavioral fuzz testing.

A

This is where your fuzzing against a live application or service and you're sending inputs and receiving the output to identify what component C to be fuzz next and with both companies being acquired. Gill lab is in a very unique position to be able to offer both sides of fuzz testing, giving our customers and our users a wide range of new security capabilities and help them find vulnerabilities before someone else does and with that, I would like to hand it over to Sam to go over post testing and our next steps all.

B

Right thanks David, so I wanted to talk a little bit about what fuzz testing is before. We start talking a lot more about the details and where collab is going to be going with it at a high level. Fuzz testing is all about providing your application, random or arbitrary sorts of inputs to see how it reacts in a lot of cases. When your application is given those types of inputs, it will crash or behave in some way. That is unexpected and these crashes are unexpected behaviors.

B

These are parts of your app that could potentially be exploited, or they are at least flaws in the business logic of your application, which you are going to want to resolve, and so, with that in mind, there are a couple different ways that fuzz testing can be done. Fuzzy and Peach both take different approaches that are very complimentary and by using both provide far better results than you would get by just using one by itself.

B

Fuzz, it is focused on coverage, guided fuzz testing, and what this means is is that fuzzy is using contextual information from the source code of the application itself. To understand how to better fuzz your applications using that context, in contrast, peach is doing what we call behavioral based fuzz testing, and what this approach is all about.

B

It uses the definitions of the types of inputs, whether that's an API specification or some other similar sort of document, to say that the application is expecting this, so that the fuzzer has more context on how to generate those sorts of inputs to identify those potential bugs or vulnerabilities.

B

What's really exciting about. Both of these approaches, though, is that we can leverage review applications so that you can do fuzz testing as part of your developers workflow before being before, pushing the application to production, and this is going to let you ship security, further left in those developers, lifecycle.

B

So if we look at our roadmap and we're get lab is going with this, we have a few milestones. I wanted to highlight for you our initial preview release of fuzz testing, we're going to be releasing later this summer, and this is gonna, be focused on coverage, guided fuzz testing for golang applications. This is going to be leveraging the fuzzy technology and we're really excited to be releasing it to the market and getting you to use it in fall of this year. We're going to be releasing fuzz testing.

B

What we call our minimal maturity level and what this release is going to be about is integrating the behavioral fuzz testing that peach tech provides focused on fuzzing of web api's, specifically around open api.

B

Additionally, we're going to be adding coverage, guided fuzz testing support for additional languages such as Python, Java, C and C++ in the beginning part of next year, we're going to be moving fuzz testing. What get lab calls or buyable maturity state and what that is going to involve, is using the behavioral guided fuzzing technology from peach in different places such as our dast scanning, so rather than using the SAP open source project that we use today we're going to be leveraging a lot of the new technology that peach brings.

B

Additionally, we're going to be offering support for coverage guide, fuzz testing for all the languages that get lab supports in addition to those ones that I mentioned earlier. We're also going to be working on making the workflows in the UI have more context to allow you a better experience using these fuzz testing products and further out in the future. Our future goals with fuzz testing include providing support for more advanced fuzz testing use cases, as well as providing protocol support for behavioral guided fuzzing, including for file fuzz testing.

B

This is an advanced use case which we're happy to support, but I did want to also highlight that fuzz testing is a really great set of technologies, but ast is much bigger than just fuzz. Testing Gilla lab secure offers multiple different types of scanning like sassed, container scanning and others, and all of these together allow you to accurately and continuously assess the security of your application before it's being pushed to production.

B

So you can identify and remediate issues sooner rather than later, but what's most exciting about this and the unique value that get lab is bringing with this approach is that all of these security techniques are woven throughout the lifecycle of your application and the way that your developers work on their daily basis. Developers are not being required to use an additional tool or go to some other third portal third-party portal. All of those security results are in context with the work that they're doing is part of their day.

B

Jobs anyways, and this is what's really exciting about git lab and the secure offering that we're offering, as well with the addition of fuzz testing with that. Thank you very much for your time. We're excited to get you to try fuzz testing and would love to hear from you about it.

A

You very much Sam for that great, deep dive and again since we're very excited to have peach and posit joining, get lab and stay tuned for lots. More exciting updates.