The CI Security Suite allows you to set up and continuously execute automated security and reliability tests by making accessible fuzzing technologies that were previously only available through hard-to-find security experts.
The configuration is done through an IDE plugin (we currently support Visual Studio Code with more integrations in the works) that guides the user through setting up a fuzzer. The user can interactively see which parts of the code were already reached by the fuzzer, supply additional input grammars for fuzzing structured data, and browse the issues found by the fuzz tests.
Once a fuzz target is ready, our Continuous Integration component takes over. Easily integrable into a standard CI workflow such as Jenkins, the fuzz tests are run automatically with each new code change. The backend also supports fuzzing on a Kubernetes cluster for unlimited scalability.
With the CI Security Suite, you can identify the following vulnerabilities, among others, and prevent damage before it occurs.
Fuzzing is a dynamic technique to discover abnormal behaviour (crashes, hangs, etc.) in software. The basic idea is simple: Provide an input to the program and report any crash. If it does not crash, repeat with a new random input, possibly derived from the last one. A fuzzer that does the input generation part really well is radamsa.
Then in 2016, american fuzzy lop (afl) improved fuzzing by considering the coverage, i.e. the traversed code paths during execution, in the generation of new inputs. Therefore, afl and other coverage-based fuzzers can discover far more parts of a program than “dumb” fuzzers.
The next major improvement in the realm of fuzzing came in the form of sanitizers that detect more types of errors than just crashes. The address sanitizer, for example, monitors memory access akin to Valgrind (but a lot faster), while the thread sanitizer watches for race conditions between multiple threads. Running sanitizers with fuzzers was made even more practical with the advent of libFuzzer, a fuzzing engine baked into LLVM, due to smart handling of the large virtual memory requirements of the address sanitizer.
In short, the combination of coverage information with sanitizers is what we call modern fuzzing.
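As an added illustration (not code from the CI Security Suite), the following is a libFuzzer fuzz target for a small length-prefixed record parser, with the missing bounds check that the address sanitizer would report shown beside its fix. The record format, the function name parse_record and the macros VULNERABLE and LIBFUZZER_BUILD are assumptions made for this example.

```c
/* Added example, not Code Intelligence's code. The record format, function
 * names and the LIBFUZZER_BUILD / VULNERABLE macros are assumptions.
 * Fuzzing build: clang -g -O1 -fsanitize=fuzzer,address -DLIBFUZZER_BUILD target.c
 * Add -DVULNERABLE to get the unchecked "before" version that ASan reports. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 16

/* Constructed format: byte 0 = name length n, bytes 1..n = name.
 * Returns 0 on success, -1 on malformed input. */
int parse_record(const uint8_t *data, size_t size, char out[NAME_MAX_LEN + 1]) {
    if (size < 1) return -1;
    size_t n = data[0];
#ifndef VULNERABLE
    /* Reject lengths that overrun the destination or the input buffer. */
    if (n > NAME_MAX_LEN || n > size - 1) return -1;
#endif
    memcpy(out, data + 1, n);   /* with VULNERABLE: n is attacker-controlled */
    out[n] = '\0';
    return 0;
}

/* Entry point libFuzzer calls once per generated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char name[NAME_MAX_LEN + 1];
    if (parse_record(data, size, name) == 0) {
        /* Property check: accepted records must respect the length limit. */
        if (strlen(name) > NAME_MAX_LEN) abort();
    }
    return 0;
}

#ifndef LIBFUZZER_BUILD
/* Without libFuzzer (which supplies its own main), replay constructed inputs. */
int main(void) {
    const uint8_t ok[] = {3, 'a', 'b', 'c'};
    const uint8_t bad[] = {200, 'a'};   /* claims 200 bytes, carries 1 */
    char name[NAME_MAX_LEN + 1];
    printf("ok  -> %d\n", parse_record(ok, sizeof ok, name));
    printf("bad -> %d\n", parse_record(bad, sizeof bad, name));
    return 0;
}
#endif
```

Coverage feedback steers the fuzzer toward inputs that pass the early size check, and the sanitizer turns the resulting out-of-bounds access into a reported finding even when the program would not otherwise crash.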
The CI Security Suite simplifies the setup and enables any company to benefit from these modern, sophisticated fuzzing technologies.
The Code Intelligence experts help you to identify your fuzzing candidates and generate fuzz targets for you.
After the easy setup, continuous tests run during the software development process, after every change. Our security tests become part of your software development process, including your CI/CD pipeline.
The vulnerabilities and crashes discovered during testing are reported to the user in simplified, usable descriptions. Due to the efficient procedure we use, the number of false positives is reduced to zero.
The CI Security Suite currently helps to avoid vulnerabilities in C/C++ projects. Further programming languages will be supported in the future.
Talk to our IT security experts to find out how our solution can help you provide safe and reliable software.