Talk: Effective and Usable Fuzzing of Java Applications
The complexity of modern software is constantly growing and, as a result, the overhead of effective testing is constantly increasing. Testing is key to guaranteeing the stability and security of software. Also, test automation is essential to the effectiveness, efficiency and coverage of testing efforts.
In the last few years, modern fuzzing has gained a lot of attention in both industry and academia. Fuzzing is a test automation method that continuously executes the application under test with unexpected inputs, with the goal of triggering malicious behavior or a crash. It monitors the application at runtime and uses advanced techniques to automatically generate inputs that explore deep program states and trigger bugs. Currently, it’s by far the most effective testing method to uncover bugs automatically. For example, Google has found 30,000+ bugs in Chrome and 200+ open source projects using fuzzing, making it the main testing method used by big players such as Google and Microsoft.
However, outside the tech leaders, fuzzing has not yet seen wide adoption in industry. The reason is that it requires a high level of expertise and still needs a lot of manual effort to set up and integrate. In this talk, we give an overview of fuzzing and show how to overcome these challenges using our fuzzing platform CI Fuzz in a live demonstration.
More specifically, we’ll cover the following topics:
- Overview of fuzzing
- Instrumenting JVM code for fuzzing
- Automatic fuzzing for web applications
- Integration in the development process
- Web application fuzzing and integration into the CI/CD