The UK National Cyber Security Centre (NCSC) has recently published guidance for Vendor Security Assessment, which includes fuzzing as a key part of the ‘Security Testing’ topic. As the NCSC description says, this is all about “gathering objective, repeatable evidence on the security of the vendor’s processes and network equipment”. This adds to the existing use of fuzzing in the UK for critical infrastructure cybersecurity schemes such as CPA and CAPSS.
As with the US National Institute of Standards and Technology (NIST) document Guidelines on Minimum Standard for Developer Verification of Software it’s useful to see fuzz testing being identified as a vital technique in its own right rather than being listed as an example after more vague terms like ‘input validation’.
CyTAL’s view is this is exactly what’s needed. Our experience of seeing the benefits of fuzzing day in and day out continues to demonstrate that fuzz testing is one of the biggest bangs you can get for your buck. You can read more about our innovations in this area here.