Tony Boswell today gave a presentation on the power of fuzzing at the International Common Criteria Conference (ICCC 2021). He talked about how to improve fuzzing requirements and how to leverage fuzzing evidence during assurance activities.
Such proven techniques add clarity and objectivity in an area that is notoriously difficult to specify. The principal aim is to better understand what fuzzing has really demonstrated about a target product – i.e. what has and has not been covered – and hence when a developer has done enough (or not) to meet a cybersecurity requirement.
All of this relies on us going deeper than the phrases we typically encounter, such as “input validation”, “communications robustness”, or even “fuzz testing”. Even more importantly, it offers practical ways to achieve continuous improvement by making the outputs from structured fuzzing more visible and useful.
Tony’s presentation built on CyTAL’s experience with using ProtoCrawler in cybersecurity evaluations over recent years (including the period before it was available to customers as a product). The presentation also addressed the various ways that developers can generate assurance evidence to be used as part of a successful product evaluation.