Presentation is loading. Please wait.

Presentation is loading. Please wait.

MSDN Webcast - SDL Process. Agenda  Fuzzing & The SDL  Integration of fuzzing  Importance of fuzzing Michael Eddington Déjà vu Security

Published byAron Todd Modified over 9 years ago

Similar presentations

Presentation on theme: "MSDN Webcast - SDL Process. Agenda  Fuzzing & The SDL  Integration of fuzzing  Importance of fuzzing Michael Eddington Déjà vu Security"— Presentation transcript:

1 MSDN Webcast - SDL Process

2 Agenda  Fuzzing & The SDL  Integration of fuzzing  Importance of fuzzing Michael Eddington Déjà vu Security mike@dejavusecurity.com

3 How Fuzzers Work (Dumb) 3

4 How Fuzzers Work (Smart) 4

5 All about the bugs!  …Or really Bug Cost…  Fuzzing is about finding bugs  Fuzzing is repeatable  Integrate into automated testing  Fuzzing *should* be easy on the wallet  Cost per Bug

6 What are we finding?  Bugs that cause crashes, access violations  Memory corruption  Overflows  Type issues  DOS issues  Memory consumption  Process Hangs

7 Who uses fuzzing?  Security researchers  Majority of publicly released bugs  Top software firms in there SDL  Microsoft  Adobe  Etc.

8 What is SDL?  Microsoft’s Secure Development Lifecycle  Integration of security into development life cycle  Microsoft uses SDL on all shipping products 8

9 SDL Phases  Requirements  Security Kickoff  Training  Design  Best practices  Threat modeling  Architecture review  Implementation  Use security dev tools  Best practices  Security tools built  Verification  Security response plan  Security push  Pen testing  Source review  Fuzzing  Release  Support & Servicing  Response execution  Security servicing 9

10 Fuzzing & SDL  Microsoft requires fuzzing on:  Non-executable file formats  Protocol stacks, RPC, DCOM, etc  Basically, any parser that operates on data that originates from a lesser privileged principal (trust boundary)  Fuzzing integrating into the Verification phase and the security push 10

11 Fuzzing & SDL  Deterministic fuzzing  Full run required  Non-deterministic “random” fuzzing  250,000 to 500,000 iterations with no new faults  No recommendation on minimum code coverage

12 Fuzzing & SDL  Complements other verification elements  Does not replace Penetration Testing  Does not replace Source Code Review  Long term repeatable process  Initial investment should be re-usable

13 Numerous Fuzzing Options Open SourceCommercial  Peach  Sully  Fuzzware  MiniFuzz  Etc.  beSTORM  Codenomicon  Mu Security

14 Open Source vs. Commercial Open SourceCommercial  Custom formats  Custom protocols  Zero upfront cost  Hidden costs  Developing models  Support/Training  Existing well known file format or network protocol  Graphics formats  Video formats  Common protocols  Upfront costs  $15K to $100K

15 Thanks! Michael Eddington Leviathan Security Group, inc. mike@dejavusecurity.com http://phed.org http://peachfuzzer.com http://dejavusecurity.com

Download ppt "MSDN Webcast - SDL Process. Agenda  Fuzzing & The SDL  Integration of fuzzing  Importance of fuzzing Michael Eddington Déjà vu Security"

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Fuzzing for logic and state issues

Fuzzing for logic and state issues
TestIstanbul Conferences 2012 Parallel Execution of Fuzzing Test Suites Study of maximum throughput, resource consumption and bottlenecks for fast-speed.

TestIstanbul Conferences 2012 Parallel Execution of Fuzzing Test Suites Study of maximum throughput, resource consumption and bottlenecks for fast-speed.
SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного.

SDL in an Agile World MSSD-3 третья по счету конференция, посвященная всестороннему обсуждению популярной и важной темы – минимизация уязвимостей программного.
Windows NT server and workstation Name: Li Shen Course: COCS541 Instructor: Mort Anvari.

Windows NT server and workstation Name: Li Shen Course: COCS541 Instructor: Mort Anvari.
By Skyler Onken.  Who am I?  What is Fuzzing?  Usual Targets  Techniques  Results  Limitations  Why Fuzz?  “Fuzzing the Web”?  Desired Solution.

By Skyler Onken.  Who am I?  What is Fuzzing?  Usual Targets  Techniques  Results  Limitations  Why Fuzz?  “Fuzzing the Web”?  Desired Solution.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.

Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.
Security Development Lifecycle Randy Guthrie Microsoft Developer Evangelist

Security Development Lifecycle Randy Guthrie Microsoft Developer Evangelist
2002-2003 2004 2005-2007 Now Bill Gates writes “Trustworthy Computing” memo early 2002 “Windows security push” for Windows Server 2003 Security push.

Now Bill Gates writes “Trustworthy Computing” memo early 2002 “Windows security push” for Windows Server 2003 Security push.
12 November 2009 Bryan Sullivan Senior Security Program Manager, Microsoft SDL.

12 November 2009 Bryan Sullivan Senior Security Program Manager, Microsoft SDL.
The Intelligent Fuzzing in TTCN-3 Xu Luo, Wu Ji, Liu Chao Software Engineering Institute Beihang University

The Intelligent Fuzzing in TTCN-3 Xu Luo, Wu Ji, Liu Chao Software Engineering Institute Beihang University
Copyright © Microsoft Corp 2006 Introduction to Security Testing Shawn Hernan Security Program Manager Security Engineering and Communication.

Copyright © Microsoft Corp 2006 Introduction to Security Testing Shawn Hernan Security Program Manager Security Engineering and Communication.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
® Rational Power-Up Program © 2008 IBM Corporation IBM Rational’s Solutions to Ensure Quality Susann Ulrich –

® Rational Power-Up Program © 2008 IBM Corporation IBM Rational’s Solutions to Ensure Quality Susann Ulrich –
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
16/13/2015 3:30 AM6/13/2015 3:30 AM6/13/2015 3:30 AMIntroduction to Software Development What is a computer? A computer system contains: Central Processing.

16/13/2015 3:30 AM6/13/2015 3:30 AM6/13/2015 3:30 AMIntroduction to Software Development What is a computer? A computer system contains: Central Processing.
Software Security Testing by Gary McGraw, Bruce Potter presented by Edward Bonver 11/07/2005.

Software Security Testing by Gary McGraw, Bruce Potter presented by Edward Bonver 11/07/2005.
Winter 2005-2006 Consolidated Server Deployment Guide for Hosted Messaging and Collaboration version 3.5 Philippe Maurent Principal Consultant Microsoft.

Winter Consolidated Server Deployment Guide for Hosted Messaging and Collaboration version 3.5 Philippe Maurent Principal Consultant Microsoft.

Similar presentations

Ads by Google