"The Codenomicon tools are amazing. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code
We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would never have found those bugs without the Codenomicon tools.
If you're serious about implementing protocols correctly, you need the Codenomicon tools."
-- Jeremy Allison,
Co Creator of Samba
Codenomicon Whitepaper
Building Secure Software using Fuzzing and Static Code Analysis
Anna-Maija Juuso and Ari Takanen
info@codenomicon.com
Codenomicon Ltd.
Abstract
The increased complexity of new technologies and faster software release cycles are making traditional reactive security solutions ineffective. Instead, more adaptable, preemptive product security testing is needed. Moreover, for example, due to agile development and outsourcing, the software development process itself is also becoming more complicated further increasing the need for more effective product security practices. The Building Security In Maturity Model (BSIMM) and Microsoft's Security Development Lifecycle (SDL) concept combine preemptive security testing with the SDLC models. Fuzzing and static code analysis are both a natural part of these secure development best practices, because they promote building security into systems proactively, instead protecting vulnerable systems and reacting to security issues. In this whitepaper, we describe how fuzzing and static code analysis can be used as complementary methods to ensure the security and robustness of your software.
