"The Codenomicon tools are amazing. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code.

We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would never have found those bugs without the Codenomicon tools.

If you're serious about implementing protocols correctly, you need the Codenomicon tools."

-- Jeremy Allison,
   Co-Creator of Samba

Fuzzing in Microsoft SDL Pro Network

Codenomicon - A Member of the Microsoft Security Development Lifecycle (SDL) Pro Network

Introduction
Overview of Fuzzing in SDL
Codenomicon Products and Services for SDL


Introduction

About SDL and SDL Pro Network

The Security Development Lifecycle (SDL) is the industry-leading software security assurance process created by Microsoft. The SDL Pro Network is a group of security consultants, training companies, and tool providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the SDL.

Overview on Fuzzing in the SDL

A common misconception about security is that it can be achieved by adding security features to finished products. To be effective, however, security needs to be built into the product from the start. Furthermore, the robustness of the product should be tested with extensive security assessment techniques such as fuzzing. Codenomicon's preemptive security and robustness testing solutions answer these challenges.

Figure: SDL Lifecycle

Codenomicon joins the Microsoft SDL Pro Network to assist development organizations in adopting automated and user-controlled security testing (fuzzing) practices in their SDL, and to embed both security and robustness into their software and development culture. Codenomicon's unique fuzzing technique, which combines intelligent, stateful and targeted tests, was first deployed in 2001 and has been developed continuously ever since. Intelligent, stateful and targeted tests reduce test execution times without compromising coverage, so the tests can be incorporated into development processes to achieve efficient testing results. In addition, the same test environment can be used across an organization and throughout the product lifecycle. For an overview of how fuzzing integrates into the SDL, see our whitepaper on the topic: Overview of Fuzzing in SDL.

Codenomicon specializes in fuzzing, and provides tools, training and consulting in this area of software security. Codenomicon is a spin-off of the widely acclaimed PROTOS project of the Oulu University Secure Programming Group, and the company continues to value academic research. All in all, Codenomicon has more than ten years of experience with the fuzzing methodology and various fuzzing technologies, which amounts to substantial expertise in the area. Codenomicon has helped its 100+ customers integrate different forms of fuzzing into their varying software development processes. In addition, Codenomicon assists customers in developing their product security practices, starting with risk-based testing approaches like fuzzing and then transferring this know-how to other approaches, such as static analysis. Codenomicon will also assist you in implementing the SDL in your own product development environment and help you develop more secure applications and reduce the risk of malicious and costly attacks. For details on Codenomicon Products and Services for SDL, please see our brochure on the topic: Codenomicon Products and Services for SDL.

More information

For more information on the Microsoft SDL, please visit:

For general information regarding various types of fuzzers, see Buzz on Fuzzing white paper at:

For information on all Codenomicon Services:

For information on Codenomicon robustness testing (fuzzing) products:

Whatever the protocol interface or API you need tested, always ask Codenomicon first. Around 30% of the protocols in Codenomicon's 200 protocol product range are tailored test suites created for customers' proprietary interfaces, which are not listed in any product listings.

Contact details: