Introduction
Overview of Fuzzing in SDL
Codenomicon Products and Services for SDL
Four Quick Steps To Integrating Fuzzing Into Your SDL
- Codenomicon SDL Services: A full security audit of a product with a wide range of fuzzing tools and other security testing tools
- Codenomicon SDL Services: Analysis of critical software APIs and network interfaces
- Codenomicon SDL Training: Security Testing and Fuzzing
- Codenomicon Fuzzing Tools: IPv4, HTTP, XML and Traffic Capture Fuzzers
More detailed coverage of Codenomicon solutions for SDL is given below.
Fuzzing Products
Codenomicon is a security testing vendor with a wide range of fuzzing products. Fuzzing enables software testers, developers and auditors to easily find defects that can be triggered by malformed inputs via external interfaces. This means that fuzzing is able to cover the most exposed and critical attack surfaces in a system relatively well, and to identify many common errors and potential vulnerabilities quickly and cost-effectively.
For general information regarding various types of fuzzers:
For more information on Codenomicon robustness testing (fuzzing) products:
Product categories for off-the-shelf fuzzing tools:
General purpose fuzzers:
Model-based protocol fuzzers:
Tailor-made fuzzing tools:
Whatever protocol interface or API you need tested, first ask Codenomicon. Around 30% of Codenomicon's 200-protocol-wide product offering consists of tailored test suites for customers' proprietary interfaces that are not listed in the product listings.
Fuzzing Services
Examples of Codenomicon's SDL service offerings include:
Training
Codenomicon has provided training on product security, secure programming practices and security testing since 2001. We always tailor our training to customer needs. Examples of training courses we have provided:
- Introduction to Product Security
- Introduction to Secure Programming
- Security Testing and Fuzzing
Requirements
- Services on how to proactively integrate fuzzing into the requirements, for example in the form of test plans and test specifications
- Certification and compliance services, when fuzzing is a third party requirement
Design
- Full analysis service of design documents for threat modeling and attack surface analysis, with later checks to verify that they map to the real implementation.
Implementation
- Consulting services on integration of fuzzing into unit testing and developer frameworks
- Tailored API and inter-module fuzzing tools and testing services
Verification
- Analysis service of critical software APIs and network interfaces
- Fuzzing Tools and Services
- Custom suite development for customers' internal protocols, APIs and formats
- Test environment adaptation and integration services
- Reporting and bug tracker integration services
- Test laboratory management with collaboration services
Release
- Response management collaboration environment services, set-up services, process definitions
- A full security audit of a product with a wide range of fuzzing tools and other security testing tools










