One Article Review

The article:
Source GoogleSec
Identifier 4593799
Publication date 2021-11-11 13:13:06 (viewed: 2022-05-13 21:47:30)
Title ClusterFuzzLite: Continuous fuzzing for all
Text Posted by Jonathan Metzman, Google Open Source Security Team
In recent years, continuous fuzzing has become an essential part of the software development lifecycle. By feeding unexpected or random data into a program, fuzzing catches bugs that would otherwise slip through the most thorough manual checks and provides coverage that would take staggering human effort to replicate. NIST's guidelines for software verification, recently released in response to the White House Executive Order on Improving the Nation's Cybersecurity, specify fuzzing among the minimum standard requirements for code verification.
Today, we are excited to announce ClusterFuzzLite, a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed, enhancing the overall security of the software supply chain.
Since its release in 2016, over 500 critical open source projects have integrated into Google's OSS-Fuzz program, resulting in over 6,500 vulnerabilities and 21,000 functional bugs being fixed. ClusterFuzzLite goes hand-in-hand with OSS-Fuzz, by catching regression bugs much earlier in the development process.
Large projects including systemd and curl are already using ClusterFuzzLite during code review, with positive results. According to Daniel Stenberg, author of curl, “When the human reviewers nod and have approved the code and your static code analyzers and linters can't detect any more issues, fuzzing is what takes you to the next level of code maturity and robustness. OSS-Fuzz and ClusterFuzzLite help us maintain curl as a quality project, around the clock, every day and every commit.”
With the release of ClusterFuzzLite, any project can integrate this essential testing standard and benefit from fuzzing.
ClusterFuzzLite offers many of the same features as ClusterFuzz, such as continuous fuzzing, sanitizer support, corpus management, and coverage report generation. Most importantly, it's easy to set up and works with closed source projects, making ClusterFuzzLite a convenient option for any developer who wants to fuzz their software.
Sent Yes
Tags
Stories Uber


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.