Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Development
    • Development

    Google Rolls Out Continuous Fuzzing Service for Open Source Software

    By
    Jaikumar Vijayan
    -
    December 3, 2016
    Share
    Facebook
    Twitter
    Linkedin
      Open Source Testing

      Google has launched a new project for continuously testing open source software for security vulnerabilities.

      The company’s new OSS-Fuzz service is available in beta starting this week, but at least initially it will only be available for open source projects that have a very large user base or are critical to global IT infrastructure.

      Google developed the program over the past few years along with members of the Core Infrastructure Initiative, a Linux Foundation-organized effort focused on strengthening security within the open source community. Members include Amazon, Cisco, Google, HP, IBM and Fujitsu.

      The objective in launching OSS-Fuzz is to provide a continuous security fuzzing service for vital open source software, multiple Google engineers explained in the company’s Testing Blog this week. Eventually, the goal is to try and make security fuzzing a standard part of the open source development environment to ensure bugs are quickly identified and remediated.

      Fuzzing is a frequently used technique for uncovering coding errors and implementation bugs in a software product by barraging it with a large stream of random and malformed data to see if it will crash. Developers and testers often use fuzzing tools to uncover hard-to-find errors including buffer overflow errors, SQL injection and other issues quickly.

      “Open source software is the backbone of the many apps, sites, services and networked things that make up ‘the internet’,” the Google engineers said. “It is important that the open source foundation be stable, secure, and reliable, as cracks and weaknesses impact all who build on it.”

      Google’s OSS-Fuzz project will use multiple fuzzing engines and so-called Sanitizers or testing tools for C++ to run continuous security tests on open source projects. Initially, OSS-Fuzz will use the libFuzzer engine and a fast memory error detection tool called AddressSanitizer and run its fuzzing service using a massively distributed environment.

      Initial tests with the service have yielded positive results, according to Google. In early tests, OSS-Fuzz has already uncovered some 150 bugs in multiple open source projects many of which are widely used.

      Beyond saying that only large open source projects and those of critical infrastructure importance will be considered for OSS-Fuzz, Google has not offered any examples of the specific projects it will consider for inclusion initially.

      Projects that are signed up for the project will be automatically subject to Google’s 90-day disclosure deadline for any security flaws that are discovered in their software.

      The security and reliability of open source software has become an increasingly important issue for enterprises. In a survey of open source use among enterprises conducted by Black Duck software earlier this year more than 65 percent of the respondents reported that they relied on open source components to speed up development times while about 55 percent said they used open source software in production environments.

      At the same time, more than 50 percent of the companies in the survey said they had no formal policy for approving or selecting open source code while nearly the same number said they had no processes in place for tracking or controlling the use of open source software in their environment.

      Security analysts believe that the untrammeled use of open source software has significantly heightened security risks for organizations.

      Avatar
      Jaikumar Vijayan
      Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×