If you're interested in more of the technical details of how a CRS (automatic bug finding system) works, I recommend watching this presentation from my colleague Artem Dinaburg.
"Making A Scalable Automated Hacking System"
* https://www.youtube.com/watch?v=pOuO5m1ljRI
* https://github.com/trailofbits/presentations/blob/master/Cyb...
You should also keep your eye on https://github.com/trailofbits -- we are releasing the final component of our CRS as open-source in a very short time. Manticore, our symbolic execution framework, will be up there soon! I'm happy to give you early access if you get in touch with me on Twitter.
I'm biased, but I would start with a fuzzer. Fuzzers have two key differences for your scenario that makes me lean towards them:
They provide the will to act. You mentioned the codebase is old and rotting, so a normal bug may not rise to enough attention to fix. Finding security bugs may give greater justification to undertake an effort to start maintaining it properly.
1 fuzzer exercises more than 1 test. I think you'll get more bang for your buck by integrating a fuzzer, whether it is libFuzzer, AFL, Radamsa, or anything else. Fuzzers are not targeted to a single unit and will, ideally, find bugs all over the place from a single, simple starting point.
That said, there are good arguments for diving into the codebase and writing tests too. In fact, writing tests may make your fuzzer more effective.
You only asked fuzzer vs tests, but I'd offer that you should update your build settings before fuzzing. New compilers have a lot more diagnostics than they used to. But then I'd set up libFuzzer or AFL.
> Is fuzzing something for me to improve code quality,
Is it C/C++ and does it include parsers? Then definitely yes. If not it depends.
> or are tests the lower hanging fruit?
Again: Is it C/C++? Then familiarize yourself with the sanitizer features of gcc and clang, primarily address sanitizer. Lots of "rotting" code shows memory safety errors just by running them with asan.
When experimenting with libFuzzer to test an audio processing library, I was impressed by the results and also the ease of setup. In-process fuzzing is really the best option for that use-case, which is why I chose libFuzzer over AFL.
An open-source alternative of Microsoft's SAGE/Springfield would be cool. I'm sure there are things to come with the efforts in CRS you mentioned.
Looking forward to where this goes and hope that your 2- and 5-year outlooks hold true.
We're working on one (!) and I hope we can offer it for free to non-commercial projects. For now, there is Microsoft Springfield [1] for Windows software and Google OSS-Fuzz [2] for open-source software. It is extraordinarily hard to not only get the tech for something like that working but bring it to market.
As noted in the video, nearly all the individual pieces of our CRS are open-source but you actually do not want a "CRS." The competition DARPA designed for them involved more than what is necessary to provide value to a development team, e.g., you don't want something that writes IDS signatures, considers "gameplay" or resource contention, or attempts to write automatic patches. You want something that accurately finds and reproduces bugs. We open-sourced the tools we wrote to do that or used tools that were already open-source, like Grr, Manticore, Radamsa, KLEE, and Z3.
[1] https://www.microsoft.com/en-us/springfield/
[2] https://github.com/google/oss-fuzz
That's good to hear. Hope you can find a way to monetize it for commercial projects.
Getting the tech right certainly seems to be a hard problem with Google's Konstantin Serebryany calling the symbolic execution route a rocket science. In my view the problem is coming up with a solid solution instead of just heuristics (as with all multi-approach methods: when to switch modes?) and making sure the tech is usable to test arbitrary complex pieces of software.
I realize answering my questions with the given broadly-defined tools may be the required manual expertise they refer to in the presentation. But I'm just looking for a foothold somewhere at the least.
https://portswigger.net/bappstore/showbappdetails.aspx?uuid=...
Burp Suite is planning on adding native support for continuous integration... integration in the second half of 2017.
If you're reading between the lines: there are _very few_ security testing tools that are built well. So you're asking the wrong question. You don't need a huge list. There are only a small handful of fuzzers or analysis tools I would recommend at all, and Burp is it for web testing.
Most projects out there are hobby projects from people trying to learn something new and ignoring what has already been done. They don't serve a very useful purpose other than as a learning or teaching tool.
We used tried and true basics for our CRS: Radamsa, KLEE, our own open-source binary lifter, and a Python symbolic execution framework built around Z3. Nothing new, or hip, or magic.
https://github.com/trailofbits/protofuzz
