AI-powered application security testing: Get the buzz on the fuzz

It can help developers create quality software and uncover bugs that other tools cannot.  Over 1,000 companies have signed up to preview it.  It’s called Project Springfield and is creating quite a buzz on fuzz testing.  Read on to get the scoop.

What it is

First of all, fuzz testing, or fuzzing, is essentially a software testing technique where bad, unexpected, or random data is deliberately injected into an application to see what breaks.  Think of it as fuzzing up a program with various inputs to find errors in the software. Project Springfield is Microsoft’s fuzz testing service, built on the internal SAGE tool which was used to test Microsoft’s Windows 7 operating system.  The tool was so successful that Microsoft began to build on SAGE by adding several AI (artificial intelligence) features and hosting it in the Azure cloud. The resulting Springfield service is being marketed as a public Azure-based service designed to help catch ‘million-dollar’ bugs before launching, an all-too-common problem that can cost an organization upwards of a million dollars to release security patches that will repair their software.

How it works

1.  Basically you log into a secure web portal to install binaries (no source code or private symbols needed) on a virtual machine of the software to be tested, a ‘test driver’ program that runs the scenario to be tested, and a set of sample input files to use as a starting point for fuzzing.
2.  The service then uses multiple methods to continuously fuzz test.
3.  The service reports bugs via the web portal and grants access to test cases to reproduce the problem.
4.  You prioritize/fix bugs and then re-test to validate the fix.

Availability

Beginning last year, Springfield was available to select customers and partners as part of a special preview period.  Now, Microsoft is providing a link where any interested customers and partners can sign up and, if approved, gain free access to a preview of the new service.

It says a lot about a product when the organization that makes it also uses it.  In a recent blog post by Allison Linn, she mentions that Microsoft has been using the service on a smaller scale for years. Technologies within Project Springfield helped unearth a number of additional vulnerabilities on the already-tested but pre-launched Windows 7 operating system, which was arguably Microsoft’s most successful operating system to date.  In addition, according to Gavin Thomas, a principal security software engineering manager with the Microsoft Security Response Center, “It’s very simple to use – it’s ‘fire and forget.  You set it up and you walk away.”

Time will tell if the service is really that simple and delivers on its promises. If it does, I’d say it will be a big win for Microsoft AND the organizations using it.

Read more at https://www.microsoft.com/en-us/springfield/.