GitLab recently acquired two of the leading companies in the fuzz testing space - Peach Tech and
Fuzzit! These two companies bring amazing technology into GitLab. Read on the learn more about the technology and how you can easily integrate fuzz testing into your workflow.
What is fuzz testing?
Fuzz testing is a powerful way to test your apps to find security issues and
flaws in business logic that traditional QA methods miss. Fuzz testing works by passing
randomly generated inputs to your app, and assesses the results.
When the app being tested crashes or behaves in an unexpected way, this is
called a "fault." When a fault is discovered, that means there is a way for a user to provide a
similar, but potentially malicious, input to your app in a production environment to crash or
exploit it. Discovering faults lets you track down bugs in your code that
you wouldn't find otherwise and lets you fix them before an attacker can exploit these weaknesses.
There are a few different methods for fuzz testing. The two primary
methods are what we call "coverage-guided" fuzz testing and "behavioral"
fuzz testing. Fuzzit and Peach Tech bring these to Gitlab, respectively. Both methods approach fuzz testing differently.
Coverage-guided fuzz testing leverages the source code and instrumented versions
of the app to be able to observe the app as it is running and dynamically make
new tests during a fuzz testing session to exercise new parts of the app to find bugs. Behavioral fuzzing
takes a specification of how the app is supposed
to work and tries random inputs to test how it actually works - which usually
will find bugs and security issues. Coverage-guided fuzzing and behavioral fuzzing have unique
advantages and disadvantages, which is why GitLab aims to offer our users both options
so you can choose the right one (or both!) for your use case.
What makes GitLab’s fuzz testing special?
Traditionally, fuzz testing has been difficult to set up and hard get results from.
Some of the challenges with fuzz testing include assembling complex testing harnesses to run the fuzz tests and sorting through large amounts of results, including false positives. These challenges can make it time consuming and challenging to get meaningful results from fuzz testing.
Bringing Peach Tech and Fuzzit fuzz testing techniques into the existing GitLab
workflow means users can take advantage of the powerful benefits of fuzz
testing without any of the traditional difficulties associated with fuzz testing.
By bringing these two technologies into GitLab, we will make it easy for users to integrate fuzz testing into their workflows and present results in a meaningful and actionable way.
Preview of fuzz testing results in an MR.
GitLab will make fuzz testing part of our existing workflow
so users do not need to use an external tool or interface. Instead, users simply include
a CI job template to use the fuzz testing engines from Fuzzit and Peach Tech. Results will appear inline for developers, alongside the
other build and test outputs they use today.
What about open source?
Open source is near and dear to our hearts at GitLab. We recently moved several
features to
our open source offering. We’ll continue supporting open source
with fuzz testing as well. We have published several of our fuzz testing
engines as open source, so they are accessible to any user and everyone can contribute. This will
include several of the language-specific coverage-guided fuzz testing engines
as well as Peach Tech Community Edition. In the future, we will consider what
new fuzz testing pieces we can open source to the community as we build new
capabilities for different use cases. One area we are considering is what we
can do as we eventually move into protocol fuzz testing. Watch this space!
When can I get it?
GitLab will release the minimal version of fuzz testing later this year
as part of GitLab Ultimate. This release will enable behavioral-guided fuzz testing of
web APIs that follow the OpenAPI specification standard. We will also be
enabling coverage-guided fuzz testing on apps written in a variety of languages,
starting with Go.
What’s next?
GitLab is excited to add fuzz testing to the already large suite of
application security scanners in GitLab’s Secure stage
and make it part of
the GitLab workflow that developers use already. This makes it easy to shift security
left and take advantage of the benefits of fuzz testing.
As we mature our fuzz testing offering, we will make
integrating fuzz testing results into new parts of the workflow a priority. So GitLab developers
can directly view fuzz testing results and fix any issues they find. We will also focus on enabling advanced
configuration options for users who want to customize their fuzz tests.
Finally, we will be expanding fuzz testing to address
additional use cases, beyond just web apps and APIs. You can read more about
our plans for maturing fuzz testing on our direction page.
Cover image by Ian Baldwin on Unsplash