GitLab recently acquired two of the leading companies in the fuzz testing space - Peach Tech and Fuzzit! These two companies bring amazing technology into GitLab. Read on to learn more about the technology and how you can easily integrate fuzz testing into your workflow.

What is fuzz testing?

Fuzz testing is a powerful way to test your apps to find security issues and flaws in business logic that traditional QA methods miss. Fuzz testing works by passing randomly generated inputs to your app and assessing the results.

When the app being tested crashes or behaves in an unexpected way, this is called a “fault.” When a fault is discovered, that means there is a way for a user to provide a similar, but potentially malicious, input to your app in a production environment to crash or exploit it. Discovering faults lets you track down bugs in your code that you wouldn’t find otherwise and lets you fix them before an attacker can exploit these weaknesses.

There are a few different methods for fuzz testing. The two primary methods are what we call “coverage-guided” fuzz testing and “behavioral” fuzz testing. Fuzzit and Peach Tech bring these to GitLab, respectively. The two methods approach fuzz testing differently. Coverage-guided fuzz testing uses the source code and instrumented versions of the app to observe the app as it runs and to dynamically create new tests during a fuzz testing session that exercise new parts of the app to find bugs. Behavioral fuzzing takes a specification of how the app is supposed to work and tries random inputs to test how it actually works - which usually will find bugs and security issues. Coverage-guided fuzzing and behavioral fuzzing have unique advantages and disadvantages, which is why GitLab aims to offer our users both options so you can choose the right one (or both!) for your use case.
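To make the coverage-guided loop concrete, here is a minimal sketch added for illustration; it is not code from GitLab, Fuzzit or Peach Tech. The target `parse_record`, its `FUZZ` magic bytes and the helper names are all hypothetical, and Python line tracing stands in for compiled-in instrumentation.

```python
import random
import sys

def parse_record(data: bytes) -> int:
    """Constructed target: the fault sits behind four nested byte checks."""
    if len(data) < 4 or data[0] != ord("F"):
        return 0
    if data[1] != ord("U"):
        return 1
    if data[2] != ord("Z"):
        return 2
    if data[3] != ord("Z"):
        return 3
    raise RuntimeError("fault: unhandled record type")

def run_with_coverage(target, data):
    """Run target(data) under a tracer; return (lines executed, fault or None)."""
    lines, fault, previous = set(), None, sys.gettrace()
    def tracer(frame, event, arg):
        if frame.f_code is target.__code__:  # only observe the target function
            lines.add(frame.f_lineno)        # record every line it touches
            return tracer
    sys.settrace(tracer)
    try:
        target(data)
    except Exception as exc:  # a crash or unexpected exception is a fault
        fault = exc
    finally:
        sys.settrace(previous)
    return lines, fault

def fuzz(target, seed_input, max_runs, guided, seed=1):  # -> (faulting input or None, runs used)
    rng, corpus = random.Random(seed), [seed_input]
    seen, _ = run_with_coverage(target, seed_input)
    for run in range(1, max_runs + 1):
        if guided:  # mutate one byte of an input that earlier reached new code
            buf = bytearray(rng.choice(corpus))
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        else:  # blind baseline: fresh random bytes on every run
            buf = bytearray(rng.randrange(256) for _ in seed_input)
        lines, fault = run_with_coverage(target, bytes(buf))
        if fault is not None:
            return bytes(buf), run
        if guided and not lines <= seen:  # new lines ran: keep input as a seed
            seen |= lines
            corpus.append(bytes(buf))
    return None, max_runs

if __name__ == "__main__":
    print([fuzz(parse_record, b"\x00" * 4, 100_000, g) for g in (True, False)])
```

The guided run reaches the fault one byte at a time because each input that executes a new line is kept and mutated further, while the blind baseline has to guess all four bytes in a single run.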

What makes GitLab’s fuzz testing special?

Traditionally, fuzz testing has been difficult to set up and hard to get results from. Some of the challenges with fuzz testing include assembling complex testing harnesses to run the fuzz tests and sorting through large amounts of results, including false positives. These challenges can make it time-consuming and challenging to get meaningful results from fuzz testing. Bringing Peach Tech and Fuzzit fuzz testing techniques into the existing GitLab workflow means users can take advantage of the powerful benefits of fuzz testing without any of the traditional difficulties associated with fuzz testing. By bringing these two technologies into GitLab, we will make it easy for users to integrate fuzz testing into their workflows and present results in a meaningful and actionable way.

Preview of fuzz testing results in an MR.

GitLab will make fuzz testing part of our existing workflow so users do not need to use an external tool or interface. Instead, users simply include a CI job template to use the fuzz testing engines from Fuzzit and Peach Tech. Results will appear inline for developers, alongside the other build and test outputs they use today.


How recent acquisitions introduce fuzz testing to GitLab