In the past year, the project has scanned 47 applications and has found over 1,000 vulnerabilities, with over a quarter of those being security vulnerabilities.
Developers running an open source project should definitely look to integrate into Google’s project. The code of the fuzz target, or the code being fuzzed for vulnerabilities, should be part of the project’s source code repository.
Developers also need to have seeds so that the fuzzing can be more efficient. Google recommends having a “minimal set of inputs that provides maximal code coverage.” Developers also need to be aware of what’s being fuzzed in their code, and the coverage of the fuzzers should be reviewed to validate that the application is being tested efficiently. Read the rest of my article at the link below:
*** This is a Security Bloggers Network syndicated blog from Frontline Sentinel authored by Matthew Pascucci. Read the original post at: http://feedproxy.google.com/~r/frontlinesentinel/qMCv/~3/WbQKGpWDNpU/how-can-oss-fuzz-and-other.html