I’ve been looking at fuzzing tools lately, and they really are the starting line for testing whether or not any system is secure. If your API, protocol, or other input surface can’t stand up to good old-fashioned fuzzing, you have some serious work to do. Basic input validation and error handling are the first public indicators of a secure system, so fuzzing tools are very handy for identifying systems where even these basic concerns haven’t been addressed.
Because fuzzing attacks are easy and can be automated, system developers are at risk from every potentially malicious individual who has access to their systems. A well-developed system will pay proper attention to validating inputs and handling the errors associated with obviously bad inputs. Fuzzing is essentially an automated series of technical attacks on a system, and the presence of unhandled errors indicates that certain situations have not been planned for. Poorly-developed systems won’t have these safeguards in place, and if they are lacking, it can be expected that other protections against more sophisticated logical attacks on the system have been forgotten as well.
The dynamic web application scanners on the market today are essentially fuzzing tools with some extra logic thrown in for classifying the errors they find. Sprajax acts in exactly the same manner for AJAX-enabled applications. These tools are great for getting an initial look at whether or not a web application has the validation and error handling that should be a cornerstone of any solid development effort.
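As an added illustration of the two points above (example code, not from the original post or from Sprajax), here is a small mutation fuzzer in Python run against two constructed parsers for a hypothetical `key=value;key=value` record format: one that validates and rejects bad input with a single controlled error, and one that assumes well-formed input. The harness classifies each outcome the way a scanner classifies the errors it finds, so the unvalidated parser shows up as the one with unplanned-for situations.

```python
import random
import re
import string

# Constructed target format: "key=value;key=value" with integer values.
# Both parsers are hypothetical; they model the two kinds of system the post contrasts.

class InputError(Exception):
    """Controlled rejection: the only error a validated parser is allowed to raise."""

def parse_naive(record: str) -> dict:
    """Unvalidated parser: assumes well-formed input, so malformed input raises whatever falls out."""
    fields = {}
    for pair in record.split(";"):
        key, value = pair.split("=")      # ValueError if the pair has no '=' or several
        fields[key.strip()] = int(value)  # ValueError if the value is not an integer
    return fields

def parse_validated(record: str) -> dict:
    """Validating parser: every malformed input is rejected with InputError, nothing else escapes."""
    if not record or len(record) > 256:
        raise InputError("empty or oversized record")
    fields = {}
    for pair in record.split(";"):
        if pair.count("=") != 1:
            raise InputError(f"malformed pair: {pair!r}")
        key, value = (part.strip() for part in pair.split("="))
        if not key.isidentifier() or not re.fullmatch(r"-?[0-9]+", value):
            raise InputError(f"bad key or value: {pair!r}")
        fields[key] = int(value)
    return fields

def mutate(seed: str, rng: random.Random) -> str:
    """Apply one to three random mutations (replace, insert, delete, truncate, repeat) to the seed."""
    s = list(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("replace", "insert", "delete", "truncate", "repeat"))
        if op == "replace" and s:
            s[rng.randrange(len(s))] = rng.choice(string.printable)
        elif op == "insert":
            s.insert(rng.randint(0, len(s)), rng.choice(string.printable))
        elif op == "delete" and s:
            del s[rng.randrange(len(s))]
        elif op == "truncate":
            s = s[: rng.randint(0, len(s))]
        elif op == "repeat":
            s = s * rng.randint(2, 20)
    return "".join(s)

def fuzz(parser, seed: str = "a=1;b=2", rounds: int = 500, rng_seed: int = 0) -> dict:
    """Feed mutated inputs to the parser and classify each outcome: accepted, rejected cleanly, or unhandled."""
    rng = random.Random(rng_seed)  # fixed seed keeps the run reproducible
    counts = {"ok": 0, "rejected": 0, "unhandled": 0}
    for _ in range(rounds):
        try:
            parser(mutate(seed, rng))
            counts["ok"] += 1
        except InputError:
            counts["rejected"] += 1
        except Exception:  # anything else is a situation the parser did not plan for
            counts["unhandled"] += 1
    return counts
```

Run `fuzz(parse_naive)` and `fuzz(parse_validated)` side by side: the validated parser should report zero unhandled outcomes, and any non-zero count for a real parser is the finding a scanner would flag.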
True system development security begins with risk assessment and threat modelling. But effective blind security testing begins with fuzzing.
dan _at_ denimgroup.com