A big thank you to our new sponsor, NexusTek!
Fuzz Jam June
Music: The Lazy Eyes - Fuzz Jam (2022)
https://open.spotify.com/track/3Pk8ZaUsbzUt4UaCuBh9Mc?si=f64a44fe4c9a472f
This week we take a look at the growing importance of fuzzing[1] in platform engineering.
Getting Informed
Feedback from last week (thank you!) was positive on the format change to "What is Jay reading 📖". This week, I'll once again expand reading 📖 and watching 📺. (no listening 🎧 this week)
📖 - These blog posts are great bite-sized entry points for why fuzzing matters.
- First, 📖 Dapr recently completed a fuzzing audit for the Cloud Native Computing Foundation (CNCF).
- Second, the team at Code Intelligence makes the case for 📖 CI/CD Integrated Fuzzing.
📺 - After the blog posts, these longer-form videos are outstanding for getting into the details of fuzzing as well as the different perspectives and implications of an ever more cloud-connected world forming the Internet of Stuff.
- First, The Open Web Application Security Project (OWASP) hosts Nancy Gariché, Nikki Becher, and Aimee Reyes, who welcome Allison Marie Naaktegeboren to share a 📺 discussion of fuzzing in depth and tasty memes!
- Second, Jochen Hilgers goes into 📺 the history of fuzzing, present-day modern fuzzing, and the future of fuzzing with live fuzzer use kata.
I want it all to stay the same 🎶
So, does fuzzing come with an existing scanning toolchain? Does it matter whether fuzzing is part of how code is being shipped?
Well, yes, yes it does. Are you getting the feeling we've talked about this before?
You're not wrong.
https://fudge.org/archive/fudge-sunday-needle-in-a-fullstack
But there's also the notion of fuzzing the toolchain *itself*.
Don't be afraid to say my name 🎶
Just consider the CNCF references to fuzzing and fuzz testing from 2018 to present:
- GSoC 2018: Extending Envoy's fuzzing coverage (2018)
- Securing Open Source: Fuzzing integration, vulnerability analysis and bug fixing of Fluent Bit (2020)
- Introducing fuzz testing for Linkerd (2021)
- Argo Security Automation with OSS-Fuzz (2022)
- Flux Security: More confidence through Fuzzing (2022)
- etcd integrates continuous fuzzing (2022)
- Improving Security by Fuzzing the CNCF landscape (2022)
- Kubernetes Cluster API integrates continuous fuzzing (2022)
- containerd completes fuzzing audit (2023)
- The Notary project completes fuzzing security audit (2023)
- Crossplane completes fuzzing security audit (2023)
- Helm completes fuzzing security audit (2023)
- CNCF fuzzing open source projects for security and reliability (2023)
- Dapr completes fuzzing audit (2023 - as seen above!)
With my last 20 of 500 words, I'll simply suggest that learning about Artificial Intelligence Fuzzing (AIF) is worthwhile.
So, what will be the next big thing for fuzzing in platform engineering?
Until then… Place your bets!
Disclosure
I am linking to my disclosure.