Fuzz Jam June

July 2, 2023 by Jay Cuthrell

Share and discuss on LinkedIn or HN

Music: The Lazy Eyes - Fuzz Jam (2022)

This week we take a look at the growing importance of fuzzing^[1] in platform engineering.

Getting Informed

Feedback from last week (thank you!) was positive on the format change to “What is Jay reading 📖”. This week, I’ll once again expand reading 📖 and watching 📺. (no listening 🎧 this week)

📖 - These blog posts are great bite sized entry points for why fuzzing matters.

• First, 📖 Dapr recently completed a fuzzing audit for the Cloud Native Computing Foundation (CNCF).
• Second, the team at Code Intelligence makes the case for 📖 CI/CD Integrated Fuzzing.

📺 - After the blog posts, these longer form videos are outstanding for getting into the details of fuzzing as well as the different perspectives and implications of an ever more cloud connected world forming the Internet of Stuff.

• First, The Open Web Application Security Project (OWASP) hosts Nancy Gariché, Nikki Becher, and Aimee Reyes welcomes Allison Marie Naaktegeboren, to share a 📺 discussion of fuzzing in depth and tasty memes! 🤓
• Second, Jochen Hilgers goes into 📺 the history of fuzzing, present day modern fuzzing, and the future of fuzzing with live fuzzer use kata.

I want it all to stay the same 🎶

So, does fuzzing come with an existing scanning toolchain? Does it matter that fuzzing be part of what code is being shipped?

Well, yes, yes it does. Are you getting the feeling we’ve talked about this before?

You’re not wrong.

https://fudge.org/archive/fudge-sunday-needle-in-a-fullstack

But, there’s is also the notion of fuzzing the toolchain *itself*.

Don’t be afraid to say my name 🎶

Just consider the CNCF references to fuzzing and fuzz testing from 2018 to present:

• GSoC 2018: Extending Envoy’s fuzzing coverage (2018)
• Securing Open Source: Fuzzing integration, vulnerability analysis and bug fixing of Fluent Bit (2020)
• Introducing fuzz testing for Linkerd (2021)
• Argo Security Automation with OSS-Fuzz (2022)
• Flux Security: More confidence through Fuzzing (2022)
• etcd integrates continuous fuzzing (2022)
• Improving Security by Fuzzing the CNCF landscape (2022)
• Kubernetes Cluster API integrates continuous fuzzing (2022)
• containerd completes fuzzing audit(2023)
• The Notary project completes fuzzing security audit(2023)
• Crossplane completes fuzzing security audit (2023)
• Helm completes fuzzing security audit (2023)
• CNCF fuzzing open source projects for security and reliability (2023)
• Dapr completes fuzzing audit(2023 – as seen above! 🤓)

With my last 20 of 500 words, I’ll simply suggest that learning about Artificial Intelligence Fuzzing (AIF) is worthwhile.

So, what will be the next big thing for fuzzing in platform platform engineering?

Until then… Place your bets!

Disclosure

I am linking to my disclosure.

---

1. The OWASP® Foundation definition of fuzzing
   🤓 ↩︎

Topics:

✍️ 🤓 Edit on Github 🐙 ✍️

Share and discuss on LinkedIn or HN

• Get Fudge Sunday each week

  Enter your email