CI Fuzz CLI: Open-source tool simplifies fuzz testing for C++
Fuzz testing helps developers protect their applications against memory corruptions, crashes that cause downtime, and other security issues, including DoS and uncaught exceptions.
Code Intelligence has open-sourced a new security tool, CI Fuzz CLI, which lets developers run coverage-guided fuzz tests directly from the command line to find and fix vulnerabilities at scale.
Fuzz testing is gaining popularity in the open-source community. Google’s Open-Source-Security (OSS) team recently reported more than 40,500 bugs in 650 open-source projects have been detected through fuzz testing.
However, fuzz testing remains new to most developers outside the OSS and security community. A recent study among Go developers indicates that less than 12% of all participants use fuzz testing at work, citing a lack of understanding as well as challenges with implementation as key reasons for low adoption.
Easy fuzz testing
Code Intelligence’s new open-source tool aims to tackle these challenges by making fuzz testing usable for all developers. CI Fuzz CLI allows developers to run a fuzz test with only 3 commands.
“We wanted to reduce the complexity of using fuzz testing,” said Werner Krahe, Product Director of Code Intelligence: “Fuzzing should become as easy as unit testing. That’s why we wanted to build a tool that all developers could use right away, without having to spend too much time with the documentation and without having to be a proven expert in software security testing.”
CI Fuzz CLI integration
CI Fuzz CLI can be integrated into common build systems, integrated development environments (IDEs), and continuous integration/continuous delivery (CI/CD) tools. The first release comes with language support for C/C++ and CMake. Support will soon be extended to JVM-based programming languages, Golang and JavaScript.
“Usability was key in the development of the CI Fuzz CLI. It was important to us, that developers become able to run fuzz tests in their own development environment. That’s why we’ve made it possible to integrate the CI Fuzz CLI into common IDEs, such as Visual Studio Code and CLion. We also emphasized self-explanatory outputs and error messages. The tool provides you with full track traces for your findings and all the necessary information, to reproduce and fix the issues,” Krahe told Help Net Security.