A review of Fuzz Testing results from various industries in 2016 showed the overall average time to first failure (TTFF) was 1.4 hours, meaning testers are taking less time to find vulnerabilities than in 2015 when it took an average of 1.7 hours to find fewer faults, Synopsys security researchers found.
The study also found a common protocol used in IoT devices, which are notorious for being plagued with vulnerabilities, was significantly more vulnerable than more mature protocols used by the online shopping and banking industries.
The most mature protocols tested in 2016 was TLS Client (Core IP), commonly used for secure web browsing in banking and online shopping, which had an average time to first failure (TTFF) of 9 hours.
A protocol commonly used in IoT and industrial control systems faired much worse as the least mature protocol was IEC-61850 MMS (ICS) which had an average TTFF for IEC-61850 MMS of 6.6 seconds, according to the State of Fuzzing Report.
Researchers said it is important that vendors start testing for unknowns that as IoT expands if they haven’t already because many of the firmware-based personal IoT systems may be hard or impossible to update post-release. In addition, researchers said Fuzz testing is finding new footholds in the IoT market, where applications are hard to crawl with traditional prerelease testing tools like DAST and face the same tampering threats as mobile applications
“I was surprised to see a high number of failures in a few commonly used protocols such as IPv4, IPv6, and Http,” Synopsys Security Strategist Robert Vamosi told SC Media. “More fuzz testing is needed to see that these are being implemented correctly,”
Vamosi went on to say the goal of the report was to help organizations see which protocols other firms in their space are testing and what the average time to first failure for those protocols might be so they can plan their fuzz testing accordingly. He went on to say developers should conduct more Fuzz testing in general to help ensure they release safer products.
“Developers should do more fuzz testing during their software development lifecycle, before releasing their software, to reduce the attack surface by mitigating failures early,” Vamosi said. “Additionally, enterprises should layer their network defenses as fuzz testing is just one component of what should be a larger vulnerability-management process.”
Researchers said there are fundamental problems associated with all of the protocols that they tested which are mainly not enough testing and that fuzzing of both software and firmware implementations of a protocol is strongly encouraged to ensure overall quality and security.