GitLab recently acquired two of the leading companies in the fuzz testing space - Peach Tech and Fuzzit! These two companies bring amazing technology into GitLab. Read on the learn more about the technology and how you can easily integrate fuzz testing into your workflow.
What is fuzz testing?
Fuzz testing is a powerful way to test your apps to find security issues and flaws in business logic that traditional QA methods miss. Fuzz testing works by passing randomly generated inputs to your app, and assesses the results.
When the app being tested crashes or behaves in an unexpected way, this is called a "fault." When a fault is discovered, that means there is a way for a user to provide a similar, but potentially malicious, input to your app in a production environment to crash or exploit it. Discovering faults lets you track down bugs in your code that you wouldn't find otherwise and lets you fix them before an attacker can exploit these weaknesses.
There are a few different methods for fuzz testing. The two primary methods are what we call "coverage-guided" fuzz testing and "behavioral" fuzz testing. Fuzzit and Peach Tech bring these to Gitlab, respectively. Both methods approach fuzz testing differently. Coverage-guided fuzz testing leverages the source code and instrumented versions of the app to be able to observe the app as it is running and dynamically make new tests during a fuzz testing session to exercise new parts of the app to find bugs. Behavioral fuzzing takes a specification of how the app is supposed to work and tries random inputs to test how it actually works - which usually will find bugs and security issues. Coverage-guided fuzzing and behavioral fuzzing have unique advantages and disadvantages, which is why GitLab aims to offer our users both options so you can choose the right one (or both!) for your use case.
What makes GitLab’s fuzz testing special?
Traditionally, fuzz testing has been difficult to set up and hard get results from. Some of the challenges with fuzz testing include assembling complex testing harnesses to run the fuzz tests and sorting through large amounts of results, including false positives. These challenges can make it time consuming and challenging to get meaningful results from fuzz testing. Bringing Peach Tech and Fuzzit fuzz testing techniques into the existing GitLab workflow means users can take advantage of the powerful benefits of fuzz testing without any of the traditional difficulties associated with fuzz testing. By bringing these two technologies into GitLab, we will make it easy for users to integrate fuzz testing into their workflows and present results in a meaningful and actionable way.
Preview of fuzz testing results in an MR.
GitLab will make fuzz testing part of our existing workflow so users do not need to use an external tool or interface. Instead, users simply include a CI job template to use the fuzz testing engines from Fuzzit and Peach Tech. Results will appear inline for developers, alongside the other build and test outputs they use today.
What about open source?
Open source is near and dear to our hearts at GitLab. We recently moved several features to our open source offering. We’ll continue supporting open source with fuzz testing as well. We have published several of our fuzz testing engines as open source, so they are accessible to any user and everyone can contribute. This will include several of the language-specific coverage-guided fuzz testing engines as well as Peach Tech Community Edition. In the future, we will consider what new fuzz testing pieces we can open source to the community as we build new capabilities for different use cases. One area we are considering is what we can do as we eventually move into protocol fuzz testing. Watch this space!
When can I get it?
GitLab will release the minimal version of fuzz testing later this year as part of GitLab Ultimate. This release will enable behavioral-guided fuzz testing of web APIs that follow the OpenAPI specification standard. We will also be enabling coverage-guided fuzz testing on apps written in a variety of languages, starting with Go.
GitLab is excited to add fuzz testing to the already large suite of application security scanners in GitLab’s Secure stage and make it part of the GitLab workflow that developers use already. This makes it easy to shift security left and take advantage of the benefits of fuzz testing.
As we mature our fuzz testing offering, we will make integrating fuzz testing results into new parts of the workflow a priority. So GitLab developers can directly view fuzz testing results and fix any issues they find. We will also focus on enabling advanced configuration options for users who want to customize their fuzz tests. Finally, we will be expanding fuzz testing to address additional use cases, beyond just web apps and APIs. You can read more about our plans for maturing fuzz testing on our direction page.