Do you perform input fuzzing as part of a regular process for your component or product’s inputs?

ID

esf_s3c_dev/fuzzing

Severity

low

Category

Levels

Optional

false

Tags

SSDF-PW.8.2, security, supply-chain, testing

Description

Do you perform input fuzzing as part of a regular process for your component or product’s inputs?

A fuzzing test should be included as part of the release readiness criteria.

Rationale

Fuzzing should be performed on all software components during development to ensure that they exhibit expected behavior under varied and malformed inputs. Results should be documented, and any anomalies or vulnerabilities should be addressed.

Verification

This check tries to determine if the project uses fuzzing by checking:

  • if the repository name is included in the OSS-Fuzz project list;

  • if ClusterFuzzLite is deployed in the repository;

  • if the repository contains language-specific fuzzing functions defined by the project itself (currently only Go native fuzz targets are recognised).

As fuzzers are more relevant for certain languages, the set of languages the check considers could be made configurable.
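To make the three verification criteria concrete, the following Python script approximates them on a local checkout: membership in an OSS-Fuzz project list, a ClusterFuzzLite deployment (a `.clusterfuzzlite/Dockerfile` or a GitHub workflow using the `google/clusterfuzzlite` actions), and Go native fuzz targets of the form `func FuzzXxx(f *testing.F)` in `*_test.go` files. This is an added example, not the check's own implementation; the project list, the sample repositories and the exact detection heuristics are constructed assumptions written for illustration.

```python
"""Approximate the fuzzing check on a local checkout (added example, offline).

The OSS-Fuzz project list and the sample repositories below are constructed
inline so the script runs without network access.
"""
import re
import tempfile
from pathlib import Path

# A Go native fuzz target looks like: func FuzzParse(f *testing.F) { ... }
GO_FUZZ_FUNC = re.compile(
    r"^\s*func\s+(Fuzz\w*)\s*\(\s*\w+\s+\*testing\.F\s*\)", re.MULTILINE
)

# ClusterFuzzLite is driven from a GitHub workflow that uses its build/run actions.
CFLITE_ACTION = re.compile(
    r"uses:\s*google/clusterfuzzlite/actions/(build_fuzzers|run_fuzzers)"
)


def in_oss_fuzz(repo_url: str, oss_fuzz_projects) -> bool:
    """True if the repository URL appears in the (assumed) OSS-Fuzz project list."""
    def normalise(url: str) -> str:
        return url.rstrip("/").lower()
    return normalise(repo_url) in {normalise(u) for u in oss_fuzz_projects}


def has_clusterfuzzlite(repo: Path) -> bool:
    """Heuristic: a ClusterFuzzLite Dockerfile or a workflow using its actions."""
    if (repo / ".clusterfuzzlite" / "Dockerfile").is_file():
        return True
    workflows = repo / ".github" / "workflows"
    if not workflows.is_dir():
        return False
    return any(
        CFLITE_ACTION.search(p.read_text(errors="ignore"))
        for p in workflows.iterdir()
        if p.suffix in (".yml", ".yaml")
    )


def go_fuzz_targets(repo: Path) -> list:
    """Return 'relative/path_test.go:FuzzName' for every Go native fuzz target."""
    targets = []
    for path in sorted(repo.rglob("*_test.go")):
        for m in GO_FUZZ_FUNC.finditer(path.read_text(errors="ignore")):
            targets.append(f"{path.relative_to(repo).as_posix()}:{m.group(1)}")
    return targets


def fuzzing_status(repo: Path, repo_url: str, oss_fuzz_projects) -> dict:
    """Combine the three criteria into a PASS/FAIL verdict with its evidence."""
    evidence = []
    if in_oss_fuzz(repo_url, oss_fuzz_projects):
        evidence.append("oss-fuzz project list")
    if has_clusterfuzzlite(repo):
        evidence.append("ClusterFuzzLite")
    evidence += [f"go fuzz target {t}" for t in go_fuzz_targets(repo)]
    return {"status": "PASS" if evidence else "FAIL", "evidence": evidence}


def _write(root: Path, rel: str, text: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def run_demo() -> dict:
    """Evaluate three constructed repositories (constructed sample data)."""
    oss_fuzz_projects = {"https://github.com/example-org/in-oss-fuzz"}  # constructed list
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)

        # 1. A repository with a Go native fuzz target in a test file.
        go_repo = root / "go-native"
        _write(go_repo, "parser/parser_test.go",
               'package parser\n\nimport "testing"\n\n'
               'func FuzzParse(f *testing.F) {\n'
               '\tf.Add([]byte("{}"))\n'
               '\tf.Fuzz(func(t *testing.T, data []byte) { Parse(data) })\n}\n')
        results["go-native"] = fuzzing_status(
            go_repo, "https://github.com/example-org/go-native", oss_fuzz_projects)

        # 2. A repository whose workflow runs ClusterFuzzLite.
        cfl_repo = root / "cflite"
        _write(cfl_repo, ".github/workflows/cflite_pr.yml",
               "jobs:\n  PR:\n    steps:\n"
               "      - uses: google/clusterfuzzlite/actions/build_fuzzers@v1\n")
        results["cflite"] = fuzzing_status(
            cfl_repo, "https://github.com/example-org/cflite", oss_fuzz_projects)

        # 3. A repository with ordinary unit tests only (no fuzzing evidence).
        bare_repo = root / "bare"
        _write(bare_repo, "main_test.go",
               'package main\n\nimport "testing"\n\nfunc TestMain(t *testing.T) {}\n')
        results["bare"] = fuzzing_status(
            bare_repo, "https://github.com/example-org/bare", oss_fuzz_projects)

        # 4. The same bare tree, but its URL is in the OSS-Fuzz list.
        results["listed"] = fuzzing_status(
            bare_repo, "https://github.com/example-org/in-oss-fuzz", oss_fuzz_projects)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict['status']} {verdict['evidence']}")
```

The "bare" repository shows why the Small Print below matters: a project could fuzz with libFuzzer, AFL++ or a vendor tool invoked from a Makefile and still come out FAIL here, so a FAIL is a prompt to look, not proof of absence.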

Remediation

  • Integrate the project with the chosen fuzzer.

Example: for a project hosted on GitHub, follow the OSS-Fuzz integration instructions.

Small Print

There are many fuzzing tools and many ways to run them from build and CI systems, and it is challenging for an automated tool to detect them all. A FAIL status is therefore not a definitive indication that the project is at risk.