Dark Reading | Endpoint | Products and Releases
10/6/2010 03:15 PM

Codenomicon Tools For High Speed Fuzzing

Vendor releases whitepaper reporting the findings of its performance test study

*OULU, FINLAND and CUPERTINO, CA, USA - October 6th, 2010* - Codenomicon, a leading vendor of application security testing solutions, released a whitepaper today reporting the findings of its performance test study. The study, conducted to evaluate the suitability of the model-based fuzzing tools for high-speed software operability testing, revealed that the DEFENSICS™ fuzzers not only enable high-speed robustness testing, but also allow for fully scalable performance testing, when run on high-end hardware, such as the Dell™ PowerEdge R910 server.

"One of the most important aspects of fuzzing is how fast you can execute test cases", says Dr. Charlie Miller, principal analyst from Independent Security Evaluators. "The faster you can execute test cases, the more test cases you can run and the more vulnerabilities you will find."

According to Codenomicon, in high-performance test setups, Codenomicon customers often choose to run their DEFENSICS software on Dell hardware. The tests conducted as part of this study were also run on Dell hardware. Running DEFENSICS test tools on the Dell PowerEdge R910 platform generated more than 15,000 fuzz tests per second for the HTTP protocol running over TCP, and more than 40,000 tests per second for the DNS protocol running over UDP. The reliability and scalability of the Dell PowerEdge R910 server make it an excellent choice for software testing environments. It is also a cost-effective solution for improving test throughput and result delivery.

*Increased performance decreases costs and improves reliability*

Negative software testing techniques like fuzzing use misuse cases to test software operability. Hundreds if not thousands of misuse cases need to be created for every software use case, which easily results in millions of test cases. This makes testing speed and performance crucial. Often test case generation and execution are limited by the hardware resource constraints of the testing platform. DEFENSICS is a software-based solution, and its performance can be scaled up simply by increasing the hardware resources. With modern state-of-the-art hardware, like the Dell PowerEdge R910 rack servers, the DEFENSICS test tools can generate thousands of sequences per second. The enhanced testing capabilities also allow for more complex anomalies to be used in security tests, which improves both test coverage and confidence in the results.
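The paragraph above describes the mechanics behind the throughput numbers: one valid use case is expanded by an anomaly library into hundreds or thousands of misuse cases, and the combinatorics are what make tests-per-second the limiting figure. The following is an added illustration, not Codenomicon's DEFENSICS code: the HTTP request model, the anomaly library and the deliberately naive target parser are all constructed here, and the campaign runs entirely in-process so the rate it reports is the generator-plus-parser cost, not a network figure.

```python
"""Toy model-based fuzzer: turns one valid HTTP request (a use case) into
hundreds of misuse cases and measures how fast a target parser consumes them.
Added illustration, not Codenomicon DEFENSICS code; the protocol model, anomaly
library and the target parser are all constructed here."""
import itertools
import time
from typing import Callable, Dict, Iterator, List, Tuple

# One valid use case, expressed as named protocol fields (constructed model).
VALID_REQUEST: Dict[str, str] = {
    "method": "GET",
    "path": "/index.html",
    "version": "HTTP/1.1",
    "host": "example.test",
}

# Anomaly library: each entry turns a valid field value into a misuse value.
# A production fuzzer carries hundreds of these per field type.
ANOMALIES: List[Tuple[str, Callable[[str], str]]] = [
    ("empty", lambda v: ""),
    ("whitespace_only", lambda v: "   "),
    ("overlong_1k", lambda v: v + "A" * 1024),
    ("overlong_64k", lambda v: v + "A" * 65536),
    ("nul_byte", lambda v: v[:1] + "\x00" + v[1:]),
    ("embedded_crlf", lambda v: v + "\r\nX-Extra: 1"),
    ("non_ascii", lambda v: v + "\u00e9\u00ff"),
    ("repeated", lambda v: v * 50),
]


def serialize(fields: Dict[str, str]) -> bytes:
    """Render the field model as wire bytes (the model's encoder)."""
    line = f"{fields['method']} {fields['path']} {fields['version']}"
    return f"{line}\r\nHost: {fields['host']}\r\n\r\n".encode("utf-8")


def generate_cases(max_fields: int = 2) -> Iterator[Tuple[str, bytes]]:
    """Yield (case_id, request_bytes): every anomaly applied to every single
    field, then every anomaly pair applied to every field pair, up to
    max_fields. The count grows as C(fields, k) * anomalies**k, which is why
    one use case quickly becomes thousands of tests."""
    names = list(VALID_REQUEST)
    for k in range(1, max_fields + 1):
        for field_set in itertools.combinations(names, k):
            for anomaly_set in itertools.product(ANOMALIES, repeat=k):
                fields = dict(VALID_REQUEST)
                parts = []
                for field, (aname, mutate) in zip(field_set, anomaly_set):
                    fields[field] = mutate(fields[field])
                    parts.append(f"{field}:{aname}")
                yield "+".join(parts), serialize(fields)


def naive_parse_request(raw: bytes) -> Dict[str, str]:
    """Constructed system under test: a parser with no defensive checks.
    Its unhandled exceptions are the robustness findings the campaign reports."""
    text = raw.decode("ascii")                      # non-ASCII -> UnicodeDecodeError
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ")     # wrong token count -> ValueError
    headers = dict(line.split(": ", 1) for line in lines[1:])  # bad header -> ValueError
    return {"method": method, "path": path, "version": version, **headers}


def run_campaign(target: Callable[[bytes], object],
                 max_fields: int = 2) -> Dict[str, object]:
    """Execute every generated case against the target in-process and report
    throughput plus the cases that made it raise."""
    failures: Dict[str, str] = {}
    executed = 0
    start = time.perf_counter()
    for case_id, payload in generate_cases(max_fields):
        executed += 1
        try:
            target(payload)
        except Exception as exc:                    # any unhandled exception is a finding
            failures[case_id] = type(exc).__name__
    elapsed = max(time.perf_counter() - start, 1e-9)
    return {
        "executed": executed,
        "failures": failures,
        "tests_per_second": executed / elapsed,
    }


if __name__ == "__main__":
    summary = run_campaign(naive_parse_request)
    print(f"executed {summary['executed']} cases at "
          f"{summary['tests_per_second']:.0f} tests/s, "
          f"{len(summary['failures'])} crashed the parser")
    for case_id, err in sorted(summary["failures"].items())[:5]:
        print(f"  {case_id}: {err}")
```

With four fields and eight anomalies the campaign already produces 416 cases (32 single-field, 384 pairwise); raising `max_fields` to 3 multiplies that by the anomaly count again, which is the growth the paragraph describes. Replacing the in-process call with a socket send to a real server under test is where hardware and network throughput become the limit.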

Codenomicon DEFENSICS supports more than 200 industry-standard protocols. The DEFENSICS tools are designed for robustness testing, but the released study shows that they are also highly suitable for performance and load testing: by running DEFENSICS on off-the-shelf hardware, high-speed tests can be conducted at only a fraction of the cost of tailored test appliances running on proprietary hardware. In addition, the model-based approach enables testers to also test extensions and usability with user-controlled test sequences and third-party plug-ins.

Contact Codenomicon for the latest optimal hardware configuration. For access to the full whitepaper, and more information on high-speed fuzzing, please visit: http://www.codenomicon.com/performance/

Contact Dell for more information on Dell PowerEdge servers. For more information on the R910 server, please visit: http://www.dell.com

For more information:

* Ari Takanen, CTO, Codenomicon
* Tel: +358-40-5067678 (EMEA and APAC)
* Tel: (408) 252-4000 (USA/Canada)
* Email: info@codenomicon.com

*About Codenomicon Ltd* Codenomicon develops security and quality testing software, which allows users to quickly find and identify both known and previously unknown flaws before business-critical products or services are deployed. Their unique, targeted approach to the fuzz testing of networked and mobile applications exposes more flaws and weaknesses than any other testing platform or methodology. Companies rely on Codenomicon's solutions to mitigate threats, like Denial of Service (DoS) situations and Zero Day Attacks, which could increase liability, damage business reputation and cripple sales. Codenomicon is a member of the SDL Pro Network. For more information, visit www.codenomicon.com.
