The open source security tool CI Fuzz CLI now supports Java, according to Code Intelligence, the company behind the project.
Back in September, Code Intelligence announced CI Fuzz CLI, which lets developers run coverage-guided fuzz tests directly from the command line to find and fix functional bugs and security vulnerabilities at scale. CI Fuzz CLI can be integrated into common build systems such as Maven and Bazel; integrated development environments (IDEs), and continuous integration/continuous delivery (CI/CD) tools such as Jenkins. Initially, the tool supported C, C++, and CMake. The latest update, which includes the Junit integration, allows Java developers to run fuzz tests directly from the IDE.
Fuzz testing – or fuzzing – refers to when the tester throws a lot of data ("fuzz") against an application to see how the application reacts. Because the input data includes random and invalid inputs, developers can uncover issues which could result in memory corruptions, application crashes, and security issues such as denial-of-service and uncaught exceptions.
The latest guidelines for software verification from the National Institute of Standards and Technology includes fuzzing among the minimum standard requirements. Google recently reported more than 40,500 bugs in 650 open source projects have been uncovered through fuzz testing. The company launched OSS-Fuzz in 2016 in response to the Heartbleed vulnerability, a memory buffer overflow flaw that could have been detected by fuzz testing.
While fuzz testing is slowly gaining traction within the open source community, it is not yet widely used by developers outside open source and information security, Code Intelligence says. Part of that is because fuzzing is a specialized skill and many security teams don't have the knowledge and experience to use fuzz testing tools effectively. Code Intelligence says CI Fuzz CLI lowers the barrier to entry for fuzzing because the tool has only three commands. By allowing developers to run the tool from the command line or within the IDE makes fuzzing more accessible, the company says.
The fact that the tool integrates into the developer workflow means it can automatically fuzz the code whenever there is a new pull or merge request, the company says.
“Code Intelligence helps developers ship secure software by providing the necessary integrations to test their code at each pull request, without ever having to leave their favorite environment. It’s like having an automated security expert always by your side,” Thomas Dohmke, CEO of GitHub, said in a statement.