Code Intelligence announced that its open-source command-line interface (CLI) tool, CI Fuzz CLI,
now allows Java developers to easily incorporate fuzz testing into
their existing JUnit setup in order to find functional bugs and security
vulnerabilities at scale. CI Fuzz CLI leverages genetic and
evolutionary algorithms as well as automated instrumentation to
dynamically generate millions of unusual inputs to test applications for
unexpected behaviors that may lead to crashes, Denial of Service (DoS)
or Zero-Day exploits.
Fuzz testing, which can be seen as a complementary approach to unit testing, is gaining popularity in the open-source community. Google's Open-Source-Security (OSS) team recently reported that more than 40,500 bugs in 650 open-source projects
have been detected through fuzz testing. However, fuzz testing remains
new to most developers outside the OSS and security community. A recent study
among Go developers indicates that less than 12% of all participants
use fuzz testing at work, citing a lack of understanding as well as
challenges with implementation as key reasons for low adoption.
Code Intelligence's new open-source tool aims to tackle these
challenges by making fuzz testing accessible and usable for all
developers directly from their command line or IDE. By introducing new
fuzzing capabilities for Java, CI Fuzz CLI enables continuous
application security testing directly in the CI/CD process. This is
especially valuable to companies with cloud-based products and services
who want to develop a mature DevSecOps pipeline.
"With the CI Fuzz CLI, Java developers can now improve the overall
security and robustness of their applications with confidence and ease.
It takes just three commands to set up and run a fuzz test. The tool
comes with ready-to-use integrations for Maven, Gradle and Bazel. With a
JUnit setup in place, developers can even run fuzz tests directly from
their IDE," said Werner Krahe, Product Director at Code Intelligence.
"If you're completely new to fuzzing, I recommend starting with a simple
test setup. Use your pre-existing unit tests as a template to run local
fuzz tests on small libraries and utils. After a while, you could take
it further and apply it to more complex testing setups. Ultimately, fuzz
testing will provide the best results when running continuously in your
CI/CD."
"Code Intelligence helps developers ship secure software by providing
the necessary integrations to test their code at each pull request,
without ever having to leave their favorite environment. It's like
having an automated security expert always by your side," said Thomas
Dohmke, the CEO of GitHub.