CI Fuzz is a platform for automated security testing that aims to enable developers to ship secure software fast. The platform empowers development teams to automatically deploy continuous REST API security tests with each pull request. Since it enables the instrumentation of entire web service environments, CI Fuzz can create test inputs that are guided by code coverage. This enables it to uncover complex vulnerabilities and edge cases that other tools often overlook.
In the open-source project Jsoup, more than 19 bugs (CVE-2021-37714), including several DoS vulnerabilities, were fixed thanks to CI Fuzz. The finding enabled users to avoid downtime by updating to the latest version of Jsoup.
REST API Security for Enterprise
With a strong focus on usability and automation, the CI Fuzz platform enables you to run the majority of security tests yourself. One of the platform’s main benefits is that it enables you to integrate continuous security testing cycles early on in the development process. The platform can be configured to test the codebase with each pull request, or even at each code change.
The Technology Behind CI Fuzz
The testing approach used by CI Fuzz is based on feedback-based fuzzing. Feedback-based fuzzing, also called coverage-guided fuzzing, is a dynamic testing method that uses information about the internal structure of a program to maximize the code coverage of test inputs. The fuzzer receives feedback about the structure and endpoints of your application, which it then uses to craft inputs that specifically test APIs.
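The feedback loop described above, as an added example (it is not CI Fuzz code and does not come from this page): a minimal coverage-guided fuzzer that keeps any input reaching new lines and mutates it further. The `target` function, its constructed bug, the helper names, and the use of `sys.settrace` line coverage with deterministic one-byte mutations are all assumptions made for illustration.

```python
import sys

ALPHABET = bytes(range(ord("A"), ord("Z") + 1))

def target(data: bytes) -> None:
    """Constructed stand-in for a parser: fails on input starting b'FUZZ'."""
    if len(data) > 0 and data[0] == ord("F"):
        if len(data) > 1 and data[1] == ord("U"):
            if len(data) > 2 and data[2] == ord("Z"):
                if len(data) > 3 and data[3] == ord("Z"):
                    raise ValueError("constructed bug reached")

def run_with_coverage(data: bytes):
    """Run target once; return (line numbers executed in target, crashed)."""
    lines = set()
    def tracer(frame, event, arg):
        if frame.f_code is not target.__code__:
            return None          # ignore frames outside the target
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(data)
        crashed = False
    except ValueError:
        crashed = True
    finally:
        sys.settrace(previous)   # restore whatever tracer was active before
    return lines, crashed

def guided_fuzz(seed: bytes):
    """Keep every mutant that reaches new lines and mutate it further."""
    seen, _ = run_with_coverage(seed)
    corpus, execs = [seed], 1
    for entry in corpus:                     # corpus grows during iteration
        for pos in range(len(entry)):
            for byte in ALPHABET:            # deterministic one-byte mutation
                mutant = entry[:pos] + bytes([byte]) + entry[pos + 1:]
                lines, crashed = run_with_coverage(mutant)
                execs += 1
                if crashed:
                    return mutant, execs, corpus
                if not lines <= seen:        # feedback: new coverage found
                    seen |= lines
                    corpus.append(mutant)
    return None, execs, corpus
```

Starting from the seed `b"AAAA"`, `guided_fuzz` reaches the failing input in 417 executions, whereas enumerating four-letter inputs without feedback has 26**4 = 456,976 candidates to try.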
Bug Detectors Protect Against Unexpected Edge Cases
With CI Fuzz you can apply intelligent bug detectors and security checks to identify bugs and security vulnerabilities. These features enable you to identify problematic edge cases and vulnerabilities that are often missed by static testing solutions.
Minimal Manual Configuration Thanks to Autofuzz Mode
CI Fuzz is a cloud-based application security testing platform that is readily available online. All you need to do is follow the instruction manual to instrument your API endpoints precisely and start your first fuzzing runs. With the new autofuzz mode, you will be able to automatically generate test harnesses.
CI Fuzz Runs In Your Development Environment
CI Fuzz is basically compatible with every IDE, build system, and CI/CD pipeline. Integrating CI Fuzz into your infrastructure will enable you to test your codebase continuously, throughout the different stages of the software development life cycle.
Debug REST APIs With a Few Clicks
Since CI Fuzz uses a dynamic testing approach, it can provide stack traces that enable you to easily reconstruct crashes. After a bug is found, the CI Fuzz debugging feature takes you directly to the affected part of your REST API, where you can set up your IDE with a test case and start fixing the bug.
Triage Bugs With Automated Bug Reporting
CI Fuzz automatically ranks security issues by their severity and presents them in a dashboard. There, you can keep track of code coverage and bug findings, and generate reports to share with your team.
Maximize Code Coverage
CI Fuzz is a white-box testing approach that automatically measures and improves code coverage. This allows testers to efficiently close in on problematic inputs that could cause web applications to crash or leak information.