Open Source Summit Europe 2022

Fuzzing is a testing technique that uses randomized inputs to find bugs in software. Fuzzing is the most successful automated vulnetability/bug-finding technique and has recently experienced an enormous growth in popularity. In this talk we will share our experience helping thousands of developers incorporate fuzzing into their software development lifecycle. We will walk though tools and techniques used to secure hundreds of open source projects, including: - libFuzzer and AFL++: Coverage-guided fuzzers that can be used for fuzzing code where source is available and binaries where the source code is not available. - ClusterFuzz and ClusterFuzzLite: Continuous Integration infrastructure that runs your fuzzers to catch bugs in your software before they affect users. - OSS-Fuzz: free service that fuzzes critical open source projects such as Curl and OpenSSL. OSS-Fuzz has found 40,000 bugs (9,000 security) in more than 500 open source projects. - Syzkaller and Syzbot: Kernel fuzzing tool and infrastructure providing much of the same functionality described above for the Linux kernel. Viewers of this talk will walk away with the knowledge to start improving the security of their applications and dependencies with this essential testing technique.