Fuzzing provides many different types of valid and invalid input to software in an attempt to make it enter an unpredictable state or disclose confidential information. It works by automatically generating input values and feeding them to the software package. In this video, learn how developers and security professionals use fuzzing as a software testing technique.
- [Instructor] Fuzz testing, or fuzzing, is a very important software security testing technique. Fuzzing provides many different types of valid and invalid input to software in an attempt to make it enter an unpredictable state or disclose confidential information. It works by automatically generating input values and feeding them to the software package. Fuzzing can use different input sources. The developer running the test can supply a long or short list of input values. The developer running the test can write a script that generates input values. The fuzz testing software can generate input values randomly or from a specification. This is known as generation fuzzing. Or the fuzz tester can analyze real input and then modify those real values. This is known as mutation fuzzing. Let's take a look at an example of fuzz testing. We'll use the Zed Application Proxy, or ZAP, available for free from the Open Web Application Security Project, OWASP. Here I am, inside ZAP. I'm going to go ahead and use the ZAP Browser…
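As an added illustration of the two input sources the instructor describes (this is example code written for this page, not part of the course or of ZAP), the following Python harness runs a generation fuzzer, which builds inputs from a description of the "key=value" format, and a mutation fuzzer, which edits sample inputs, against a constructed toy parser and reports any input that drives it into an unhandled state. The parser, its planted length bug and the seed values are all constructed for the example.

```python
import random
import string

def parse_record(data: str):
    # Constructed toy target: parses "key=value"; deliberately lacks a length check.
    if "=" not in data:
        raise ValueError("missing '='")        # documented rejection of malformed input
    key, value = data.split("=", 1)
    return key, value, "SMMLLXXX"[len(value)]  # bug: IndexError once len(value) >= 8

def run_case(target, data):
    # None if the target accepts or cleanly rejects the input, else the crash type.
    try:
        target(data)
    except ValueError:
        return None                            # expected validation failure, not a bug
    except Exception as exc:                   # any other exception: unpredictable state
        return type(exc).__name__

def generation_fuzz(rng, count):
    # Generation fuzzing: inputs built from a specification of the format, no samples.
    for _ in range(count):
        key = "".join(rng.choice(string.ascii_letters) for _ in range(rng.randint(1, 4)))
        value = "".join(rng.choice(string.ascii_letters) for _ in range(rng.randint(0, 12)))
        yield f"{key}={value}"

def mutation_fuzz(rng, seeds, count):
    # Mutation fuzzing: real sample inputs with small random edits applied.
    for _ in range(count):
        s = list(rng.choice(seeds))
        op = rng.choice(("flip", "insert", "repeat"))
        if op == "flip" and s:                 # alter one character
            i = rng.randrange(len(s))
            s[i] = chr(ord(s[i]) ^ rng.randint(1, 127))
        elif op == "insert":                   # add a character anywhere
            s.insert(rng.randint(0, len(s)), rng.choice(string.printable))
        elif op == "repeat" and s:             # stretch the input to probe length limits
            s += s[-1:] * rng.randint(1, 10)
        yield "".join(s)

def fuzz(target, cases):
    # Run every case; return {crash_type: first input that triggered it}.
    findings = {}
    for data in cases:
        crash = run_case(target, data)
        if crash and crash not in findings:
            findings[crash] = data
    return findings
```

Both strategies find the planted IndexError within a few hundred cases; `run_case` treats the parser's own ValueError as a clean rejection, so only exceptions the parser never meant to raise count as findings.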
Learn about security assessment and testing practices needed to prepare for the Certified Information Systems Security Professional (CISSP) exam. CISSP—the industry's gold standard certification—is necessary for many top jobs. This course helps you approach the exam with confidence by providing coverage of key topics, including threat assessment, log monitoring, and software testing. It also covers disaster recovery and security process assessment. Students who complete this course will be prepared to answer questions on the sixth CISSP exam domain: Security Assessment and Testing.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
Note: This course is part of a series releasing throughout 2018. A completed Learning Path of the series will be available once all the courses are released.
- Using security assessment tools
- Scanning for vulnerabilities
- Threat assessment techniques
- Performing penetration testing
- Reviewing monitor logs
- Performing code reviews
- Performing fuzz testing and misuse case testing
- Analyzing coverage
- Assessing disaster recovery sites and backups
- Testing BC/DR plans
- Collecting security process data and metrics
- Auditing and control management