An evaluation of free fuzzing tools
Vimpari, Mikko (2015-05-18)
© 2015 Mikko Vimpari. This item is protected by copyright and/or related rights. You may use the item in the ways permitted by the copyright and related-rights legislation applicable to your use. Any other use requires the permission of the rights holders.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:oulu-201505211594
Abstract
With social media, online shopping, electronic currencies and other novel applications, more and more sensitive information is stored in, and transferred between, different systems. The value of the information is high, and so is the need to protect it.
At the same time, start-up companies are being formed at an increasing pace, and they rush to publish new software to the market. Small companies, from one to a few developers in size, often don't have vast resources to spread around, and there is a risk that a new application's security aspects may be ignored. While most of the security is built into a software product during the design phase, at least the most obvious security flaws could perhaps be caught by testing the application with proper security testing tools. The tools, however, cost money and may be difficult to use. Are there free security testing tools available that can be used with little training? Can these tools be evaluated somehow?
First, exploratory research was performed to identify potential free tools to be evaluated. The research identified six tools: Radamsa, MiniFuzz, Burp Suite, JBroFuzz, w3af and ZAP. The tools were evaluated against each other using a qualitative research method, Choosing by Advantages (CBA). The CBA analysis was based on criteria derived from the target users' needs.
The analysis identified differences between the tools and presented them as a list of advantages and disadvantages per tool. This list can then be used to select the best-suited tool for the desired use case.
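As an added illustration of the Choosing by Advantages method the abstract names (this is not the thesis's own analysis, and its criteria, weights and results are not reproduced here), the following Python sketch scores a set of alternatives the CBA way: for each factor, the least-preferred attribute has no advantage, every other alternative's advantage is its distance from that attribute, and the evaluator's importance for the largest advantage in the factor is scaled down proportionally for the smaller ones. The three placeholder tools, the factors and the importance values are constructed assumptions. Cost is left out of the scoring because CBA weighs cost separately and the thesis restricts itself to free tools.

```python
"""Minimal Choosing by Advantages (CBA) scorer.

Added illustration only: the factors, importance values and the three
placeholder tools below are constructed, not data from the thesis.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    higher_is_better: bool
    max_importance: float  # importance the evaluator gives the largest advantage in this factor


# Constructed evaluation criteria (hypothetical; derived "from the target users' needs"
# in the thesis, but these specific ones are assumptions).
FACTORS = [
    Factor("setup_minutes", higher_is_better=False, max_importance=60),   # time to first fuzz run
    Factor("protocols", higher_is_better=True, max_importance=100),       # paramount advantage
    Factor("docs_quality", higher_is_better=True, max_importance=40),     # 1 (poor) .. 5 (excellent)
]

# Constructed attribute summaries for three placeholder tools.
TOOLS = {
    "Tool A": {"setup_minutes": 10, "protocols": 3, "docs_quality": 4},
    "Tool B": {"setup_minutes": 45, "protocols": 5, "docs_quality": 2},
    "Tool C": {"setup_minutes": 20, "protocols": 1, "docs_quality": 5},
}


def cba_scores(factors, alternatives):
    """Return {alternative: total importance of its advantages}.

    alternatives maps a name to {factor_name: attribute value}.
    Per factor: the least-preferred attribute gets zero advantage; each other
    alternative's advantage is its distance from that attribute; the largest
    advantage receives the factor's max_importance and smaller advantages are
    scaled proportionally. Totals are summed across factors.
    """
    totals = {name: 0.0 for name in alternatives}
    for f in factors:
        values = {name: attrs[f.name] for name, attrs in alternatives.items()}
        least = min(values.values()) if f.higher_is_better else max(values.values())
        advantages = {name: abs(v - least) for name, v in values.items()}
        biggest = max(advantages.values())
        if biggest == 0:
            continue  # every alternative is equal on this factor: nothing to weigh
        for name, adv in advantages.items():
            totals[name] += f.max_importance * adv / biggest
    return totals


def rank(factors, alternatives):
    """Alternatives ordered from the highest total importance of advantages down."""
    scores = cba_scores(factors, alternatives)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, total in rank(FACTORS, TOOLS):
        print(f"{name}: {total:.1f}")
```

The per-factor advantage lists that `cba_scores` computes internally are the same "advantages and disadvantages per tool" the abstract describes; the totals only collapse them into one number for ranking, and a real CBA write-up would keep the lists visible so the reader can see which factor decided the outcome.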