On February 12, 2021, ForAllSecure CEO Dr. David Brumley joined Cloudflare’s Head of Product Security, Evan Johnson, to discuss all things software security, fuzz testing, capture-the-flags (CTFs), and cybersecurity certifications.

Missed the episode? You’re in luck. A replay of the episode is available here: https://cloudflare.tv/event/42ZANWDPdZQeco5OqVyf32

We’ve also outlined below the top 3 takeaways from the episode.

Cloudflare leverages fuzzing to prove their security commitment to customers.

One of the challenges Johnson commonly faces is assuring customers on Cloudflare’s commitment to security. “How do you ensure that you’ll never get hacked”, “How will you ensure your privacy”, and “How do you ensure your availability” are just a few of the frequently asked questions Johnson fields. For these questions, he explains, you not only need an intelligent answer, but you also have to prove what you have in place to prevent the unforeseen from happening, whether it be security controls, compliance, or certifications. 

One of the most important and impactful security programs Cloudflare has put in place is adding fuzz testing into their product security strategy. “At Cloudflare, fuzzing is really really high on the hierarchy of needs”, Evan asserts. “Whether you’re in avionics, autonomous vehicles, or web infrastructure like Cloudflare -- where it’s necessary for availability to be high -- fuzzing is a necessary tool in the toolbox. Fuzzing happens close to the software, so it’s effective at finding bugs. It’s such a powerful part of our assurance argument to our customers, especially when we’re able to say and prove that we’re continuously testing our code with roughly 10 million test cases an hour.” 

There is a cost to doing nothing!

Johnson points out his love and support for a recent blog post ForAllSecure released on the cost of doing nothing. “I’m a big fan of the thought that there is a cost to doing nothing!” 

He has found himself pondering about what he can do as a security leader to encourage an attitude of doing more than nothing. He hypothesizes that because security doesn’t get reported into Wall Street the same way that financials or market opportunity does, it creates complacency. “Security doesn’t have the same sense of urgency as, say, sales teams closing deals or product and engineering teams shipping new features.” 

He believes that the world would be better off when implementing security programs no matter how big or small -- whether it’s to keep users safe and secure or to keep service availability continuous and robust -- is considered with the same level of urgency. It’s about reframing our attitude so that progress on an organization’s security posture is seen as equally valuable to business growth. He wants the world to know that doing more than nothing is meaningful, not another gripe to take to Twitter and perpetuate miserable attitudes.

We concur, Evan! It’s all about that growth mindset!

Fuzz testing is akin to bringing the most powerful pen testers in-house.

Brumley calls on his experience as a CMU CS professor and faculty advisor of the world's most  accomplished hacking team, PPP, to reveal that “professional hackers who find bugs for a living commonly rely on fuzzing.”

Johnson validates this observation. “They are very creative people, but also a lot of their time is spent fuzzing and finding where to employ their creativity. They find the crash and, from there, they leverage their creativity to figure out how to exploit it.”

Brumley expounds: “One of the people I admire is George Hotz. He was a CMU student and is a renowned hacker. I would ask him how he found zero-days. And, he’d say I would look for pieces of code that are complex and likely aren’t being tested. He wasn’t looking to understand the whole app, really just find out what’s untested, then fuzzing it.” Interestingly, this isn’t the first time this topic has come for ForAllSecure. We’ve written several blogs on the power of fuzz testing against untested code:

• Knowing the Unfuzzed and Finding Bugs with Coverage Analysis
• Uncovering Vulnerabilities in Open Source Libraries
• Why Fuzzing Works

The moral of the story? Fuzzing works and, if you’re not fuzzing, it’s going to be done for you -- whether is maliciously by nefarious actors, organically by your users, or proactively by you.

What else did you miss?

Johnson and Brumley cap the episode with entertaining and friendly banter with their thoughts on the value of security certifications -- whether it be Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), or others -- for career advancement. They also evaluate what’s more weighty: a Ph.D. in cybersecurity or an industry certification? As a professor and CEO, which would you bet Brumley fought for? A Ph.D. or certifications? And, what industry experience led Johnson to ensure his LinkedIn viewers are clear on the fact that he is “Not A CISSP”. For that, you’ll have to rewatch the episode yourself: https://cloudflare.tv/event/42ZANWDPdZQeco5OqVyf32

Looking for another dose of ForAllSecure and Cloudflare fireside chats on all things fuzzing and software security? We’ve got you covered! Check out FuzzCon TV, Episode IV: Fuzzing Instructure on the fuzzing thoughts bouncing around in the minds of executives and leaders from VMWare, Cloudflare, ExtraHop, and Roblox. Enjoy!