Based on information gained through studies like BSIMM, it appears that everyone does fuzzing today. Processes such as Microsoft's SDL have fuzzing as the key technique for zero-day vulnerability discovery in the verification phase of software development. Also, if you look at known vulnerability discoveries, you will find that all hacker-discovered flaws are found using fuzzing. If you are fortunate enough to already be doing fuzzing, have you ever thought about how well you are doing it? Enter the area of security testing metrics! This presentation will give some dirty details of fuzzing techniques, test efficiency, and how to compare different fuzzing techniques. I will also look at metrics related to the integration of fuzzing into product security processes. Traditionally, fuzzing has been a penetration testing technique for finding critical security problems in any type of communication software. Fuzzing feeds a program, device or system with malformed and unexpected input data in order to find critical crash-level defects. Today, next-generation fuzzing methodologies are based on intelligent model-based testing, where tests are both generated and executed automatically. Fuzzing metrics look at aspects such as test accuracy and test precision. The purpose is not only to find most of the flaws hiding in the software, but also to provide an estimate of how many are left for later discovery. The presentation is loosely based on Ari's book on fuzzing, published by Artech House in 2008.

London, 20th & 21st May 2010, Westminster Conference Centre
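To make the metrics the abstract talks about concrete, here is an added example (illustrative code written for this page, not the talk's or the book's own tooling) of a minimal mutation fuzzer that records the numbers a practitioner would compare between fuzzing techniques: test cases run, crash rate, unique crash sites, block coverage, and a rough estimate of crash sites not yet seen. The toy target `parse_record`, the mutators, and the Chao1-style estimator used for "how many are left" are all assumptions made for the demonstration.

```python
"""Added example: a minimal mutation fuzzer with test-efficiency metrics.

Illustrative code written for this page, not the talk's or the book's own
tooling. The target, the mutators and the Chao1-style estimate of unseen
crash sites are assumptions made for the demonstration.
"""
import random
from collections import Counter
from dataclasses import dataclass, field

# Every named block in the target; used as the denominator for coverage.
ALL_BLOCKS = {"entry", "too_short", "bad_magic", "magic_ok",
              "checksum_done", "zero_checksum"}


def parse_record(data: bytes, hit: set) -> int:
    """Constructed toy target: magic byte, length byte, payload.

    Inputs it rejects gracefully raise ValueError. It has one planted
    defect: the declared length is trusted when indexing the payload.
    """
    hit.add("entry")
    if len(data) < 2:
        hit.add("too_short")
        raise ValueError("too short")
    magic, length = data[0], data[1]
    if magic != 0x7A:
        hit.add("bad_magic")
        raise ValueError("bad magic")
    hit.add("magic_ok")
    payload = data[2:]
    checksum = 0
    for i in range(length):          # planted bug: length > len(payload)
        checksum ^= payload[i]       # -> IndexError, the "crash"
    hit.add("checksum_done")
    if checksum == 0:
        hit.add("zero_checksum")
    return checksum


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: overwrite, insert, delete or truncate."""
    buf = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 2 and buf:
        del buf[rng.randrange(len(buf))]
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


@dataclass
class FuzzStats:
    tests: int
    crashes: int                       # test cases that crashed the target
    crash_sites: Counter = field(default_factory=Counter)
    coverage: set = field(default_factory=set)

    @property
    def unique_crashes(self) -> int:
        return len(self.crash_sites)

    @property
    def crash_rate(self) -> float:
        """Fraction of test cases that crash: a precision-style measure."""
        return self.crashes / self.tests if self.tests else 0.0

    @property
    def coverage_ratio(self) -> float:
        return len(self.coverage) / len(ALL_BLOCKS)

    @property
    def estimated_total_sites(self) -> float:
        """Assumed Chao1-style lower bound on crash sites (seen or not), from
        the sites hit exactly once (f1) and exactly twice (f2)."""
        f1 = sum(1 for n in self.crash_sites.values() if n == 1)
        f2 = sum(1 for n in self.crash_sites.values() if n == 2)
        if f2:
            return self.unique_crashes + f1 * f1 / (2 * f2)
        return self.unique_crashes + f1 * (f1 - 1) / 2


def run_fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> FuzzStats:
    """Run the seed unmutated, then `iterations` mutated cases; collect metrics."""
    rng = random.Random(rng_seed)
    stats = FuzzStats(tests=0, crashes=0)
    cases = [seed] + [mutate(seed, rng) for _ in range(iterations)]
    for case in cases:
        stats.tests += 1
        try:
            parse_record(case, stats.coverage)
        except ValueError:
            pass                       # graceful rejection, not a defect
        except Exception as exc:       # anything else counts as a crash
            tb = exc.__traceback__
            while tb.tb_next:          # walk to the frame that raised
                tb = tb.tb_next
            site = (type(exc).__name__, tb.tb_frame.f_code.co_name)
            stats.crashes += 1
            stats.crash_sites[site] += 1
    return stats


if __name__ == "__main__":
    s = run_fuzz(b"\x7a\x03abc", 2000)   # constructed seed: magic, len 3, "abc"
    print(f"tests={s.tests} crashes={s.crashes} unique={s.unique_crashes}")
    print(f"crash_rate={s.crash_rate:.3f} coverage={s.coverage_ratio:.2f}")
    print(f"estimated crash sites, seen or not: {s.estimated_total_sites:.1f}")
```

Comparing two techniques with these numbers means comparing them at equal test budgets: unique crash sites per thousand test cases and coverage reached say more than the raw crash count, since a poorly designed mutator can hit the same defect thousands of times while leaving whole code paths untouched. The estimator is only a heuristic, but a large number of crash sites seen exactly once is a useful warning that the campaign has not saturated.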