I recently read Ari Takanen’s Fuzzing for Software Security Testing and Quality Assurance. This is a valuable book on fuzz testing, and timely.
- He really puts fuzzing in context. Fuzz testing has been around for a long time, and this book gives you the full historical perspective, as well as a modern view.
- Fuzz testing is important. When Gary McGraw and company did their Building Security In Maturity Model, one of the activities that virtually everyone did was fuzz testing. Clearly we need books like this to get everyone onboard.
- Although Ari is CTO of Codenomicon, a commercial fuzz testing tool vendor, the book is not a pitch for his tool. He actually gives lots and lots of information on a broad variety of tools, including free tools. It’s a complete and honest vision that is not overly promoting his company’s product.
- I learned a lot of fundamentals that make a difference to how I fuzz test things. For example, I now understand mutational versus generational fuzzers. They each have benefits and you probably want some of both for good coverage.
- I think he spends too much time talking about motherhood and apple pie security things. Things like security testing, risk analysis, code analysis, etc. There have been ample trees killed on these topics and I don’t think the treatment in this book really adds to that body of knowledge. I would have been happier with just some references to the rest of the world.
- The comparisons of commercial and free tools are intermixed with all this extra security discussion. So sometimes you have to read about security metrics or some other broad topic in order to find a specific example of a specific tool.
- The authors’ perspective is too much fuzzing über alles. They downplay the value of techniques like static code analysis and architecture risk analysis. Those techniques are complementary, not counter, to fuzz testing.
I like the book a lot and am glad I have it. I recommend it.