Coverage-guided fuzzers, like Jazzer, maximize the amount of executed code during fuzzing. This has proven to produce interesting findings deep inside the codebase. Only checking validation rules on the first application layer isn’t providing great benefits, whereas verifying logic in and interactions of deeply embedded components is. To extend the amount of covered code, the fuzzer tries to mutate its input in such a way that it passes existing checks and reaches yet unknown code paths.

Jazzer, our fuzzer for the JVM, is already being used with several JVM languages like Java and Kotlin. Recently, a member of the community asked us whether Jazzer can also fuzz Clojure code. The answer is yes, but it wasn't obvious how to set things up. So we've built a small helper library, jazzer-clj, which contains everything you need to get started with Jazzer for Clojure. There's also an example project to demonstrate the setup.

Application Programming Interface (APIs), allow services to communicate with each other. Naturally, applications that are interconnected through many APIs, require thorough security testing, as each connection could potentially include software vulnerabilities. Since there are different methods to test these junctions, I want to briefly discuss the benefits and weaknesses of the most commonly used API testing methods in this article.

To help contain the damages that arise from the log4j vulnerability, Code Intelligence collaborated with Google’s Open Source Security Team. Together, we implemented effective bug detectors for Remote Code Execution Vulnerabilities (RCEs) to Google’s open source fuzzing framework, OSS-Fuzz.

On December 9th, 2021, the Remote Code Execution (RCE) CVE-2021-44228 in Apache log4j 2 was published and started seeing active exploitation soon after. Since then, development teams have been working hard and tirelessly, trying to fix the issue to prevent (further) damage.

CI Fuzz is a platform for automated security testing that aims to enable developers to ship secure software fast. The platform empowers development teams to automatically deploy continuous REST API security tests with each pull request. Since it enables the instrumentation of entire web service environments, CI Fuzz can create test inputs that are guided by code coverage. This enables it to uncover complex vulnerabilities and edge cases that other tools often overlook.

For obvious reasons, civilian aerospace is steeped in safety regulations. Long-standing international governing bodies mandate and oversee the specification, design, and implementation of civil avionics such that failure conditions that could lead to safety hazards are identifiable, assessed, and mitigated.