Goal
The main goal of the service is to have True Code integrated in the development toolchain so that fuzzing tests can be executed on a daily basis as part of the build cycle.
True Code will be installed and configured, 2 to 3 fuzzing tests will be implemented in True Code, and the results of those tests will be triaged together with the customer team.
As a secondary goal, the customer will be coached on how to create additional fuzzing tests with True Code, based on the 2 to 3 example tests that have been made by Riscure.
The following steps will be followed:
True Code installation
Primarily done by the customer. The manual gives extensive guidance on how to install True Code and also describes what the prerequisites are. At the start of the project we expect True Code to be installed on a workstation as well as on a server, since in the end we want to integrate it in the daily build cycle.
If any issues occur during installation, they are handled by CXT. The customer can create support tickets and will be helped based on their contract.
Configure and run True Code on one of the demo codebases
This will be done through an onboarding session organized by CXT after the installation has been done. From the customer we would expect the team that is going to work with True Code to be present: at least the people that will configure True Code, but preferably also the development team that will need to work on the found issues.
After this step we have confirmed that True Code is properly installed and that static checks, simulation and fuzzing can run on the demo code base. For this step we estimate a 4-hour session with the customer team.
Import customer code base and create compile configuration for the customer code base
This will be a joint effort between CXT and the security analyst that will work with the customer to implement the fuzzing tests.
From the customer we expect the people that will work on the True Code configuration to be present. They will need to have knowledge of and access to the customer's build process and build environment, since this knowledge is essential to make a robust configuration.
The time we need to spend is dependent on the size of the code base and the complexity of the build process. On average we would need to spend 1 to 2 days (with 2 persons) to get everything up and running and verify the configuration.
Create fuzzing tests
This would be done by a Riscure analyst. Activities:
From the customer, the dev team is expected to be involved, along with someone on a more architectural/senior level to help identify the relevant parts of the codebase from a security perspective.
Educate the customer on how to build additional tests
This would be done by a Riscure security analyst. Based on the tests already created, 1 or 2 other parts of the codebase are chosen, and the analyst coaches the team on how to create fuzzing tests for those parts.
Integrate the tests in the daily builds on the server
This would be done by the customer assisted by CXT. The configuration and tests made in the project will be exported to the server environment and a command line script to control the tests from the daily build will be created. The script will be tested. Estimated time to export the configuration and create the script is 4 to 6 hours.
From the customer side someone needs to be part of this activity who has:
Aftercare
In the next 30 to 45 days, the analyst that guided the customer in creating the tests, coached them and helped them triage the first result will spend 2 separate days on additional consulting.