True Code implementation and launch support for fuzzing

Goal

The main goal of the service is to have True Code integrated in the development toolchain so that fuzzing tests can be executed on a daily basis as part of the build cycle.

True Code will be installed and configured, 2 to 3 fuzzing tests will be implemented in True Code, and the results of those tests will be triaged together with the customer team.

As a secondary goal, the customer will be coached on how to create additional fuzzing tests with True Code, based on the 2 to 3 example tests made by Riscure.

 

The following steps will be followed:

 

True Code installation

Primarily done by the customer. The manual gives extensive guidance on how to install True Code and also describes the prerequisites. At the start of the project we expect True Code to be installed on a workstation as well as on a server, since in the end we want to integrate it in the daily build cycle.

If any issues occur during installation, these are handled by CXT. The customer can create support tickets and will be helped based on their contract.

 

Configure and run True Code on one of the demo codebases

This will be done through an onboarding session organized by CXT after the installation has been done. From the customer we expect the team that is going to work with True Code to be present: at least the people who will configure True Code, but preferably also the development team that will need to work on the issues found.

After this step we have confirmed that True Code is properly installed and that static checks, simulation and fuzzing can run on the demo code base. For this step we estimate a 4-hour session with the customer team.

 

Import customer code base and create compile configuration for the customer code base

 

This will be a joint effort between CXT and the security analyst who will work with the customer to implement the fuzzing tests.

From the customer we expect the people who will work on the True Code configuration to be present. They will need to have knowledge of, and access to, the customer's build process and build environment, since this knowledge is essential to make a robust configuration.

The time we need to spend depends on the size of the code base and the complexity of the build process. On average we would need to spend 1 to 2 days (with 2 persons) to get everything up and running and verify the configuration.

 

Create fuzzing tests

This would be done by a Riscure analyst. Activities:

 

  • Decide on the parts of the code base for which fuzzing would be relevant
  • Create test harnesses within True Code for 2 to 3 tests
  • Create (function) stubs for the parts that cannot be executed
  • Run the tests
  • Triage the results
  • Discuss results with the customer
  • Suggest mitigations
  • Rerun the tests to see the effect of the mitigations

From the customer, the dev team is expected to be involved, along with someone on a more architectural/senior level to help identify the relevant parts of the codebase from a security perspective.

 

Educate the customer on how to build additional tests

 

This would be done by a Riscure security analyst. Based on the tests already created, 1 or 2 other parts of the codebase are chosen, and the analyst coaches the team on how to create fuzzing tests for those parts.

Integrate the tests in the daily builds on the server

 

This would be done by the customer, assisted by CXT. The configuration and tests made in the project will be exported to the server environment, and a command line script to control the tests from the daily build will be created. The script will be tested. Estimated time to export the configuration and create the script is 4 to 6 hours.

 

From the customer side, someone needs to be part of this activity who has:

  • Access to the server and build environment
  • Knowledge on the daily build process
  • Experience with scripting in this build environment

 

Aftercare

 

In the next 30 to 45 days, the analyst who guided the customer in creating the tests, coached them and helped them triage the first results will spend 2 separate days on additional consulting.