Date: 2021-11-11



Google has announced a new open source fuzzing project called ClusterFuzzLite. It acts as a lightweight version of the internet giant's existing ClusterFuzz tool, which became open source almost three years ago.

Fuzz testing, commonly known as fuzzing, is an automated software testing technique that throws invalid or random data ("fuzz") at a computer program before deployment to see how it reacts. This helps developers find bugs and flaws that could be exploited by malicious attackers.

The rise of software supply chain attacks has shed light on the role that open source software plays in business-critical applications and on the inherent vulnerabilities contained in such software. Countless organizations, from government agencies to hospitals and businesses, have been hit. After a targeted software supply chain attack over the past year, US President Biden issued an executive order outlining measures to counter these threats. In response, the National Institute of Standards and Technology (NIST) has published software validation guidelines. Fuzzing is included as part of the recommended minimum standard for software testing.

Get caught up in fuzz

In 2016, Google launched OSS-Fuzz. It combines a variety of fuzzing engines to provide continuous fuzzing for popular open source software projects as part of the quality assurance (QA) process. Shortly thereafter, Google began offering OSS-Fuzz's ClusterFuzz backend as a free service, and it open-sourced ClusterFuzz itself in 2019.

Fast-forward to today, and Google says more than 500 important open source projects have been integrated with the OSS-Fuzz program, which has identified about 6,500 vulnerabilities and led to fixes for 21,000 functional bugs.

ClusterFuzzLite offers many of the same features as ClusterFuzz, including continuous fuzzing, but it is easy to set up as part of a developer’s continuous integration (CI) workflow and requires only a few lines of code. It’s essentially a simplified alternative. The aim is to fuzz GitHub pull requests so that bugs are caught before they are committed to the main codebase, and to improve the security practices of all companies that depend on those software components.

According to a Google blog post, GitHub users can integrate ClusterFuzzLite into their workflows and fuzz pull requests with just a few lines of code, catching bugs before they are committed and enhancing the overall security of the software supply chain.

At release, ClusterFuzzLite officially supports a small number of CI systems, including GitHub Actions and Google Cloud Build, and it also supports Prow as part of its early beta. According to Google, ClusterFuzzLite is built with scalability in mind, making it even easier to add support for other CI systems.

