Google has unveiled a new open source initiative aimed at helping software developers quickly identify vulnerabilities in their code, with the goal of improving the security of the software supply chain. According to Google, GitHub users can now integrate the tool, named ClusterFuzzLite, into their workflow with just a few lines of code to fuzz pull requests and catch bugs before they are merged.
As Google notes, continuous fuzzing has become an important component of the software development lifecycle in recent years, as it helps to detect defects and bugs in a more systematic way.
In fact, fuzzing is listed as the minimal standard required for code verification in the latest US National Institute of Standards and Technology (NIST) recommendations for software verification, which were produced in response to the White House Executive Order on cybersecurity.
ClusterFuzzLite will be available as part of Google’s OSS-Fuzz program, which has helped over 500 major open source projects catch over 6,500 vulnerabilities and fix over 21,000 functional issues since its inception in 2016.
ClusterFuzzLite has already been incorporated into the code review process of well-known open source projects like systemd and curl.
“Fuzzing is what gets you to the next level of code maturity and robustness after the human reviewers nod and approve the code and your static code analyzers and linters can’t find any more errors,” says curl’s author, Daniel Stenberg, who adds that OSS-Fuzz and ClusterFuzzLite “help us maintain curl as a quality project around the clock, every day, and every commit.”
ClusterFuzzLite currently supports GitHub Actions and Google Cloud Build, but Google says the tool is extensible and can be used with other Continuous Integration (CI) systems with very little effort.