{"id":75351,"date":"2018-01-03T09:00:15","date_gmt":"2018-01-03T17:00:15","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=75351"},"modified":"2023-05-15T22:58:23","modified_gmt":"2023-05-16T05:58:23","slug":"application-fuzzing-in-the-era-of-machine-learning-and-ai","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/01\/03\/application-fuzzing-in-the-era-of-machine-learning-and-ai\/","title":{"rendered":"Application fuzzing in the era of Machine Learning and AI"},"content":{"rendered":"


Proactively testing software for bugs is not new. The earliest examples date back to the 1950s with the term “fuzzing.” Fuzzing as we now refer to it is the injection of random inputs and commands into applications. It made its debut quite literally on a dark and stormy night in 1988. Since then, application fuzzing has become a staple of the secure software development lifecycle (SDLC), and according to Gartner*, “security testing is growing faster than any other security market, as AST solutions adapt to new development methodologies and increased application complexity.”

We believe there is good reason for this. The overall security risk profile of applications has grown in lockstep with accelerated software development and application complexity. Hackers are also aware of the increased vulnerabilities and, as the recent Equifax breach highlights, the application layer is highly targeted. Despite this, the security and development groups within organizations cannot find easy alignment to implement application fuzzing.

While DevOps is transforming the speed at which applications are created, tested, and integrated with IT, that same efficiency hampers the ability to mitigate identified security risks and vulnerabilities without impacting business priorities. This is exactly the promise that machine learning, artificial intelligence (AI), and the use of deep neural networks (DNN) are expected to deliver on in evolved software vulnerability testing.

Most customers I talk to see AI as a natural next step given that most software testing for bugs and vulnerabilities is either manual or prone to false positives. With practically every security product claiming to be machine learning and AI-enabled, it can be hard to understand which offerings can deliver real value over current approaches.

Adoption of the latest techniques for application security testing doesn’t mean CISOs must become experts in machine learning. Companies like Microsoft are using the on-demand storage and computing power of the cloud, combined with experience in software development and data science, to build security vulnerability mitigation tools that embed this expertise in existing systems for developing, testing, and releasing code. It is important, however, to understand your existing environment, application inventory, and testing methodologies to capture tangible savings in cost and time. For many organizations, application testing relies on tools that use business logic and common coding techniques. These are notoriously error-prone and devoid of security expertise. For this latter reason, some firms turn to penetration testing experts and professional services. This can be a costly, manual approach to mitigation that lengthens software shipping cycles.

Use cases

Modern application security testing that is continuous and integrated with DevOps and SecOps can be transformative for business agility and security risk management. Consider these key use cases and whether your organization has embedded application security testing for each: