{"id":91863,"date":"2020-09-15T09:00:22","date_gmt":"2020-09-15T16:00:22","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=91863"},"modified":"2023-05-15T23:05:14","modified_gmt":"2023-05-16T06:05:14","slug":"microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/09\/15\/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs\/","title":{"rendered":"Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale"},"content":{"rendered":"

Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Earlier this year, we announced that we would replace the existing software testing experience known as Microsoft Security and Risk Detection with an automated, open-source tool as the industry moved toward this model. Today, we\u2019re excited to release this new tool called Project OneFuzz, an extensible fuzz testing framework for Azure. Available through GitHub<\/a> as an open-source tool, the testing framework used by Microsoft Edge, Windows, and teams across Microsoft is now available to developers around the world.<\/p>\n

Fuzz testing is a highly effective method for increasing the security and reliability of native code\u2014it is the gold standard for finding and removing costly, exploitable security flaws. Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software-development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from. That complexity required dedicated security engineering teams to build and operate fuzz testing capabilities making it very useful but expensive. Enabling developers to perform fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work.<\/p>\n

Microsoft\u2019s goal of enabling developers to easily and continuously fuzz test their code prior to release is core to our mission of empowerment. The global release of Project OneFuzz is intended to help harden the platforms and tools that power our daily work and personal lives to make an attacker\u2019s job more difficult.<\/p>\n

Recent advancements in the compiler world, open-sourced in LLVM and pioneered by Google, have transformed the security engineering tasks involved in fuzz testing native code. What was once attached\u2014<\/em>at great expense\u2014can now be baked into continuous build systems through:<\/p>\n