Ari Takanen, founder and CTO of Codenomicon, has since 1998 been focusing his work on information security issues in next-generation networks and security critical environments. His work at Codenomicon and the OUSPG (Oulu University Secure Programming Group) aims at ensuring that new technologies gain wide public acceptance, by providing means of measuring and solidifying the quality of networked software. Ari Takanen is one of the people behind the PROTOS research project, which studied information security and reliability errors in e.g. WAP, SNMP, LDAP, VoIP implementations. His company, Codenomicon Ltd. develops automated tools with a systematic approach for testing a multitude of interfaces on mission critical software, including but not limited to VoIP platforms, Internet routing infrastructure and 3G devices. Ari is the author of several papers on security, and is a frequent speaker at security and testing conferences, as well as leading universities and international corporations. He has co-authored a book on Voice over IP security (published by Addison-Wesley, 2007), and a book on fuzzing (Artech House, 2008).

 

 

New test automation techniques are needed when testing for the reliability and security of communication software. Fuzzing is a negative software testing method that feeds a program, device or system with malformed and unexpected input data in order to find critical crash-level defects. The tests are targeted at remote interfaces, and will focus on finding issues with invalid data elements, broken syntax of messages, but also unexpected message sequences. With this, fuzzing is able to cover the most exposed and critical attack surfaces in a system relatively well, and identify many common errors and potential vulnerabilities quickly and cost-effectively. The most recent advancements in model-based fuzzers have been in the area of XML fuzzing. XML is a structure that is today used everywhere from web applications to mission critical systems in SCADA and telecommunications. This presentation will explain what is new with XML fuzzing, and what types of inputs need to be tried when conducting a security analysis of any system depending on XML structures.