PCSI OSSLS – A collaborative effort to deploy cost-effective fuzzing in software delivery pipelines


The Partnership for Cybersecurity Innovation (PCSI) is a public-private partnership among ABN AMRO, Achmea, ASML, Belastingdienst, ING, and TNO. PCSI partners work together on innovative cybersecurity solutions that can be used to protect Dutch companies and organizations against tomorrow's cyber-attacks.

PCSI-OSSLS is an innovation project addressing one of the urgent themes PCSI has identified: the increasing dependency on Open Source Software Libraries (OSSLs). Early-stage (shift-left) discovery of exploitable vulnerabilities reduces security risks in systems and applications. PCSI-OSSLS combines security testing with regular functional software testing to improve code quality with increased coverage, and thereby also hardens software applications against cyberattacks that leverage vulnerabilities in OSSLs.

Why our innovative solution?

Nowadays the use of OSSLs is a precondition for market competitiveness. This has created increased dependency on OSSLs and increased risk of cyberattacks.

Threat actors can leverage (or actively introduce) vulnerabilities in the source code of OSSLs that may be left unpatched. Threat actors can then break into systems using flaws in the OSSLs code and conduct espionage, exfiltrate data, steal passwords, escalate privileges, or infiltrate networks.

Cyberattacks can hinder business and operations considerably, by heavily impacting an organisation financially (costs), legally, and reputationally. As a way of mitigating the risks introduced by the adoption of OSSLs, organizations can improve code quality and code security by deploying effective software testing techniques.

PCSI-OSSLS delivers an innovative solution aimed at DevOps teams that regularly use OSSLs in their applications.


How are we developing our solution?

In PCSI-OSSLS we integrated automated software security testing techniques into existing development pipelines to help improve code quality and security and to increase the robustness and reliability of software applications and systems. PCSI-OSSLS uses advanced techniques such as fuzzing, which help discover unknown vulnerabilities in software, thereby increasing the reliability of OSSLs.

Along with popular software testing techniques such as SAST (static application security testing), SCA (software composition analysis) and IAST (interactive application security testing), we use fuzzing for security testing of open-source libraries as used by companies within their applications. Fuzzing provides a good overall picture of the quality of the target system and software: by fuzzing, you can gauge the robustness and security risk posture of the system and software under test. One of the barriers to larger-scale adoption of fuzzing is the costly manual work of writing the test-specific code, called “harnesses”, that feeds fuzzer-generated input into the library under test. In PCSI-OSSLS, we leverage generative AI to automatically generate these harnesses, considerably reducing manual effort and hence making the deployment of fuzzing in pipelines both more accessible and cost-effective.

In a current experiment we use the concept of artificial intelligence agents. Each agent encapsulates and replaces one specific human activity; it is a highly specialized component that combines generative AI with traditional programming techniques.

Method:

  1. A code analysis agent analyses the input data structures and prepares specifications.
  2. A fuzz testing agent uses the results of the previous step as input to generate a fuzzing harness.
  3. Another agent (not depicted in the picture) is responsible for compilation: it receives compiler feedback and fixes potential compilation errors. This agent also measures code coverage and quality.

The final result is a chain of co-operating artificial intelligence agents that encapsulate and replace human activities: generative AI automates the manual tasks, while traditional programming manages each agent's internal logic and external communication.
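To make concrete what the “harness” discussed above is (and what the fuzz testing agent in step 2 is expected to produce), here is an added example of a minimal libFuzzer-style harness in C. It is not code from the PCSI-OSSLS project: the `parse_record` function is a constructed stand-in for an OSSL API, and the seed corpus is constructed as well. The harness entry point `LLVMFuzzerTestOneInput` is the real libFuzzer interface; everything else is illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an OSSL API under test (not a real library).
 * Record format: [len:1][payload:len][checksum:1], checksum = XOR of payload.
 * Returns the payload length on success, -1 on any malformed input. */
int parse_record(const uint8_t *buf, size_t buf_len, uint8_t *out, size_t out_cap)
{
    if (buf == NULL || buf_len < 2)
        return -1;
    size_t len = buf[0];
    if (buf_len < len + 2)          /* header + payload + checksum must fit */
        return -1;
    if (len > out_cap)              /* never write past the caller's buffer */
        return -1;
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        out[i] = buf[1 + i];
        acc ^= buf[1 + i];
    }
    if (acc != buf[1 + len])        /* checksum mismatch */
        return -1;
    return (int)len;
}

/* The fuzzing harness. libFuzzer (and compatible engines) call this with
 * engine-generated bytes. It must accept any input, pass it into the API
 * unchanged, and keep the call observable so sanitizers can report memory
 * errors inside parse_record. This is the piece the agent chain described
 * above is meant to write automatically. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint8_t out[256];
    volatile int rc = parse_record(data, size, out, sizeof out);
    (void)rc;
    return 0;   /* non-zero return values are reserved by libFuzzer */
}

/* Constructed seed corpus: one valid record, one truncated record and one
 * with a wrong checksum. Seeds give the engine a starting point for mutation. */
#define SEED_COUNT 3
static const uint8_t seed_ok[]     = {3, 'a', 'b', 'c', 'a' ^ 'b' ^ 'c'};
static const uint8_t seed_trunc[]  = {5, 'a', 'b'};
static const uint8_t seed_badsum[] = {1, 'x', 0x00};
static const uint8_t *seeds[SEED_COUNT] = {seed_ok, seed_trunc, seed_badsum};
static const size_t seed_lens[SEED_COUNT] = {
    sizeof seed_ok, sizeof seed_trunc, sizeof seed_badsum
};

/* Parse result for seed number idx: 3 for the valid record, -1 otherwise. */
int seed_result(int idx)
{
    uint8_t out[256];
    if (idx < 0 || idx >= SEED_COUNT)
        return -1;
    return parse_record(seeds[idx], seed_lens[idx], out, sizeof out);
}

/* Smoke-test the harness without the fuzzing engine: push every seed through
 * the entry point and return how many seeds parse successfully. */
int run_seed_corpus(void)
{
    int parsed = 0;
    for (int i = 0; i < SEED_COUNT; i++) {
        LLVMFuzzerTestOneInput(seeds[i], seed_lens[i]);
        if (seed_result(i) >= 0)
            parsed++;
    }
    return parsed;
}

int main(void)
{
    printf("seeds parsed successfully: %d of %d\n", run_seed_corpus(), SEED_COUNT);
    return 0;
}
```

Built as a plain program the file only runs the seed corpus; built with `clang -g -fsanitize=fuzzer,address harness.c -o harness` the engine supplies `main` and mutates inputs from the seeds, and AddressSanitizer turns an out-of-bounds read or write in the library into a reproducible crash. The two properties that make a harness costly to write by hand, and that an automated agent has to get right, are visible here: the entry point must never filter input itself (otherwise bugs are hidden), and the target call must be reached with realistic arguments for every possible byte sequence.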

Envisioned roadmap and future works

Experiments conducted so far involved small and simple libraries. Our main goal here was to keep the process fully automated, which makes it easy to incorporate into software delivery pipelines.

In the next phase, we plan to use bigger libraries and to fuzz entire business applications. The final step will be to automatically remove all unused functionalities from open-source libraries to reduce and limit the potential attack surface.

All data produced by the agents (as described above) will significantly help in securing applications, thereby improving the security posture of any organization where (continuous) software delivery is relevant to (core) business continuity.

While developing our solution, we have gained a good understanding of an array of software testing techniques, including fuzzing. These valuable lessons further help us to develop implementation guidelines, which organisations can use within their existing development pipelines. It is important to involve the right people and functions within each organisation at each stage, such as developers, testers, security experts, product owners, and risk and change management experts. This will ensure a successful and thorough adoption of our solution.

We are looking into implementing our solution at different PCSI partners and beyond. This will give us further insights on how to overcome challenges when applying different software testing techniques within organisations for increasing security, resilience and robustness. From these lessons learnt, we will continue to update our implementation guidelines.

Finally, we intend to continue researching areas such as the use of generative AI for clustering the results obtained from fuzz testing. This will further help lower the barriers to including fuzzing in testing pipelines.

Contributors 
Swarna Kumarswamy-Das (TNO)
Krzysztof Parzyjagla (ING Group)
Jelena Georgijevic Krasojevic (ASML)
Ruggero Montalto (TNO)

Repost from One Magazine: One Magazine | PCSI OSSLS – A collaborative effort to deploy cost-effective fuzzing in software delivery pipelines (one-conference.nl)
