This content is part of the conference coverage: Microsoft Ignite 2017

New Microsoft fuzz testing service brings AI, automation to developers

Microsoft Security Risk Detection automatically tests application code for errors and vulnerabilities so developers can fix issues within an app before releasing it to users.

Microsoft's new fuzz testing service aims to help developers build more secure apps in less time.

Microsoft Security Risk Detection automates the time-consuming process of fuzz testing, which involves injecting data into an application's code to identify weak points. The cloud service, announced last week, uses artificial intelligence (AI) to detect errors and security vulnerabilities that developers might not have recognized.

"A lot of manual testing is done when building an app to see if [developers] can break the code to see if it's wrong," said Emmanuel Mathew, co-founder of Rattle Tech, a mobile app development service provider in Altadena, Calif. "But this automatically does that for you."

If developers fuzz test manually, they have to go through their code bit by bit and rely on their own security expertise to know what to look for. Automating this process is a big deal, said Josh Zelonis, senior analyst at Forrester Research in Cambridge, Mass.

"It solves a really big problem or challenge for people who are trying to use fuzzing to deal with larger code bases," he said. "It could help a lot of people."

Many development firms skip fuzz testing because it is so time-consuming, while others, such as Rattle Tech, outsource it to security firms.

"Security is the biggest part of any enterprise app," Mathew said. "No one wants to risk any user data or have any exposure."

How Microsoft's fuzz testing service works

The purpose of fuzz testing is to put an application through strain that it wouldn't normally deal with from a typical user. Developers purposely inject large amounts of data into an area of the code in an attempt to make the application crash. If the application crashes, the developer knows that part of the code has an issue that they should resolve.

Microsoft Security Risk Detection works similarly to OSS-Fuzz, a beta tool Google announced late last year. The service inspects all of the code in an application, and its AI capabilities ask "what if" questions to identify possible weak points, Microsoft said. Once it recognizes these potential weaknesses, it begins fuzz testing by inserting "seed files" -- blank data used to try to crash the application -- into these areas of code. If the application crashes, the tool can decipher what was wrong with the code.
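
The loop described above, as an added example that is not Microsoft's code or part of the original article: a minimal mutation fuzzer that starts from a seed input, mutates it, and groups crashes by where they occur. The target `parse_record`, its record format and its bug are constructed for illustration, and the seed is assumed to be a well-formed sample record.

```python
import random
import traceback

def parse_record(data: bytes) -> bytes:
    """Constructed target: 'R' tag, 1-byte length, payload, 1-byte checksum."""
    if len(data) < 2 or data[0] != ord("R"):
        raise ValueError("not a record")          # clean rejection, not a bug
    length = data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]                   # BUG: length never checked against len(data)
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to a copy of the seed input."""
    buf = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and buf:                       # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                     # overwrite a byte with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    else:                                         # truncate at a random offset
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Run mutated inputs through target; bucket unexpected exceptions by crash site."""
    rng = random.Random(rng_seed)                 # fixed RNG seed keeps runs reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                              # parser rejected the input as designed
        except Exception as exc:                  # anything else counts as a crash
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            bucket = (type(exc).__name__, frame.name, frame.lineno)
            crashes.setdefault(bucket, case)      # keep the first reproducer per bucket
    return crashes

SEED = b"R\x03abc" + bytes([sum(b"abc") % 256])   # constructed, well-formed seed input

if __name__ == "__main__":
    for (kind, func, line), case in fuzz(parse_record, SEED).items():
        print(f"{kind} in {func}:{line} reproducer={case!r}")
```

Bucketing by exception type and crash site collapses hundreds of failing inputs into one finding per defect, with a saved reproducer the developer can replay after the fix.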

Microsoft Security Risk Detection reports any issues it finds to the developer in real time, and it also presents similar problems that other developers came across in their apps and shows how they were fixed.

"It is able to go through your code and identify potential test cases to run against your code," Zelonis said. "Everything you learn about the app helps you optimize it."

Many different types of attacks take advantage of weaknesses in software code, including cross-site scripting attacks and SQL injections. For example, SQL injections take advantage of software that cannot distinguish between legitimate input to an application and bad input from an attacker.

IT pros can use it, too

Microsoft Security Risk Detection mainly targets developers who want to test their Windows and Linux applications before they go live, but IT professionals can use it as well to test third-party apps before deployment, Microsoft said.

Saint Michael's College in Colchester, Vt., doesn't do fuzz testing but does test every application for compatibility and functionality. Microsoft Security Risk Detection could be helpful for the school to do deeper security tests of applications, said Erik Lightbody, assistant director of technical services.

"I definitely see the value in it," Lightbody said. "It saves a lot of time and increases security."

Microsoft Security Risk Detection will be available later this summer as part of Microsoft Services, an offering of software and consulting assistance for organizations focused on digital transformation. Microsoft did not disclose pricing details.
