ForAllSecure, maker of a next-generation fuzzing solution called Mayhem, announced a $2 million program on Wednesday to make open source software (OSS) more secure. The company is giving developers a free copy of Mayhem and will pay them $1,000 if they integrate the software into a qualifying OSS GitHub project.
“We are on a mission to automatically find and fix exploitable bugs in the world before attackers succeed,” David Brumley, CEO and co-founder of ForAllSecure, said in a statement.
“OSS developers need help and don’t have access to the tools they need to find vulnerabilities quickly and easily,” Brumley continued. “Our heroes of chaos democratizes software security testing, makes tens of thousands of OSS projects more secure, and ultimately impacts the security of systems used by everyone in the world.”
According to ForAllSecure, Mayhem focuses on developer productivity by eliminating false positives found in other security testing solutions, improves reliability testing, and prevents security regressions.
Find new open source vulnerabilities before attackers
Mayhem’s patented algorithms were pioneered at Carnegie Mellon University, and the software is the winner of the DARPA Cyber Grand Challenge, which was launched in 2014 to create automatic defensive systems capable of reasoning about vulnerabilities, formulating patches and deploy them to a network in real time. weather. “We were trying to teach the machines to hack,” Brumley explains in an interview.
“If you look at the industry, there are lots of static analysis tools out there,” Brumley says. “Static analysis dates back to the 1970s. It was part of the first generation of application security tools. It doesn’t work like real attackers. It doesn’t show you how to exploit a system. It just highlights a line of code that it finds suspicious.”
Additionally, static tools find known vulnerabilities. “It’s not enough because you’re always behind your attackers,” Brumley said. “What Mayhem does is try to find new problems before attackers find them. It does what a human pen tester does.”
Will humans allow machines to fix open source exploits?
With the launch of the Heroes program, two versions of Mayhem – Mayhem for Code and Mayhem for API – will be available free to developers for personal use.
While Mayhem can fix exploits it discovers, there has been some resistance to letting it. “Using humans to find exploits is a problem, but they want to know about fixes, even if a machine can fix it,” Brumley says. “It will be interesting if the market agrees to hand over patch control to a machine.”
Copyright © 2022 IDG Communications, Inc.