Microsoft has announced the release of Project Springfield, a fuzzing tool which helps customers find security bugs in software before the hackers do. According to the Redmond-based company, the service is designed to help developers find security vulnerabilities proactively. As a result, they don't need to undertake the costly effort of releasing a patch reactively. Instead, they can focus on fortifying their software before hackers even get their hands on it. Patrice Godefroid, a principal researcher at Microsoft, feels it's important that customers attempt to close those vulnerabilities before the software's release. As quoted in a blog post published by the tech giant:
"Those are the bugs that hackers will try to use. The more we can find those bugs ourselves, the more we can fix them before we ship the software."
So how does it work? Like any fuzzing service, Project Springfield enables a customer to input massive amounts of data, called "fuzz," into a system in an attempt to make it crash. Doing so allows them to look for coding errors and security vulnerabilities. Microsoft, which "simplified" its update acquisition process earlier this year, says its service takes it one step further by deploying "white box fuzz testing," or the use of artificial intelligence that enables customers to conduct their tests under a set of specific "what if" questions. Such criteria allow for more targeted testing of certain kinds of coding errors. Once customers conduct their tests and find a flaw, they can report the bugs, fix them, and run the tests again to verify they have successfully resolved the issues.
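To make the difference between plain fuzzing and white-box fuzzing concrete, here is an added illustration in Python; it is not Project Springfield or SAGE code, and everything in it (the toy "SPR" record format, the deliberately buggy parser, the two search loops) is constructed for this example. The black-box loop throws random byte mutations at the parser. The white-box loop does what the article's "what if" questions hint at, in a heavily simplified form: it records the comparisons the parser made on the input (the path constraints), negates the last one, solves for a byte value that takes the other branch, and reruns. The example also includes a fixed parser so the report/fix/rerun step can be shown: the same search that crashes the buggy parser exhausts its paths on the fixed one without a crash.

```python
"""Toy fuzzing harness (constructed example): black-box mutation vs. a
simplified white-box, constraint-guided search against a small parser."""
import random

MAGIC = b"SPR"          # constructed record format: "SPR", length n, n payload bytes, 1 trailer byte
SEED = b"\x00" * 8      # uninformed starting input for both fuzzers


def parse_record(data, trace=None):
    """Deliberately buggy parser. Returns checksum ^ trailer, or -1 on a bad header.
    Bug: the length byte is trusted, so data[4 + n] can read past the buffer.
    When `trace` is given, each branch the parser takes is recorded as a path constraint."""
    if len(data) < 5:
        return -1
    for off, want in enumerate(MAGIC):
        taken = data[off] == want
        if trace is not None:
            trace.append(("eq", off, want, taken))      # data[off] == want was `taken`
        if not taken:
            return -1
    n = data[3]
    in_bounds = 4 + n < len(data)
    if trace is not None:                               # the implicit bounds condition of the read below
        trace.append(("lt", 3, 4, len(data), in_bounds))  # data[3] + 4 < len(data) was `in_bounds`
    checksum = sum(data[4:4 + n]) & 0xFF
    trailer = data[4 + n]                               # IndexError when the length byte is too large
    return checksum ^ trailer


def parse_record_fixed(data, trace=None):
    """Hardened variant: validates the length byte before indexing (the "fix" step)."""
    if len(data) < 5:
        return -1
    for off, want in enumerate(MAGIC):
        taken = data[off] == want
        if trace is not None:
            trace.append(("eq", off, want, taken))
        if not taken:
            return -1
    n = data[3]
    in_bounds = 4 + n < len(data)
    if trace is not None:
        trace.append(("lt", 3, 4, len(data), in_bounds))
    if not in_bounds:
        return -1                                       # reject instead of reading out of bounds
    return (sum(data[4:4 + n]) & 0xFF) ^ data[4 + n]


def blackbox_fuzz(target, seed, iterations, rng_seed=1):
    """Uninformed fuzzing: 1-3 random byte mutations of the seed per run, no feedback.
    Returns (crashing_input, run_number) or None if nothing crashed."""
    rng = random.Random(rng_seed)
    for run in range(1, iterations + 1):
        buf = bytearray(seed)
        for _ in range(rng.randint(1, 3)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        try:
            target(bytes(buf))
        except IndexError:
            return bytes(buf), run
    return None


def solve_negated(buf, constraint):
    """Tiny stand-in for a constraint solver: mutate buf so the NEGATION of
    `constraint` holds. Returns False when no byte value can satisfy it."""
    if constraint[0] == "eq":
        _, off, want, taken = constraint
        buf[off] = (want + 1) & 0xFF if taken else want   # any value != want, or exactly want
        return True
    _, off, addend, bound, taken = constraint              # data[off] + addend < bound
    if taken:                                              # want data[off] + addend >= bound
        if bound - addend > 255:
            return False
        buf[off] = bound - addend
    else:                                                  # want data[off] + addend < bound
        buf[off] = 0
    return True


def whitebox_fuzz(target, seed, max_runs=32):
    """Simplified white-box search: run, collect path constraints, negate the deepest
    one, solve, rerun. Stops on a crash, on an already-explored input, or at max_runs.
    Returns (crashing_input, run_number) or None."""
    buf = bytearray(seed)
    seen = set()
    for run in range(1, max_runs + 1):
        key = bytes(buf)
        if key in seen:
            return None                                    # path space exhausted for this strategy
        seen.add(key)
        trace = []
        try:
            target(key, trace)
        except IndexError:
            return key, run
        if not trace or not solve_negated(buf, trace[-1]):
            return None
    return None


if __name__ == "__main__":
    print("black-box :", blackbox_fuzz(parse_record, SEED, 20000))
    print("white-box :", whitebox_fuzz(parse_record, SEED))
    print("after fix :", whitebox_fuzz(parse_record_fixed, SEED))
```

Because the black-box loop restarts from the all-zero seed and changes at most three bytes per run, it can never produce the four-byte condition (three magic bytes plus an oversized length) the crash needs, no matter how many runs it gets; the white-box loop reaches the out-of-bounds read on its fifth run by satisfying one recorded comparison at a time. Real white-box fuzzers such as SAGE work on binaries and use a full SMT solver and a coverage-maximizing search over all negatable branches rather than only the deepest one, but the run/record/negate/solve/rerun cycle is the same idea.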
The maker of Windows is confident Project Springfield will help customers improve their software's security. That's because the service incorporates SAGE, a component which helped Microsoft's engineers identify as many as one-third of the vulnerabilities in the Windows 7 operating system prior to its release in 2009.