Fuzzing tool company launches initiative to secure open-source software

ForAllSecure, maker of a next-generation fuzzing solution called Mayhem, announced a $2 million program Wednesday aimed at making open-source software (OSS) more secure. The company is offering developers a free copy of Mayhem and will pay them $1,000 if they integrate the software into a qualified OSS GitHub project.

“We’re on a mission to automatically find and fix the world’s exploitable bugs before attackers can succeed,” David Brumley, CEO and co-founder of ForAllSecure, said in a statement.

“OSS developers need help and don’t have access to the tools they need to quickly and easily find vulnerabilities,” Brumley continued. “Our Mayhem Heroes program democratizes software security testing, will make tens of thousands of OSS projects safer, and ultimately impact the security of systems used by everyone around the world.”

According to ForAllSecure, Mayhem focuses on developer productivity by eliminating false positives found in other security testing solutions, improves testing for reliability, and prevents security regressions.

Finding new open-source vulnerabilities before attackers

Mayhem’s patented algorithms were pioneered at Carnegie Mellon University, and the software is the winner of the DARPA Cyber Grand Challenge, which was launched in 2014 to create automatic defensive systems capable of reasoning about flaws, formulating patches, and deploying them on a network in real time. “We were trying to teach machines to hack,” Brumley explains in an interview.

“If you look at the industry, there’s a lot of static analysis tools out there,” Brumley says. “Static analysis dates back to the 1970s. It was in the first generation of application security tools. It doesn’t work like actual attackers. It doesn’t show you how to exploit a system. It just highlights a line of code that it finds suspicious.”

What’s more, static tools find known vulnerabilities. “That’s not enough because you’re always behind your attackers,” Brumley says. “What Mayhem does is try to find new problems before attackers find them. It does what a human pen-tester does.”

Will humans allow machines to fix open-source exploits?

With the launch of the Heroes program, two versions of Mayhem—Mayhem for Code and Mayhem for API—will be available to developers free for personal use.

Although Mayhem can fix the exploits it discovers, there has been some resistance to letting it do so. “Using humans to find exploits is a problem, but they want to be in the loop for fixes, even if a machine can fix it,” Brumley says. “It’s going to be interesting if the market will accept handing over control of fixes to a machine.”