Google open-sources ClusterFuzzLite to secure the software supply chain


Google has announced a new open source “fuzzing” project called ClusterFuzzLite, serving as a lighter-weight version of the internet giant’s existing ClusterFuzz tool, which it open-sourced nearly three years ago.

Fuzz testing, or “fuzzing” as it’s often called, is an automated software testing technique that involves throwing invalid or random data (“fuzz”) at a computer program before it’s deployed to see how it reacts. This can help developers find bugs and flaws that could otherwise be exploited by bad actors.

The rise in software supply chain attacks has shone a light on the role that open source software plays in business-critical applications, and on the inherent vulnerabilities such software contains. Countless organizations, from government agencies to hospitals and corporations, have been hit by targeted software supply chain attacks over the past year, leading U.S. President Biden to issue an executive order outlining measures to combat these threats. In response, the National Institute of Standards and Technology (NIST) issued guidelines for software verification, with fuzzing included as part of its recommended “minimum standards” for software testing.

Caught by the fuzz

Back in 2016, Google launched OSS-Fuzz, which combines various fuzzing engines to serve popular open source software projects with continuous fuzzing as part of their quality assurance (QA) processes. Shortly after, Google started offering OSS-Fuzz’s ClusterFuzz backend as a free service, and then went on to open-source ClusterFuzz itself in 2019.

[Image: ClusterFuzzLite]

Fast-forward to today, and Google said that more than 500 “critical” open source projects have integrated with the OSS-Fuzz program, which in turn has identified some 6,500 vulnerabilities and fixed 21,000 functional bugs.


While ClusterFuzzLite offers many of the same features as ClusterFuzz, such as continuous fuzzing, it is essentially a stripped-down alternative that is easier to set up as part of developers’ continuous integration (CI) workflows, requiring just a few lines of code. The aim is to fuzz GitHub pull requests so that bugs are caught before they are committed to the main codebase, which improves the security posture of every company that relies on that software component.

“With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed, enhancing the overall security of the software supply chain,” a Google blog post stated.

At launch, ClusterFuzzLite officially supports a handful of CI systems including GitHub Actions and Google Cloud Build, though it also supports Prow as part of an early-stage beta. Google said that given ClusterFuzzLite was built with extensibility in mind, it’s easy to add support for other CI systems further down the line.
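To make the mechanism described above concrete, here is an added example that is not ClusterFuzzLite's, OSS-Fuzz's or Google's own code: a small tag-length-value (TLV) record parser together with a libFuzzer-style fuzz target for it. `LLVMFuzzerTestOneInput` is the real entry point that libFuzzer-based engines such as those used by OSS-Fuzz and ClusterFuzzLite call with each generated input; everything else (the parser, the record format, the seed inputs, the `STANDALONE_DRIVER` macro and the `replay_seeds` helper) is constructed for this illustration. The parser's length check is the kind of guard a CI fuzz job finds missing: without it, the value pointer runs past the end of the input and the byte-touching loop in the target trips AddressSanitizer, which is what turns a silent bug into a crash report on the pull request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not ClusterFuzzLite's or Google's code: a tiny tag-length-value
 * (TLV) record parser plus a libFuzzer-style fuzz target for it. The TLV format,
 * the seeds and the helper names below are constructed for illustration. */

#define MAX_RECORDS 16

typedef struct {
    uint8_t tag;
    size_t len;
    const uint8_t *val;   /* points into the caller's buffer, not copied */
} tlv_t;

/* Parse records laid out as [tag:1][len:1][value:len] back to back.
 * Returns the number of records found (even if more than max_out, in which
 * case only the first max_out are stored), or -1 if the input is malformed.
 * The check of len against the remaining bytes is exactly the guard a
 * fuzzer finds missing: without it the value pointer would overrun the
 * input and AddressSanitizer would flag the read. */
int parse_tlv(const uint8_t *buf, size_t size, tlv_t *out, size_t max_out)
{
    size_t pos = 0;
    size_t count = 0;

    while (pos < size) {
        if (size - pos < 2)          /* not even a full header left */
            return -1;
        uint8_t tag = buf[pos];
        size_t len = buf[pos + 1];
        pos += 2;
        if (len > size - pos)        /* declared length overruns the input */
            return -1;
        if (count < max_out) {
            out[count].tag = tag;
            out[count].len = len;
            out[count].val = buf + pos;
        }
        count++;
        pos += len;
    }
    return (int)count;
}

/* libFuzzer entry point: the engine calls this with each mutated input.
 * Reading every byte of every parsed value makes any out-of-bounds pointer
 * from the parser visible to the sanitizers. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    tlv_t recs[MAX_RECORDS];
    int n = parse_tlv(data, size, recs, MAX_RECORDS);
    if (n < 0)
        return 0;                    /* rejected input: nothing to inspect */
    if (n > MAX_RECORDS)
        n = MAX_RECORDS;             /* extra records were counted, not stored */

    volatile uint8_t sink = 0;
    for (int i = 0; i < n; i++)
        for (size_t j = 0; j < recs[i].len; j++)
            sink ^= recs[i].val[j];
    return 0;
}

/* Constructed seed corpus: the starting inputs a CI fuzz job would mutate. */
static const uint8_t seed_ok[]    = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00 };
static const uint8_t seed_trunc[] = { 0x01, 0x05, 'a', 'b' };   /* claims 5 bytes, has 2 */
static const uint8_t seed_short[] = { 0x01 };                    /* header cut in half */

/* Replay the seeds through the target; returns how many were rejected. */
int replay_seeds(void)
{
    const uint8_t *seeds[] = { seed_ok, seed_trunc, seed_short };
    const size_t sizes[] = { sizeof seed_ok, sizeof seed_trunc, sizeof seed_short };
    tlv_t recs[MAX_RECORDS];
    int rejected = 0;

    for (size_t i = 0; i < 3; i++) {
        int n = parse_tlv(seeds[i], sizes[i], recs, MAX_RECORDS);
        LLVMFuzzerTestOneInput(seeds[i], sizes[i]);
        if (n < 0)
            rejected++;
    }
    return rejected;
}

/* Stand-alone driver for reading the example. STANDALONE_DRIVER is a name
 * chosen here; leave it undefined when linking with -fsanitize=fuzzer, which
 * supplies its own main. */
#ifdef STANDALONE_DRIVER
int main(void)
{
    printf("%d of 3 seed inputs rejected as malformed\n", replay_seeds());
    return 0;
}
#endif
```

Built with `clang -g -O1 -fsanitize=fuzzer,address tlv_target.c -o tlv_target` and run with a corpus directory, the engine mutates the seeds and stops on the first sanitizer report; built with `-DSTANDALONE_DRIVER` instead, the file is an ordinary program that replays the three seeds. In a ClusterFuzzLite setup the build command lives in the project's own build script rather than being typed by hand, and the pull-request job runs the target for a bounded time and reports any crash on the PR; the exact workflow wiring is documented by the project and is not shown here.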
