This is the S4x13 lost episode. Somehow I erred in not processing and posting it, and only realized it while looking for similar sessions on vendor Security Development Lifecycle (SDL) successes and lessons learned. Apologies to Anthony and Akshay for my delay in posting.

Anthony Tang of OSIsoft and Akshay Aggarwal of DejaVu Security

Anthony Tang of OSIsoft was part of the team that used the Peach fuzzer as part of the SDL to find bugs in the PI Server and family of products. Steve Lipner of Microsoft gave a keynote at S4x08 and said that fuzzing and threat modeling were the two elements of their SDL that found the most bugs prior to release. Fortunately many ICS vendors have integrated fuzzing in to their development and QA processes.

Anthony goes into OSIsoft’s fuzzing efforts since 2005. He covers the technology and techniques used, but he also describes the failures or limited successes from fuzzing in the 2005-2011 time period. In 2011 OSIsoft created a fuzzing team and moved to what they call mature fuzzing.

Personal Comment – Early fuzzing efforts can be very educational for the development team to highlight problems. After that, it can be more efficient to implement coding standards and run new and key code through those standards prior to putting it through a “mature fuzzing” program.

We have a great session for S4x14 on putting legacy code through an SDL.