Fuzzing tool company launches initiative secure open-source software

ForAllSecure, maker of a next-generation fuzzing solution called Mayhem, announced a $2 million program Wednesday aimed at making open-source software (OSS) more secure. The company is offering developers a free copy of Mayhem and will pay them $1,000 if they integrate the software into a qualified OSS GitHub project.

“We’re on a mission to automatically find and fix the world’s exploitable bugs before attackers can succeed,” David Brumley, CEO and co-founder of ForAllSecure, said in a statement.

“OSS developers need help and don’t have access to the tools they need to quickly and easily find vulnerabilities,” Brumley continued. “Our Mayhem Heroes program democratizes software security testing, will make tens of thousands of OSS projects safer, and ultimately impact the security of systems used by everyone around the world.”

According to ForAllSecure, Mayhem focuses on developer productivity by eliminating false positives found in other security testing solutions, improves testing for reliability, and prevents security regressions.

Finding new open-source vulnerabilities before attackers

Mayhem’s patented algorithms were pioneered at Carnegie Mellon University, and the software is the winner of the DARPA Cyber Grand Challenge, which was launched in 2014 to create automatic defensive systems capable of reasoning about flaws, formulating patches, and deploying them on a network in real time. “We were trying to teach machines to hack,” Brumley explains in an interview.

“If you look at the industry, there’s a lot of static analysis tools out there,” Brumley says. “Static analysis dates back to the 1970s. It was in the first generation of application security tools. It doesn’t work like actual attackers. It doesn’t show you how to exploit a system. It just highlights a line of code that it finds suspicious.”