Rollout: Mu Makes Security Warm And Fuzzy


The Mu-4000 Analyzer helps IT sniff out software vulnerabilities--before the bad guys do.



Deploying flawed software is expensive, and as more formerly internally facing applications gain shiny new Web front ends, the need for secure coding is increasing. So how can IT safely poke and prod apps to see if they'll break, or worse, open doors for attackers?


We put the Mu-4000 Security Analyzer to work, fuzzing a network-attached storage system

The most thorough, and most expensive, way to attack an application is still the mind of a human penetration tester or application-security specialist. On the development side, source-code analysis tools add value. But if you get the application only after it has been compiled or deployed, black-box testers, such as dynamic vulnerability scanners and fuzzers, are your best bet.

Fuzzers explore the boundaries of file formats, protocols, and interfaces. With dual uses in quality assurance and security, fuzzers can make applications more robust. By starting from an intelligent template of what a valid protocol exchange looks like and then mutating every mutable field--and sometimes fields the specification says are fixed--fuzzers are especially good at crashing applications and devices, and they sometimes turn up exploitable conditions. A crash is only a symptom, though; each one still has to be triaged to decide whether it is a denial of service, memory corruption, or harmless noise. For more on fuzzing, see a primer at "Requirements for Effective Fuzzing".
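To make the template-and-mutate idea concrete, here is a small generation-based protocol fuzzer written for this article; it is an added example, not code from Mu Security or from the Mu-4000. The message format (a hypothetical "RC" record: magic, type, big-endian length, payload), both parsers, and the mutation list are all constructed for illustration. The fuzzer mutates each field of the template in turn, including the supposedly fixed magic, feeds every case to a parser, and records any uncaught exception as a crash. The fragile parser trusts the declared length field; the hardened one checks it against what actually arrived.

```python
"""Toy template-driven protocol fuzzer (constructed example, hypothetical format)."""
import random
import struct
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

# Hypothetical wire format: magic(2) | type(1) | length(2, big-endian) | payload
MAGIC = b"RC"


@dataclass
class Field:
    name: str
    value: bytes
    mutable: bool = True  # the spec says magic is fixed; we may still mutate it


def template() -> List[Field]:
    """A valid baseline message the fuzzer will mutate."""
    payload = b"hello"
    return [
        Field("magic", MAGIC, mutable=False),
        Field("type", b"\x01"),
        Field("length", struct.pack(">H", len(payload))),
        Field("payload", payload),
    ]


def assemble(fields: List[Field]) -> bytes:
    return b"".join(f.value for f in fields)


def mutations(f: Field) -> Iterator[bytes]:
    """Boundary values and garbage for one field; length gets extra edge cases."""
    n = len(f.value)
    yield b"\x00" * n
    yield b"\xff" * n
    yield b""                      # field dropped entirely (truncated message)
    yield f.value * 4              # over-long field
    if f.name == "length":
        for v in (0, 1, 0x7FFF, 0x8000, 0xFFFF):
            yield struct.pack(">H", v)
    for _ in range(4):
        yield bytes(random.getrandbits(8) for _ in range(n))


def generate_cases(fuzz_immutable: bool = True) -> Iterator[Tuple[str, bytes]]:
    """Yield (mutated field name, message) for every single-field mutation."""
    base = template()
    for i, f in enumerate(base):
        if not f.mutable and not fuzz_immutable:
            continue
        for m in mutations(f):
            fields = [Field(g.name, g.value, g.mutable) for g in base]
            fields[i].value = m
            yield f.name, assemble(fields)


def fragile_parse(msg: bytes) -> dict:
    """Trusts the declared length: short or oversized inputs raise instead of failing cleanly."""
    magic, mtype = msg[:2], msg[2]
    length = struct.unpack(">H", msg[3:5])[0]
    payload = msg[5:5 + length]
    last = payload[length - 1]      # IndexError when declared length exceeds real payload
    return {"magic": magic, "type": mtype, "payload": payload, "last": last}


def hardened_parse(msg: bytes) -> Optional[dict]:
    """Validates every assumption before using it; returns None on rejection."""
    if len(msg) < 5 or msg[:2] != MAGIC:
        return None
    mtype = msg[2]
    length = struct.unpack(">H", msg[3:5])[0]
    body = msg[5:]
    if length == 0 or length != len(body):   # declared length must match bytes received
        return None
    return {"magic": MAGIC, "type": mtype, "payload": body, "last": body[-1]}


def fuzz(parser: Callable[[bytes], object], seed: int = 1,
         fuzz_immutable: bool = True) -> List[Tuple[str, bytes, str]]:
    """Run all generated cases through parser; return (field, input, exception) per crash."""
    random.seed(seed)               # deterministic runs so crashes can be reproduced
    crashes = []
    for fname, case in generate_cases(fuzz_immutable):
        try:
            parser(case)
        except Exception as e:      # any uncaught exception counts as a crash
            crashes.append((fname, case, type(e).__name__))
    return crashes


if __name__ == "__main__":
    for name, p in (("fragile", fragile_parse), ("hardened", hardened_parse)):
        found = fuzz(p)
        print(f"{name}: {len(found)} crashes")
        for fname, case, exc in found[:3]:
            print(f"  field={fname} exc={exc} input={case!r}")
```

Run it and the fragile parser produces a list of crashing inputs, mostly from the length mutations, while the hardened parser produces none. The same loop shape scales up: a real fuzzer swaps in a richer template and mutation set, drives a process or device instead of a function, and detects crashes by watching the target (a hung port, a reboot, a debugger break) rather than by catching an exception.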

We brought one fuzzing appliance, Mu Security's Mu-4000 Security Analyzer, into our University of Florida Real-World Labs. This baby isn't cheap, starting at $40,000 and ranging up to $300,000 if you want the full set of protocols. The 55 protocols offered at press time range from ARP to L2TP to VRRP. The Mu-4000 competes with open source and commercial software fuzzers, most with significantly fewer digits in their price tags. The Mu-4000 will be most useful for large embedded-device vendors that want to have multiple fuzzers banging away at their products. Among software vendors, it's best suited to those doing lots of protocol parsing.

Many software vendors serious about security build their own in-house fuzzers. This is especially true in shops that have developed custom protocols. While the Mu-4000 can be integrated into such an environment using an external attack generator, any organization sophisticated enough to develop its own protocol fuzzer is probably comfortable using one of the free open source fuzzing frameworks to handle management and automation.

The value the Mu-4000 brings to the table includes its ability to manage automated testing, reboot devices, and log performance responses, but it would be hard to justify the cost with these alone. The primary draw for most would be its extensive protocol suites that allow the device to be up and running within minutes, throwing packets of every sort at apps to see how they handle them. The Mu's cost varies based on included protocols, so whether the product can pull its weight for the price is heavily dependent on environment.


(Continued on page 2: Survive The Crash Test)

