Google has had good success with OSS-Fuzz, its beta program that automatically searches for flaws in open source software.
Naked Security reports:
Is “fuzzing” software to find security vulnerabilities using huge robot clusters an idea whose time has come?
The latest numbers to emerge from Google’s OSS-Fuzz, a beta launched last December to automatically search for flaws in open source software, look encouraging.
The system found 264 potential security vulnerabilities in 47 open-source projects assessed by it, including 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, eight in SQLite 3, 10 in GnuTLS, 25 in PCRE2, nine in gRPC, and seven in Wireshark.
The list sounds dull but worthy until you realise that the FreeType2 library alone sits unobtrusively on around a billion devices, including Android, Apple’s iOS and macOS, and Sony’s PlayStation. Finding vulnerabilities in something that common is surely good news.