The release of Project OneFuzz delivers on promises made earlier this year to transition away from the Microsoft Security Risk Detection (MSRD) service and towards an automated, open-source equivalent.
In a blog post, the Redmond giant confirmed the tool is available immediately to any development team that might want to use it.
Windows 10 bug hunt
According to Microsoft, advancements in the world of compilers have made fuzz testing code for vulnerabilities far cheaper and more accessible than ever before.
The company credits Google’s pioneering work in the space, which has served to streamline engineering tasks such as crash detection, coverage tracking and input harnessing.
“Fuzz testing is a highly effective method for increasing the security and reliability of native code – it is the gold standard for finding and removing costly, exploitable security flaws,” explained Justin Campbell and Mike Walker of Microsoft Security.
“Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute and extract information from.”
According to the pair, making the Project OneFuzz framework widely available will mean bugs are discovered earlier in the development process and will allow security staff to actively hunt down vulnerabilities.
The tool can reportedly be used to launch fuzz tasks, “ranging in size from a few virtual machines to thousands of cores”, with just a single line of code.
Project OneFuzz is available to download immediately via GitHub, published under the highly permissive MIT license, and will continue to receive regular updates from Microsoft.