Google debuts ClusterFuzzLite security tool for CI, CD workflows

Google has launched ClusterFuzzLite, a continuous fuzzing solution for improving software supply chain security. 

On Thursday, Google software engineers Jonathan Metzman and Oliver Chang, together with product lead for Google’s CI/CD products, Michael Winser, said in a blog post that the new tool can run “as part of CI/CD workflows to find vulnerabilities faster than ever before.”

Fuzzing is an automated testing technique for finding bugs and unexpected behavior by inputting invalid and random data into programs. This can flag up vulnerabilities or errors that may otherwise go unnoticed through manual analysis. 

The new tool, ClusterFuzzLite, is based on ClusterFuzz, an open source scalable fuzzing infrastructure previously released by Google and used as the fuzzing backbone for the OSS-Fuzz program. 

According to Google, ClusterFuzzLite can be integrated into existing workflows to fuzz pull requests, improving the chance that vulnerabilities are found earlier in the development process and before changes are committed. 

While ClusterFuzz and ClusterFuzzLite contain some of the same features — including continuous fuzzing, coverage report creation, and sanitizer support — the team says that the main difference is ClusterFuzz is easy to set up with closed source projects, and so developers can make use of it to quickly
