A useful article on approaches to testing, including advice like “Don’t fuzz production targets”. The question it raises for me is: do you have a testing program for the software you use?
[…] Here are the standard guidelines for fuzzing:
- Don’t fuzz production targets. Fuzzing can cause mild discomfort in targets, such as increased resource usage. It can also cause complete failure. You should not point your fuzzer at any target used by real people for real work.
- Put your fuzzer close to your target. Try to eliminate, or at least minimize, the number of systems through which fuzz test cases must pass in order to reach your target. An intermediate system might modify the test cases, drop them, or fail itself.
Our recommendation is to perform all fuzz testing in a controlled, isolated laboratory environment. Ideally, your fuzzer should be directly connected to the target, with no intervening systems—not even a switch.
The lab environment should be isolated from the rest of your network and the internet in case the tests are unexpectedly broadcast, amplified, or relayed.
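The three guidelines quoted above (no production targets, fuzzer directly adjacent to the target, isolated lab) are easy to state and easy to violate by a typo in a config file. One way to make a fuzzing harness enforce them is a pre-flight check that refuses to send the first test case unless the target passes a written policy. The following is an added example, not code from the quoted article or from any fuzzing tool: the lab CIDRs, the production name list and the `hop_count` argument (assumed to come from an out-of-band traceroute measurement) are all assumptions made for illustration.

```python
"""Pre-flight target check for a network fuzzing campaign (added example).

Encodes "don't fuzz production targets", "put your fuzzer close to your
target" and "isolate the lab" as checks a harness runs before fuzzing.
Lab networks, production names and the hop-count source are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class FuzzPolicy:
    # Networks the isolated lab occupies (assumed sample values).
    lab_networks: tuple = ("10.99.0.0/24",)
    # "No intervening systems": maximum L3 hops allowed to the target.
    max_hops: int = 1
    # Names that must never be fuzzed (constructed sample values).
    production_names: frozenset = frozenset({"api.example.internal", "db01"})


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def preflight(target_ip: str, hop_count: int, policy: FuzzPolicy,
              target_name: str = "") -> Verdict:
    """Return a Verdict; every violated guideline adds a reason string.

    hop_count is assumed to be measured out of band (e.g. a traceroute
    run by the operator) and passed in, so this check runs offline.
    """
    reasons = []
    try:
        ip = ipaddress.ip_address(target_ip)
    except ValueError:
        return Verdict(False, [f"{target_ip!r} is not a valid IP address"])

    lab_nets = [ipaddress.ip_network(n) for n in policy.lab_networks]

    # Guideline 1: don't fuzz production targets.
    if target_name and target_name in policy.production_names:
        reasons.append(f"{target_name} is on the production list")
    if not any(ip in net for net in lab_nets):
        reasons.append(f"{ip} is outside the lab networks {policy.lab_networks}")
    if ip.is_global:
        reasons.append(f"{ip} is a globally routable address")

    # Guideline 3: isolation. Refuse destinations that fan out or amplify,
    # which is exactly how test cases get "broadcast, amplified, or relayed".
    if ip.is_multicast:
        reasons.append(f"{ip} is a multicast address (test cases would be amplified)")
    for net in lab_nets:
        if ip == net.broadcast_address:
            reasons.append(f"{ip} is the broadcast address of {net}")

    # Guideline 2: put your fuzzer close to the target.
    if hop_count > policy.max_hops:
        reasons.append(f"{hop_count} hops to target exceeds max_hops={policy.max_hops}")

    return Verdict(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed demo targets, not real hosts.
    policy = FuzzPolicy()
    for ip, hops, name in [("10.99.0.20", 1, "dut-1"),
                           ("10.99.0.20", 4, "dut-1"),
                           ("10.99.0.255", 1, ""),
                           ("10.99.0.20", 1, "db01")]:
        v = preflight(ip, hops, policy, name)
        print(ip, name or "-", "ALLOW" if v.allowed else "REFUSE", v.reasons)
```

The check is deliberately fail-closed: any single violated guideline refuses the run, and the reasons list is what the operator sees, so an accidental production address or an extra hop through a switch is caught before the first malformed packet leaves the fuzzer.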