Sagar Sonwane

Josh Software Pvt. Ltd. India

Sagar is a Software Engineer @ Josh Software in India. He started his career as a backend developer building microservices in Go. He has prior experience delivering talks, some at the organisational level and one at the Go Singapore meetup. He spends his spare time writing technical blogs about Go and contributing to open-source projects. He is a Golang enthusiast who is always keen on learning new things. When not coding or writing, he can be found in the kitchen cooking or watching anime.

Uncovering Bugs With Fuzzing In Go

In the process of building software, we usually write test cases to determine if the different features within a system are working as expected. We write multiple test scenarios trying to cover most edge cases but might forget a few. To err is human, but this could lead to security vulnerabilities, a programmer’s nightmare.

Security vulnerabilities are one of the root causes of cyber-security threats.

To discover vulnerabilities in a system and fix them in advance, researchers have proposed several techniques, of which fuzzing is the most widely used. Fuzzing has become a mainstream practice in assessing and improving software security.

Fuzzing is the process of repeatedly injecting invalid, malformed and unexpected inputs into a system to reveal defects and security vulnerabilities in the code. Fuzzing can reach edge cases which humans often miss.

With the long-awaited 1.18 release, Go has finally added fuzzing, or fuzz testing, as a part of its standard toolchain. Fuzzing is a part of the regular testing library, since it is itself a kind of test. What is great about writing fuzz tests is that it need not be limited to developers with security expertise.

There is great value in fuzz testing all programs, including those which may be less security-relevant but still work with arbitrary user inputs.