The number of systems and applications data center security managers have to keep attackers out of nowadays is staggering. One way to make sure all the safeguards are working and all potential attack vectors are closed off is penetration testing.
Traditionally, this has meant “white hat” hackers sitting around trying to get in or running automated scripts to launch a variety of attacks. But neither people nor scripts can try everything that’s possible.
Imagine, for example, that an application crashes after a user types more than 1,000 characters into a text field, ending with a particular set of characters. That’s more potential combinations than atoms in the known universe.
“If our average input is 10 bytes long, then you’d have to try 256^10, which is an enormously large number,” said Daniel Crowley, IBM’s Security X-Force Red research director. “If each attempt takes half a second, it takes months or years just to fuzz a ten-character string.”