The people I know that talk actively about fuzzing seem to mix two different views where fuzzing is used. The first view is the “Role” of the user, and the second is the “Phase” of the test in the software life-cycle (note: NOT _development_ life-cycle, but the entire life-cycle).
The role of the tester is sometimes divided between Quality Assurance (QA) and Vulnerability Assurance (VA), but maybe an another view would be to look at the role from the test purpose perspective. Three roles can be easily identified:
- “Dev-fuzzer” is testing something that he or his team has built.
- “Test-fuzzer” is testing something that someone else has built.
- “Admin-fuzzer” is testing something that he or his team is planning to use or buy.
The roles given above place some limitations on which tools or techniques are most useful to the person conducting the tests. A developer will have access to the source code, and can also easily instrument the code for better tests. A system administrator (or any enterprise security or QA specialist) on the other hand has almost zero visibility to the internals of the software.
Even simpler categorization is the binary view created by one major event in the software life-cycle: the release, or launch date of the software. Pre-release fuzzing aims at finding as many problems as possible in software before it is released. Post-release fuzzing on the other hand aims at finding (and often disclosing) vulnerabilities in software that is often already widely used.
Third categorization can be based on who actually is doing the tests, whether it is the software development organization (or vendor), a researcher (hacker) or the end-user organization (enterprise).
All these categories can be mixed. I.e. you can have an enterprise user fuzzing a beta-release of a software, at a test-lab environment such as interoperability lab for a financial organization. Or a hacker that also will take part in the development of an open source project to fix the findings in the code for a future release of the same software.
Nobody said it was a simple categorization, but understanding that everyone has a different view into fuzzing can help you understand the problematics that your collegue is explaining to you. And we are here to learn, aren’t we.