
Obfuscation tools and application security

Obfuscator tools are quite different from other application security tools. Expert Brad Arkin lays out the basics of code obfuscation.

I read your advice about fuzzing. What makes it different from obfuscators and other tools? Are obfuscators more effective than scanners?

A fuzzing tool, or fuzzer, is a software testing tool that feeds malformed or random input to a program to probe for security vulnerabilities such as crashes and memory-corruption bugs. An obfuscation tool rewrites a program to make its source code harder to understand, or its compiled binary harder to disassemble and decompile, without changing what the program does. Fuzzers and code obfuscators address very different elements of security: a fuzzer finds bugs in what the program does, while an obfuscator only raises the cost of reading how it does it. One tool should not be used in place of the other.

Code obfuscation can be helpful in situations where an application is likely to be reverse engineered, though it raises an attacker's effort rather than preventing analysis outright. For example, attackers frequently use obfuscation techniques to make computer viruses and backdoor Trojan programs more difficult for security companies to understand and build defenses against. Obfuscation is also used to make Java applets and other code that is downloaded to a potentially untrustworthy client more difficult to manipulate. Because obfuscation preserves the program's behavior, it does not remove vulnerabilities: a bug in the original code is still present, and still reachable, in the obfuscated build.
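To make the distinction concrete, the following is an added example, not code from this column or from any product it mentions. It defines a toy record parser with a deliberate bug (constructed for this example), a toy obfuscator written on Python's ast module that renames identifiers and hides string literals, and a toy random fuzzer; the names TARGET_SOURCE, Obfuscator, obfuscate, load_parser, fuzz and compare are all this example's own.

```python
"""Toy source-level obfuscator beside a toy fuzzer (added example, not code
from the column or any vendor's tool).  The target, the obfuscation scheme and
the fuzzer are all constructed here to show one point: obfuscation rewrites the
program text but preserves its behaviour, while fuzzing tests the behaviour and
ignores the text, so a bug survives obfuscation and the fuzzer still finds it.
Requires Python 3.9+ (ast.unparse)."""
import ast
import base64
import random

# Constructed target: a tiny type/length/value record parser with a
# deliberate length-check bug, standing in for the application under test.
TARGET_SOURCE = '''
def parse_record(data):
    """Parse one type/length/value record from bytes."""
    if len(data) < 2:
        raise ValueError("short header")
    rtype = data[0]
    length = data[1]
    value = data[2:2 + length]
    # BUG: declared length is never checked against the bytes actually present.
    checksum = 0
    for i in range(length):
        checksum ^= value[i]
    return rtype, length, checksum
'''


class Obfuscator(ast.NodeTransformer):
    """Rename every identifier the module defines to an opaque name and hide
    string literals behind base64; comments vanish because the AST never held
    them.  Behaviour is unchanged."""

    def __init__(self, tree):
        self.names = {}
        for node in ast.walk(tree):
            if isinstance(node, ast.FunctionDef):
                self._alias(node.name)
            elif isinstance(node, ast.arg):
                self._alias(node.arg)
            elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
                self._alias(node.id)

    def _alias(self, name):
        if name not in self.names:  # deterministic names built from 'l' and 'I'
            bits = bin(len(self.names))[2:].translate(str.maketrans("01", "lI"))
            self.names[name] = "l" + bits

    def visit_FunctionDef(self, node):
        node.name = self.names[node.name]
        self.generic_visit(node)
        return node

    def visit_arg(self, node):
        node.arg = self.names[node.arg]
        return node

    def visit_Name(self, node):
        node.id = self.names.get(node.id, node.id)  # builtins keep their names
        return node

    def visit_Constant(self, node):
        if not isinstance(node.value, str):
            return node
        enc = base64.b64encode(node.value.encode()).decode()
        return ast.parse(f"__import__('base64').b64decode('{enc}').decode()",
                         mode="eval").body


def obfuscate(source):
    """Return an obfuscated but behaviourally equivalent copy of source."""
    tree = ast.parse(source)
    return ast.unparse(Obfuscator(tree).visit(tree))


def load_parser(source):
    """Execute module source that defines exactly one function; return it."""
    namespace = {}
    exec(source, namespace)
    (func,) = [v for k, v in namespace.items() if k != "__builtins__"]
    return func


def fuzz(target, iterations=2000, seed=1):
    """Random-input fuzzer: return (input, exception) for the first input that
    crashes target with anything but its documented ValueError, else None."""
    rng = random.Random(seed)
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(8)))
        try:
            target(data)
        except ValueError:
            continue  # documented rejection of a short input, not a bug
        except Exception as exc:
            return data, exc
    return None


def compare(source=TARGET_SOURCE):
    """Obfuscate source, confirm the copy behaves identically on a valid record,
    then fuzz both.  Returns (obfuscated_source, crash_original, crash_clone)."""
    obfuscated = obfuscate(source)
    original, clone = load_parser(source), load_parser(obfuscated)
    sample = b"\x01\x03abc"  # constructed well-formed record
    assert original(sample) == clone(sample) == (1, 3, 0x61 ^ 0x62 ^ 0x63)
    return obfuscated, fuzz(original), fuzz(clone)


if __name__ == "__main__":
    obfuscated_src, crash_a, crash_b = compare()
    print(obfuscated_src)
    print("original crashed on", crash_a, "\nobfuscated crashed on", crash_b)
```

Run it and the obfuscated source prints with no recognisable names, strings or comments, yet the fuzzer reports the same crashing input (an IndexError from the unchecked length) against both copies: the obfuscator changed what an analyst sees, not what the program does, which is why a question of whether obfuscators are "more effective" than scanners compares tools that measure different things.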

A fun example of manually obfuscated code is the set of winning entries of the International Obfuscated C Code Contest. (See www.ioccc.org for more.)

More information:
  • PreEmptive package helps make obfuscation part of SDLC
  • Learning Guide: Application security testing techniques
  • OWASP Guide to Building Secure Web Applications and Web Services: Configuration
