|Products||Fuzz (Robustness) Testing Tools, Software Composition Analysis, Situation Awareness Tools|
|Services||Security testing services|
Number of employees
|Type||Computer security, Fuzzing, Robustness testing, Network Analysis|
Codenomicon Oy was a private company founded in late 2001 that developed fuzz testing and cyber supply chain management tools for network equipment manufacturers, service providers, government/defence and enterprise customers.
Codenomicon's flagship product was Codenomicon Defensics, a fuzz testing platform for locating unknown vulnerabilities in any type of software. Over 270 Defensics test suites were available for fuzzing specific network protocols and file formats.
Codenomicon Defensics test suites used primarily generational fuzzing, a technique in which the test suite fully understands the protocol or file format being tested. For fuzzing network protocols or file formats for which no test suite exists, Codenomicon also offered template fuzz test suites for IP network protocols and file formats.
Codenomicon AppCheck was a static binary scanner for executable files and firmware images. Using proprietary technology, it performed a software composition analysis (SCA) on supplied firmware or application, and identified vulnerable third-party code that was used to build the binary.
Codenomicon AbuseSA was a threat intelligence aggregator that monitored indicators of compromise from various sources, and produces highly accurate and actionable events and reports. It ingested well known feeds such as ShadowServer, abuse.ch, Zone-H, Malc0de, and more. Codenomicon AbuseSA included visualizations of the live data streams, which gave security personnel the opportunity to analyze and examine abuse events in real time.
Codenomicon's founders had been researching and developing fuzzing tools since 1996. The first ideas for the engine were based on ideas the founders had while working at OUSPG, where systematic fuzzing was first used to break ASCII/MIME contents in email clients and web services. Later, the same technique was applied to ASN.1 structures in such protocols as SNMP, LDAP and X.509.
Codenomicon was founded in 2001. It's DEFENSICS product line grew to cover over 250 industry-standard network protocols and file formats, including wireless interfaces such as Bluetooth and IEEE 802.11 Wi-Fi. After Codenomicon was founded, The research side span out into PROTOS Genome project.
In 2015 Codenomicon was acquired by Synopsys Inc.
Codenomicon was also known for having T-shirts that say "GO HACK YOURSELF", which they usually had at their booth during security conferences. This came from the goal of Codenomicon to enable testers and system administrators to find their own zero-day vulnerabilities, instead of depending on external security consultants, and special hacker skills.
Robustness testing is a model based fuzzing technique and overall black box testing, an extension of syntax testing, that systematically will explore the input space defined by various communication interfaces or data formats, and will generate intelligent test cases that find crash-level flaws and other failures in software. The technique was first described in a University of Oulu white paper on robustness testing published in 2000, by Kaksonen et al., and Licentiate Thesis by Kaksonen, published in 2001. Methodology described in this publication formed an early foundation of fuzz testing engine used by Codenomicon Defensics. Fault injection and specification mutations were other names they used for the same approach.
- "Synopsys Completes Acquisition of Software Security Company Codenomicon". synopsys.com. 2015-06-29. Retrieved 2015-08-24.
- Mime bugs in Netscape.
- "The buzz on the bug – How does the e-mail security bug affect Solaris users? By Stephanie Steenbergen, SunWorld staff". Sunsite.uakom.sk. 1998-08-01. Retrieved 2011-11-03.
- "CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol (LDAP)". Cert.org. Retrieved 2011-11-03.
- "Edmund Whelan. SNMP and Potential ASN.1 Vulnerabilities. December 2002. SANS Institute InfoSec Reading Room.". Retrieved 2011-11-03.
- "Viide J., Helin A., Laakso M., Pietikäinen P., Seppänen M., Halunen K., Puuperä R., Röning J. "Experiences with Model Inference Assisted Fuzzing". In proceedings of the 2nd USENIX Workshop on Offensive Technologies (WOOT '08). San Jose, CA. July 28, 2008". Ee.oulu.fi. Retrieved 2011-11-03.
- "LWN Security". Lwn.net. Retrieved 2011-11-03.
- "Kaksonen R., Laakso M., Takanen A. Vulnerability Analysis of Software through Syntax Testing. White paper. OUSPG 2001". Ee.oulu.fi. Retrieved 2011-11-03.
- "Kaksonen, Rauli. A Functional Method for Assessing Protocol Implementation Security (Licentiate thesis). Published in 2001 by Technical Research Centre of Finland, VTT Publications 447. 128 p. + app. 15 p. ISBN 951-38-5873-1 (soft back ed.) ISBN 951-38-5874-X (on-line ed.)." (PDF). Retrieved 2011-11-03.
- "Kaksonen R., Laakso M., Takanen A.. "Software Security Assessment through Specification Mutations and Fault Injection". In Proceedings of Communications and Multimedia Security Issues of the New Century / IFIP TC6/TC11 Fifth Joint Working Conference on Communications and Multimedia Security (CMS'01) May 21-22, 2001, Darmstadt, Germany; edited by Ralf Steinmetz, Jana Dittmann, Martin Steinebach. ISBN 0-7923-7365-0". Ee.oulu.fi. Retrieved 2011-11-03.
- AlwaysOn as an 100 Top Private Company Award Winner
- eSecurity DEFEND THEN DEPLOY.
- Codenomicon Introduces DEFENSICS for WLAN
- Codenomicon Offers Preemptive Security and Quality Testing
- CODENOMICON DEFENDS AGAINST NETWORK DATA STORAGE THREATS
- Jolt Productivity Award 2008
- Dr. Dobbs interview with Ari Takanen: Fuzzing, Model-based Testing, and Security http://www.drdobbs.com/security/207000941
- Dr. Dobbs article on Automated Penetration Testing Toolkit Released (based on Codenomcion press release) http://www.drdobbs.com/security/224600546
- CERT-FI Advisory on XML libraries
- CERT-FI Vulnerability Advisory on GnuTLS
- CVE-2004-0786 DoS, IPv6 URI parsing
- CVE-2004-0081 DoS, OpenSSL 0.9.6 before 0.9.6d
- CVE-2014-0160 Buffer overreach, OpenSSl 1.0.1 before 1.0.1g (Heartbleed)