Weekly Security Roundup: Fuzzing Gaps and Entra ID Recovery

This week’s security updates include a research review on continuous fuzzing in open source and new features in Microsoft Entra ID for more resilient cloud identity management and user recovery.

Fuzzing and Vulnerability Discovery in Open Source Projects

GitHub Security Lab recently published findings on why some security bugs persist in open source projects even after extended fuzzing with OSS-Fuzz. The case studies show that incomplete coverage, especially around encoding logic and external dependencies, lets vulnerabilities survive. Some issues escape detection because the fuzzers do not run long enough or never generate inputs large enough to reach the affected code. The article explains advanced options such as AFL++ N-gram branch coverage and value-based fuzzing, and recommends adding manual review or static analysis for better detection. It lays out five steps for closing coverage gaps and suggests using Fuzzing 101, workflow reviews, and layered assurance. These recommendations build on last week's supply chain security topics, arguing that effective security testing requires a mix of automation and human review. Open source maintainers are reminded that complex bugs sometimes need multiple validation steps to be found and fixed, reinforcing the ongoing emphasis on persistent, multifaceted vulnerability discovery.
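As an added illustration of the "inputs not large enough" failure mode (this is constructed example code, not from the GitHub Security Lab article or any real project), the C snippet below wraps a toy chunked record format in a libFuzzer-style harness. The format's continuation path only runs once more than four 1024-byte chunks have been seen, so it needs at least 5120 bytes of input. libFuzzer's default `-max_len` with an empty corpus is 4096 (stated here as an assumption about that default), and AFL++ caps generated input length with `-G`, so a harness run with defaults never executes that branch even though the rest of the parser shows healthy coverage. The format, the constants and the helper names are the example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format: a stream of fixed-size 1024-byte chunks. Byte 0 of
 * each chunk is a tag: 'D' = data chunk, 'E' = end marker. After four data
 * chunks the decoder switches to a "continuation" path, which stands in for
 * the spill-over buffers and rare encoding states real parsers keep there. */
#define CHUNK_LEN                 1024u
#define INLINE_CHUNKS             4u     /* chunks handled without continuation */
#define LIBFUZZER_DEFAULT_MAX_LEN 4096u  /* assumed libFuzzer default -max_len
                                            when no corpus sets a larger size */

typedef struct {
    unsigned data_chunks;    /* number of 'D' chunks decoded */
    int continuation_hit;    /* 1 if the continuation path ran */
    int rejected;            /* 1 if the input was malformed */
} decode_stats;

static decode_stats decode_stream(const uint8_t *data, size_t len)
{
    decode_stats st = {0, 0, 0};
    uint8_t inline_buf[INLINE_CHUNKS * CHUNK_LEN];
    size_t off = 0;

    while (off + CHUNK_LEN <= len) {
        const uint8_t *chunk = data + off;
        if (chunk[0] == 'E')
            return st;                  /* clean end marker */
        if (chunk[0] != 'D') {
            st.rejected = 1;            /* unknown tag: reject early */
            return st;
        }
        if (st.data_chunks < INLINE_CHUNKS) {
            /* Fast path: stage the chunk in the inline buffer. */
            memcpy(inline_buf + st.data_chunks * CHUNK_LEN, chunk, CHUNK_LEN);
        } else {
            /* Continuation path: needs five full chunks, i.e. 5120 bytes, so an
             * input capped at 4096 bytes can never reach this line. */
            st.continuation_hit = 1;
        }
        st.data_chunks++;
        off += CHUNK_LEN;
    }
    if (off != len)
        st.rejected = 1;                /* trailing partial chunk: malformed */
    return st;
}

/* Smallest input that reaches the continuation path. */
size_t min_len_for_continuation(void)
{
    return (INLINE_CHUNKS + 1) * CHUNK_LEN;
}

/* Can a fuzzer whose generated inputs are capped at max_len ever reach the
 * continuation path? Compare against -max_len (libFuzzer) or -G (AFL++). */
int max_len_reaches_continuation(size_t max_len)
{
    return max_len >= min_len_for_continuation();
}

/* Build an all-'D' stream of the given length (every chunk tag is 'D') and
 * report whether the continuation path ran. This models the best case for a
 * fuzzer limited to len bytes. Returns -1 on allocation failure. */
int continuation_hit_for_len(size_t len)
{
    uint8_t *buf = malloc(len ? len : 1);
    if (!buf)
        return -1;
    memset(buf, 'D', len);
    int hit = decode_stream(buf, len).continuation_hit;
    free(buf);
    return hit;
}

/* libFuzzer entry point. The harness itself is fine; the gap is the input
 * size the fuzzer is allowed to generate. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)decode_stream(data, size);
    return 0;
}

int main(void)
{
    size_t need = min_len_for_continuation();
    printf("continuation path needs >= %zu bytes\n", need);
    printf("default max_len %u reaches it: %s\n", LIBFUZZER_DEFAULT_MAX_LEN,
           max_len_reaches_continuation(LIBFUZZER_DEFAULT_MAX_LEN) ? "yes" : "no");
    printf("with max_len=%zu the path is hit: %d\n", need, continuation_hit_for_len(need));
    return 0;
}
```

The fix on the fuzzing side is not a smarter mutator but a larger ceiling: raising `-max_len` past the value `min_len_for_continuation()` reports, or seeding the corpus with an input above that size, is what makes the branch reachable at all. Checking the minimum input size for each deep path against the harness's cap is the kind of workflow review the article recommends.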

Improvements to Account Recovery in Microsoft Entra ID

Microsoft Entra ID (formerly Azure Active Directory) now offers expanded options for user account recovery. In addition to password reset and SMS, locked-out users can restore access by submitting a government ID for third-party verification (through services such as AU10TIX). The approach is designed to resist phishing and credential theft, reducing the risk from social engineering and SIM swap attacks. Setup is done through a portal integration and Azure API configuration, giving IT administrators a way to enable or restrict the feature. Privacy, regulatory policies, and provider stability are addressed, and step-by-step instructions with demo videos are available for deployment. Improved account recovery reduces support tickets and lets users regain access with less IT involvement, a boost for cloud identity stability. This update continues the previously covered work to raise the bar for identity security, following MFA, strong authentication, and trusted publishing.