Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kontinuierliche Sicherheitstests für APIs mit ...

Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP #devSec23

Continuous Delivery ist allgegenwärtig. Wirklich? Viele Teams straucheln immer noch dabei, regelmäßig gut getestete und vor allem sichere Software auszuliefern. Immer mit der gleichen, guten alten Ausrede: die nicht-funktionalen Tests seien zu aufwändig und zu teuer umzusetzen. Doch genau das Gegenteil ist der Fall!

In diesem Vortrag gehen wir kurz auf die aktuellen Bedrohungen und die Bedeutung früher und regelmäßiger Sicherheitstests von APIs ein. Anschließend zeigen wir, wie einfach es ist, diese Tests kontinuierlich und asynchron mit OWASP ZAP und Testkube gegen REST- und GraphQL-APIs direkt auf einem Kubernetes-Cluster auszuführen; immer dann wenn sich das API und der Service ändern.

M.-Leander Reimer

September 13, 2023
Tweet

More Decks by M.-Leander Reimer

Other Decks in Programming

Transcript

  1. qaware.de Kontinuerliche Sicherheitstests für APIs mit Testkube und OWASP ZAP

    Mario-Leander Reimer [email protected] @LeanderReimer @heise_devSec #devSec23 @testkube_io
  2. Holistic security still seems to be an often neglected non-functional

    requirement in many software projects and agile teams.
  3. Security is one of several software product quality attributes. Which

    one is more important? QAware | 5 Software Product Quality (ISO 25010) • Modularity • Reusability • Analysability • Modifiability • Testability Maintainability • Confidentiality • Integrity • Non-repudiation • Authenticity • Accountability Security • Adaptability • Installability • Replaceability Portability • Co-existence • Interoperability Compatibility • Maturity • Availability • Fault Tolerance • Recoverability Reliability • Time Behaviour • Resource Utilization • Capacity Efficiency • Completeness • Correctness • Appropriateness Functional Suitability • Operability • Learnability • UI Aesthetics • Accessibility Usability Deployability Safety
  4. QAware | 6 Monolithic systems were relatively easy to test.

    ▪ No distribution, no IPC ▪ Homogene technology stack ▪ Low infrastructure complexity ▪ Managed infrastructure ▪ Long release and test cycles ▪ Developed by one team
  5. QAware | 7 Microservice-based systems are complex. Testing them is

    even more complex. ▪ High distribution with various communication channels and IPC formats ▪ Heterogeneous Technology Stacks ▪ High infrastructure complexity with many components ▪ New operating model with more responsibility for the developers ▪ Short release cycles. Many teams.
  6. All modern IPC protocols are susceptible to attacks from the

    OWASP API Security Top 10 QAware | 8 GraphQL gRPC REST
  7. All modern IPC protocols are susceptible to attacks from the

    OWASP API Security Top 10 QAware | 9 GraphQL gRPC REST API1:2023 Broken Object Level Authorization API2:2023 Broken Authentication API3:2023 Broken Object Property Level Authorization API4:2023 Unrestricted Resource Consumption API5:2023 Broken Function Level Authorization API6:2023 Unrestricted Access to Sensitive Business Flows API7:2023 Server Side Request Forgery API8:2023 Security Misconfiguration API9:2023 Improper Inventory Management API10:2023 Unsafe Consumption of APIs A01 Broken Access Control A02 Cryptographic Failures A03 Injection A04 Insecure Design A05 Security Misconfiguration A06 Vulnerable and Outdated Components A07 Identification and Authentication Failures A08 Software and Data Integrity Failures A09 Security Logging and Monitoring Failures A10 Server Side Request Forgery (SSRF)
  8. Mastering the tools, techniques and technologies required for Continuous Delivery

    is not easy! QAware | 10 Continuous Delivery Low Risk Releases Less Rework Fast Time to Market Better Products Lower Costs Happier Teams Happier Users Loosely Coupled Architectures Maintainable Code Empowered Teams Continuous Security from Day 1 Test Automation Continuous Integration GitOps Deployment Automation Monitoring and Alerting
  9. OWASP Zed Attack Proxy (ZAP) QAware | 11 ▪ Widespread

    and well-known open source web application vulnerability scanner ▪ Detailed documentation. International community. ▪ Several modes of operation: Intercepting Proxy, Active und Passive scanner, HTTP Spider, Brute Force Scanner, Port Scanner, OpenAPI v3, SOAP, GraphQL, Web Sockets ▪ ZAP provides a powerful API and tools for Security Scanning Automation ▪ The official ZAP Docker images provide an easy way to run ZAP, especially in CI/CD and container runtime environments such as Kubernetes – API Scan - a full scan of an API defined using OpenAPI / Swagger, or GraphQL – Baseline Scan - a time limited spider which reports issues found passively – Full Scan - a full spider, optional ajax scan and active scan which reports issues found – Webswing - run the ZAP Desktop UI in a browser ▪ GitHub Action available for easy integration into GH build pipelines ▪ https://www.zaproxy.org/docs/
  10. Monolithic, linear CI/CD pipelines are suboptimal and will result in

    delayed feedback and long release cycles. QAware | 12 Usually delayed until the end of sprint or the release. Which one first? Functionality vs. Performance vs. Security?
  11. A microservice architecture with many downstream dependencies is complex and

    really hard to test. QAware | 14 Cluster Microservice A Microservice B Microservice C External System X External System Y Team A Team C Team B Unknown
  12. Initial idea and conceptual architecture for continuous API security tests

    with ZAP on Kubernetes QAware | 16 default zap Security Unit Test Tester Microservice Deployment API Test ZAP API ZAP GUI REST CronJob HTML Pod Pod
  13. Improved Conceptual Architecture QAware | 17 Packages Package publish update

    Run deploy watch Deploy watch Dev GitOps Build push Checkout Build Test Quality Package Dev Test (E2E, NFA) trigger test Tests
  14. Hello Testkube. Your friendly cloud-native testing framework for Kubernetes QAware

    | 18 ▪ Testkube natively integrates test orchestration and execution into Kubernetes and your CI/CD or GitOps pipeline ▪ Avoids vendor lock-in for test orchestration and execution in CI/CD pipelines ▪ Makes it possible to decouple test execution from build processes; test engineers should be able to run specific tests whenever needed ▪ Makes it easy to run any kind of tests - functional, load/performance, security, compliance, etc. in your clusters, without having to wrap them in docker-images or providing network access ▪ Provides a modular architecture for adding new types of tests and executors ▪ https://github.com/kubeshop/testkube
  15. Demo Architecture and Testkube Concepts QAware | 19 default testkube

    Testkube Dashboard Webhook Receiver Testkube API Server CRDs CI/CD System Dev Executors Test Test Suite Microservice trigger flux-system run Mongo DB NATS Minio S3 CLI start store watch Test Trigger SUT Monitoring System Test Source
  16. qaware.de QAware GmbH Aschauer Straße 32 81549 München Tel. +49

    89 232315-0 [email protected] twitter.com/qaware linkedin.com/company/qaware-gmbh xing.com/companies/qawaregmbh slideshare.net/qaware github.com/qaware Contact details ...