Syntribos – Security Test Automation for APIs
Matthew Valdes
Background
• Matt Valdes – Security Developer – Application Security Testing
Rackspace Security Engineering
• Security within Quality Engineering
Infrastructure Testing
Web App Testing
Code Security Review
API Testing
Security Test Automation
API Test Automation?
OpenStack
• Open source cloud platform
• Started in 2010 by NASA and Rackspace
• Today: > 2.5 million LoC + 1800 contributors
• ~77% Python
API Test Scope
JSON Body
Enter Syntribos
• THE DAIMONES KERAMIKOI were five malevolent spirits which plagued the craftsman potter:
– Syntribos (the Shatterer)
– Smaragos (the Smasher)
– Asbetos (Charrer)
– Sabaktes (Destroyer)
– Omodamos (Crudebake)
API Test Automation!
• Automatic fuzzer for HTTP requests
– Currently based on FuzzDB test strings
• Fully customizable
• Open source!
Syntribos Framework
• OpenCafe
– Code: https://github.com/openstack/opencafe.git
– Docs: http://opencafe.readthedocs.org/en/latest/
– Automation Framework Engine
– Unittest Framework
Syntribos Architecture
Syntribos Configuration
[syntribos]
endpoint=https://cloud.api.example.com

[user]
username=user123
password=password123
Syntribos Request
POST /tokens HTTP/1.1
Accept: application/json
Content-type: application/json

{"auth": {"passwordCredentials": {"username": "USER_NAME", "password": "PASSWORD"}}}
Syntribos Payload
• Data can be generated based on the test
• Data generation supports HTTP protocol
• Automated replacement
– URL Path
– URL Parameters
– HTTP Headers
– Body JSON, XML
Syntribos Validation
• Extensible per test scenario
• Default for fuzzing:
– Response Length Comparison
– HTTP Status Code
Syntribos Extensions
• Used to supply supplementary data
• Any data source can be referenced
• Can be stored external to Syntribos
• Returns a string or generator of strings
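The Payload, Validation and Extensions slides above describe one loop: substitute test strings into a request template, send it, and compare the response against the unfuzzed baseline. The following is an added illustration written for this page, not Syntribos code: the template is modelled on the slide's /tokens body, the fuzz strings are constructed stand-ins for FuzzDB entries, and fake_api is a constructed offline stand-in for the target with a planted defect (an oversized password echoed back in a 500 response) so the default validators have something to catch.

```python
import json
from typing import Dict, Iterator, List, Tuple

# Constructed request body modelled on the slide's POST /tokens template;
# USER_NAME and PASSWORD are the placeholders that get fuzzed.
TEMPLATE = ('{"auth": {"passwordCredentials": '
            '{"username": "USER_NAME", "password": "PASSWORD"}}}')

def fuzz_strings() -> Iterator[str]:
    """Extension-style data source: a generator of constructed test
    strings (stand-ins for FuzzDB entries, not real FuzzDB data)."""
    yield from ["' OR 1=1 --", "<script>alert(1)</script>",
                "../../etc/passwd", "A" * 4096]

def render(template: str, placeholder: str, value: str) -> str:
    """Substitute one placeholder, JSON-escaping the value so the body stays valid."""
    return template.replace(placeholder, json.dumps(value)[1:-1])

def fake_api(body: str) -> Tuple[int, str]:
    """Constructed stand-in for the target so the example runs offline.
    Planted defect: an oversized password is echoed back in a 500 response."""
    creds = json.loads(body)["auth"]["passwordCredentials"]
    if len(creds["password"]) > 1024:
        return 500, "internal error while hashing: " + creds["password"]
    return 401, json.dumps({"unauthorized": {"code": 401, "message": "bad credentials"}})

def validate(baseline: Tuple[int, str], response: Tuple[int, str],
             length_tolerance: int = 100) -> List[str]:
    """Default fuzz validation from the slides: report a changed status code
    or a response length that deviates beyond the tolerance."""
    findings = []
    if response[0] != baseline[0]:
        findings.append(f"status {baseline[0]} -> {response[0]}")
    delta = len(response[1]) - len(baseline[1])
    if abs(delta) > length_tolerance:
        findings.append(f"length delta {delta:+d}")
    return findings

def run_fuzz(template: str, placeholders: List[str]) -> Dict[str, List[str]]:
    """Send the unmodified template as the baseline, then one request per
    (placeholder, fuzz string); return only the cases that produced findings."""
    baseline = fake_api(template)
    results = {}
    for field in placeholders:
        for payload in fuzz_strings():
            findings = validate(baseline, fake_api(render(template, field, payload)))
            if findings:
                results[f"{field}={payload[:20]}"] = findings
    return results

if __name__ == "__main__":
    for case, findings in run_fuzz(TEMPLATE, ["USER_NAME", "PASSWORD"]).items():
        print(case, findings)
```

Only the oversized-password case is reported; the other strings leave the status and length unchanged, which is exactly the noise floor the two default validators are designed to ignore.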
Syntribos Demo
Advantages
• Test validation
• Unlimited data sources
• Command-line driven
• Open source
Syntribos Future State
• More security tests
• Better reporting
– Output formatting
– Result aggregation
• unittest creation to reproduce failures
OpenStack Security Project
• Syntribos is an OpenStack Security Project
• Other OSSG Security Projects:
– Bandit (static code analysis)
– Anchor (ephemeral PKI)
– Security Guide (best practices)
Join Us
#openstack-security on Freenode
#openstack-meeting-alt @ 1700 UTC Thur
[email protected]
• Use [Security] tag
Thanks