qaware.de Kontinuerliche Sicherheitstests für APIs mit Testkube und OWASP ZAP Mario-Leander Reimer [email protected] @LeanderReimer @heise_devSec #devSec23 @testkube_io

2 Mario-Leander Reimer Managing Director | CTO @LeanderReimer #cloudnativenerd #qaware #gernperDude

"Software Is Eating the World." Marc Andreessen, 20th August 2011

Holistic security still seems to be an often neglected non-functional requirement in many software projects and agile teams.

Security is one of several software product quality attributes. Which one is more important? QAware | 5 Software Product Quality (ISO 25010) ● Modularity ● Reusability ● Analysability ● Modifiability ● Testability Maintainability ● Confidentiality ● Integrity ● Non-repudiation ● Authenticity ● Accountability Security ● Adaptability ● Installability ● Replaceability Portability ● Co-existence ● Interoperability Compatibility ● Maturity ● Availability ● Fault Tolerance ● Recoverability Reliability ● Time Behaviour ● Resource Utilization ● Capacity Efficiency ● Completeness ● Correctness ● Appropriateness Functional Suitability ● Operability ● Learnability ● UI Aesthetics ● Accessibility Usability Deployability Safety

QAware | 6 Monolithic systems were relatively easy to test. ■ No distribution, no IPC ■ Homogene technology stack ■ Low infrastructure complexity ■ Managed infrastructure ■ Long release and test cycles ■ Developed by one team

QAware | 7 Microservice-based systems are complex. Testing them is even more complex. ■ High distribution with various communication channels and IPC formats ■ Heterogeneous Technology Stacks ■ High infrastructure complexity with many components ■ New operating model with more responsibility for the developers ■ Short release cycles. Many teams.

All modern IPC protocols are susceptible to attacks from the OWASP API Security Top 10 QAware | 8 GraphQL gRPC REST

All modern IPC protocols are susceptible to attacks from the OWASP API Security Top 10 QAware | 9 GraphQL gRPC REST API1:2023 Broken Object Level Authorization API2:2023 Broken Authentication API3:2023 Broken Object Property Level Authorization API4:2023 Unrestricted Resource Consumption API5:2023 Broken Function Level Authorization API6:2023 Unrestricted Access to Sensitive Business Flows API7:2023 Server Side Request Forgery API8:2023 Security Misconfiguration API9:2023 Improper Inventory Management API10:2023 Unsafe Consumption of APIs A01 Broken Access Control A02 Cryptographic Failures A03 Injection A04 Insecure Design A05 Security Misconfiguration A06 Vulnerable and Outdated Components A07 Identification and Authentication Failures A08 Software and Data Integrity Failures A09 Security Logging and Monitoring Failures A10 Server Side Request Forgery (SSRF)

Mastering the tools, techniques and technologies required for Continuous Delivery is not easy! QAware | 10 Continuous Delivery Low Risk Releases Less Rework Fast Time to Market Better Products Lower Costs Happier Teams Happier Users Loosely Coupled Architectures Maintainable Code Empowered Teams Continuous Security from Day 1 Test Automation Continuous Integration GitOps Deployment Automation Monitoring and Alerting

OWASP Zed Attack Proxy (ZAP) QAware | 11 ■ Widespread and well-known open source web application vulnerability scanner ■ Detailed documentation. International community. ■ Several modes of operation: Intercepting Proxy, Active und Passive scanner, HTTP Spider, Brute Force Scanner, Port Scanner, OpenAPI v3, SOAP, GraphQL, Web Sockets ■ ZAP provides a powerful API and tools for Security Scanning Automation ■ The official ZAP Docker images provide an easy way to run ZAP, especially in CI/CD and container runtime environments such as Kubernetes – API Scan - a full scan of an API defined using OpenAPI / Swagger, or GraphQL – Baseline Scan - a time limited spider which reports issues found passively – Full Scan - a full spider, optional ajax scan and active scan which reports issues found – Webswing - run the ZAP Desktop UI in a browser ■ GitHub Action available for easy integration into GH build pipelines ■ https://www.zaproxy.org/docs/

Monolithic, linear CI/CD pipelines are suboptimal and will result in delayed feedback and long release cycles. QAware | 12 Usually delayed until the end of sprint or the release. Which one first? Functionality vs. Performance vs. Security?

No content

A microservice architecture with many downstream dependencies is complex and really hard to test. QAware | 14 Cluster Microservice A Microservice B Microservice C External System X External System Y Team A Team C Team B Unknown

Why not run (non)-functional tests against a cloud-native microservice architecture continuously, or triggered on the cluster itself?

Initial idea and conceptual architecture for continuous API security tests with ZAP on Kubernetes QAware | 16 default zap Security Unit Test Tester Microservice Deployment API Test ZAP API ZAP GUI REST CronJob HTML Pod Pod

Improved Conceptual Architecture QAware | 17 Packages Package publish update Run deploy watch Deploy watch Dev GitOps Build push Checkout Build Test Quality Package Dev Test (E2E, NFA) trigger test Tests

Hello Testkube. Your friendly cloud-native testing framework for Kubernetes QAware | 18 ■ Testkube natively integrates test orchestration and execution into Kubernetes and your CI/CD or GitOps pipeline ■ Avoids vendor lock-in for test orchestration and execution in CI/CD pipelines ■ Makes it possible to decouple test execution from build processes; test engineers should be able to run specific tests whenever needed ■ Makes it easy to run any kind of tests - functional, load/performance, security, compliance, etc. in your clusters, without having to wrap them in docker-images or providing network access ■ Provides a modular architecture for adding new types of tests and executors ■ https://github.com/kubeshop/testkube

Demo Architecture and Testkube Concepts QAware | 19 default testkube Testkube Dashboard Webhook Receiver Testkube API Server CRDs CI/CD System Dev Executors Test Test Suite Microservice trigger flux-system run Mongo DB NATS Minio S3 CLI start store watch Test Trigger SUT Monitoring System Test Source

lreimer/testkube-zap-demo lreimer/hands-on-testkube

qaware.de QAware GmbH Aschauer Straße 32 81549 München Tel. +49 89 232315-0 [email protected] twitter.com/qaware linkedin.com/company/qaware-gmbh xing.com/companies/qawaregmbh slideshare.net/qaware github.com/qaware Contact details ...