A review of Rackspace Security Engineering program and Syntribos API Security Test Automation

1. Syntribos – Security Test
Automation for APIs
Matthew Valdes

2. Background
• Matt Valdes – Security Developer
– Application Security Testing

3. Rackspace Security Engineering
• Security within Quality Engineering

4. Infrastructure Testing

5. Web App Testing

6. Code Security Review

7. API Testing

8. Security Test Automation

9. API Test Automation?

10. OpenStack
• Open source cloud platform
• Started in 2010 by NASA and Rackspace
• Today: > 2.5 million LoC + 1800 contributors
• ~77% Python

11. API Test Scope

12. JSON Body

13. JSON Body

14. Enter Syntribos
• THE DAIMONES KERAMIKOI were five malevolent
spirits which plagued the craftsman potter
– Syntribos (the Shatterer)
– Smaragos (the Smasher)
– Asbetos (Charrer)
– Sabaktes (Destroyer)
– Omodamos (Crudebake).

15. API Test Automation!
• Automatic fuzzer for HTTP requests
– Currently Based on FuzzDB Test Strings
• Fully customizable
• Open source!

16. Syntribos Framework
• OpenCafe
– Code: https://github.com/openstack/opencafe.git
– Docs: http://opencafe.readthedocs.org/en/latest/
– Automation Framework Engine
– Unittest Framework

17. Syntribos Architecture

18. Syntribos Configuration
[syntribos]
endpoint=https://cloud.api.example.com
[user]
username=user123
password=password123

19. Syntribos Request
POST /tokens HTTP/1.1
Accept: application/json
Content-type: application/json
{"auth":
{"passwordCredentials":
{"username": "USER_NAME",
"password":"PASSWORD"}
}
}

20. Syntribos Payload
• Data can be generated based on the test
• Data generation supports HTTP protocol
• Automated replacement
– URL Path
– URL Parameters
– HTTP Headers
– Body JSON, XML

21. Syntribos Validation
• Extensible per test scenario
• Default for fuzzing:
– Response Length Comparison
– HTTP Status Code

22. Syntribos Extensions
• Used to supply supplementary data
• Any data source can be referenced
• Can be stored external to Syntribos
• Returns a string or generator of strings

23. Syntribos Demo

24. Advantages
• Test validation
• Unlimited data sources
• Command-line driven
• Open source

25. Syntribos Future State
• More security tests
• Better reporting
– Output formatting
– Result aggregation
• unittest creation to reproduce failures

26. OpenStack Security Project
• Syntribos is an OpenStack Security Project
• Other OSSG Security Projects:
– Bandit (static code analysis)
– Anchor (ephemeral PKI)
– Security Guide (best practices)

27. Join Us
27
#openstack-security on Freenode
#openstack-meeting-alt @ 1700 UTC Thur
openstack-dev@lists.openstack.org
• Use [Security] tag

28. Q&A
28
https://github.com/openstack/syntribos
matthew.valdes@rackspace.com

29. Thanks
29