Continuous OpenAPI Security Tests on K8s with Testkube and ZAP
0 likes37 views
The document discusses the importance of continuous security testing in software development, particularly through the use of Testkube and ZAP within Kubernetes environments. It emphasizes the need for integrating security measures from the beginning of the development process to enhance software quality across various attributes like performance, security, and usability. Additionally, it highlights the significance of modular architectures and automated testing frameworks to improve development efficiency and reduce vendor lock-in.
Continuous OpenAPI Security Tests on K8s with Testkube and ZAP
- 1. qaware.de Continuous OpenAPI Security Tests on K8s with Testkube and ZAP Mario-Leander Reimer [email protected] @LeanderReimer @DevSecCon #Testkube
- 2. 2 Mario-Leander Reimer Principal Software Architect @LeanderReimer #cloudnativenerd #qaware #gernperDude
- 3. Holistic security still seems to be a neglected non-functional requirement in many software projects and agile teams.
- 4. Security is one of several software product quality attributes. Which one is more important? QAware | 4 Software Product Quality (ISO 25010) ● Modularity ● Reusability ● Analysability ● Modifiability ● Testability Maintainability ● Confidentiality ● Integrity ● Non-repudiation ● Authenticity ● Accountability Security ● Adaptability ● Installability ● Replaceability Portability ● Co-existence ● Interoperability Compatibility ● Maturity ● Availability ● Fault Tolerance ● Recoverability Reliability ● Time Behaviour ● Resource Utilization ● Capacity Efficiency ● Completeness ● Correctness ● Appropriateness Functional Suitability ● Operability ● Learnability ● UI Aesthetics ● Accessibility Usability
- 5. Mastering the tools, techniques and technologies required for Continuous Delivery is not easy! QAware | 5 Continuous Delivery Low Risk Releases Less Rework Fast Time to Market Better Products Lower Costs Happier Teams Happier Users Loosely Coupled Architectures Maintainable Code Empowered Teams Continuous Security from Day 1 Test Automation Continuous Integration GitOps Deployment Automation Monitoring and Alerting
- 6. Monolithic, linear CI/CD pipelines are suboptimal and will result in delayed feedback and long release cycles. QAware | 6 Usually delayed until the end of sprint or the release. Which one first? Functionality vs. Performance vs. Security?
- 7. Why not run (non)-functional tests against a cloud-native microservice architecture continuously, or triggered on the cluster itself?
- 9. Conceptual PAL Architecture QAware | 9 Packages Package publish update Run deploy watch Deploy watch Dev GitOps Build push Checkout Build Test Quality Package Dev Test (E2E, NFA) trigger test Tests
- 11. OWASP Zed Attack Proxy (ZAP) QAware | 11 ■ Widespread and well-known open source web application vulnerability scanner ■ Detailed documentation. International community. ■ Several modes of operation: Intercepting Proxy, Active und Passive scanner, HTTP Spider, Brute Force Scanner, Port Scanner, OpenAPI v3, SOAP, GraphQL, Web Sockets ■ ZAP provides a powerful API and tools for Security Scanning Automation ■ The official ZAP Docker images provide an easy way to run ZAP, especially in CI/CD and container runtime environments such as Kubernetes – API Scan - a full scan of an API defined using OpenAPI / Swagger, or GraphQL – Baseline Scan - a time limited spider which reports issues found passively – Full Scan - a full spider, optional ajax scan and active scan which reports issues found – Webswing - run the ZAP Desktop UI in a browser ■ https://www.zaproxy.org/docs/
- 12. Hello Testkube. Your friendly cloud-native testing framework for Kubernetes QAware | 12 ■ Testkube natively integrates test orchestration and execution into Kubernetes and your CI/CD or GitOps pipeline ■ Avoids vendor lock-in for test orchestration and execution in CI/CD pipelines ■ Makes it possible to decouple test execution from build processes; test engineers should be able to run specific tests whenever needed ■ Makes it easy to run any kind of tests - functional, load/performance, security, compliance, etc. in your clusters, without having to wrap them in docker-images or providing network access ■ Provides a modular architecture for adding new types of tests and executors ■ https://github.com/kubeshop/testkube
- 13. Demo Architecture and Testkube Concepts QAware | 13 default testkube Testkube Dashboard Webhook Receiver Testkube API Server CRDs CI/CD System Dev Executors Test Test Suite Microservice trigger flux-system run Mongo DB NATS Minio S3 CLI start store watch Test Trigger SUT Monitoring System Test Source
- 14. qaware.de QAware GmbH Aschauer Straße 32 81549 München Tel. +49 89 232315-0 [email protected] twitter.com/qaware linkedin.com/company/qaware-gmbh xing.com/companies/qawaregmbh slideshare.net/qaware github.com/qaware Contact details ...