
Test the system security as you Test as Code the application security

In this article, I show how to use the "X as Code" approach to test system security the same way you already use it to test application security.

Once you follow the Security-as-Code concept, you can also apply the Test Pyramid (Mike Cohn, 2005) to security testing. This document gives a quick introduction to one security tool for each level of the pyramid:

  • OWASP ZAP,
  • Gauntlt,
  • ServerSpec.

The Test Pyramid

The Test Pyramid (Mike Cohn, 2005) can help to organize and structure security testing.

[Figure: Test pyramid]

It has 3 levels of tests. The main principle is to prefer the lower layers, which are faster and cheaper.

So when a Service Test or an Acceptance Test fails, write a Unit Test that reproduces the failure, and so on down the pyramid.

  • Many Unit Tests,
  • Fewer Service Tests,
  • Even fewer Acceptance Tests.

Defects are then found earlier and are cheaper to fix.

This presentation focuses on:

  • OWASP ZAP,
  • Gauntlt,
  • ServerSpec.

OWASP ZAP

OWASP ZAP (Open Web Application Security Project ZAP) is an open source tool provided by OWASP for penetration testing a web application in order to find vulnerabilities. It runs a passive scan.

It can:

  • run the ZAP spider (for one minute): zap-baseline.py,
  • run a full scan (takes longer): zap-full-scan.py,
  • test APIs: zap-api-scan.py.

The ZAP Baseline is ideal for CI/CD pipelines. With Docker, it's very easy to integrate it in a pipeline:

docker run --rm \
  -it \
  --name owasp-zap-scan-dvws \
  --network host \
  -v $PWD/data:/zap/wrk:rw \
  owasp/zap2docker-weekly \
  sh -c "zap-baseline.py -t http://0.0.0.0:80 -r zap-baseline-scan-report.html"

For more information: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
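The HTML report above is meant for humans; a pipeline needs a machine-readable verdict. The following is an added example (not code from the article, from ZAP, or from the zap2docker image) of a gate step that reads the JSON report zap-baseline.py writes with its -J option and decides whether the job passes, warns or fails. The JSON layout is modelled on ZAP's JSON report (a "site" list whose entries carry an "alerts" list with "pluginid" and "riskcode" 0 to 3); the SAMPLE_REPORT, the POLICY table and the function names are constructed for this example. The per-rule IGNORE/WARN/FAIL policy mirrors the rule configuration file zap-baseline.py itself accepts, and the exit codes follow its 0 = pass, 1 = fail, 2 = warn convention.

```python
"""Gate a CI job on a ZAP JSON report (added example, not ZAP's own code)."""
import json
from collections import Counter

# Constructed sample modelled on the report zap-baseline.py writes with -J:
# one entry per site, each with a list of alerts.
# riskcode: 0 = Informational, 1 = Low, 2 = Medium, 3 = High.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://0.0.0.0:80",
        "alerts": [
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "count": "3"},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "count": "3"},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "count": "1"},
            {"pluginid": "10015", "alert": "Incomplete or No Cache-control Header Set",
             "riskcode": "0", "count": "3"},
        ],
    }]
})

# Constructed per-rule policy in the spirit of the zap-baseline.py config file:
# rule id -> IGNORE / WARN / FAIL. Rules not listed fall back to a risk threshold.
POLICY = {
    "10015": "IGNORE",   # accepted risk: cache headers reviewed for this static site
    "10038": "FAIL",     # a CSP header is mandatory for this application
}

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def load_alerts(report_text):
    """Flatten the per-site alert lists into one list of (site, alert) pairs."""
    report = json.loads(report_text)
    return [(site.get("@name", "?"), alert)
            for site in report.get("site", [])
            for alert in site.get("alerts", [])]


def classify(alert, policy, fail_at_risk=3):
    """Decide IGNORE / WARN / FAIL for one alert.

    An explicit policy entry wins; otherwise any alert whose risk code is at
    or above fail_at_risk fails the build and everything else only warns
    (the same default zap-baseline.py uses when no config file is given)."""
    action = policy.get(alert["pluginid"])
    if action:
        return action
    return "FAIL" if int(alert["riskcode"]) >= fail_at_risk else "WARN"


def evaluate(report_text, policy, fail_at_risk=3):
    """Return (exit_code, findings): 0 pass, 1 fail, 2 warn."""
    findings = []
    for site, alert in load_alerts(report_text):
        findings.append({
            "site": site,
            "id": alert["pluginid"],
            "name": alert["alert"],
            "risk": RISK_NAMES[int(alert["riskcode"])],
            "count": int(alert.get("count", "1")),
            "action": classify(alert, policy, fail_at_risk),
        })
    totals = Counter(f["action"] for f in findings)
    if totals["FAIL"]:
        code = 1
    elif totals["WARN"]:
        code = 2
    else:
        code = 0
    return code, findings


def main():
    code, findings = evaluate(SAMPLE_REPORT, POLICY)
    for f in findings:
        print(f"{f['action']:6} {f['id']:>6} {f['risk']:13} x{f['count']:<3} {f['name']}")
    print(f"gate result: exit {code}")
    return code


if __name__ == "__main__":
    raise SystemExit(main())
```

In a pipeline you would replace SAMPLE_REPORT with the contents of the file named by -J (it lands in the directory mounted on /zap/wrk) and let the script's exit status fail the stage, which is exactly the "fail fast, lower in the pyramid" behaviour the Test Pyramid asks for.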

Gauntlt

Gauntlt ("Be Mean to Your Code") is based on the Cucumber BDD (Behavior-Driven Development) testing framework. It includes several attack tools:

  • sslyze: verifies the SSL configuration,
  • nmap: verifies the network configuration,
  • sqlmap: tests for SQL injection vulnerabilities,
  • curl: performs simple web application attacks,
  • arachni, dirb, and garmr: search for common vulnerabilities,
  • heartbleed: checks for that specific vulnerability.

Source: http://gauntlt.org

Example (nmap.attack file):

Feature: nmap attacks for scanme.nmap.org and to use this for your tests, change the value in the profile
  Background:
    Given "nmap" is installed
    And the following profile:
      | name           | value           |
      | hostname       | scanme.nmap.org |
      | host           | scanme.nmap.org |
      | tcp_ping_ports | 22,25,80,443    |
  Scenario: Verify server is open on expected set of ports using the nmap-fast attack step
    When I launch a "nmap-fast" attack
    Then the output should match /80.tcp\s+open/

Run (via a Docker image):

docker run -t --rm=true -v $PWD:/working -w /working gauntlt nmap.attack

Gauntlt can be integrated in CI/CD pipelines by tagging the attack files:

  • tests tagged with @slow are executed in the CD pipeline,
  • the others are executed in the CI pipeline.

For more information: http://gauntlt.org/
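To keep that split honest, a pipeline can inventory the .attack files and check where each scenario will run before anything is launched. The script below is an added example (not part of Gauntlt or of the article): it reads the Gherkin tag lines that sit above Feature: and Scenario: keywords and routes every scenario to "cd" when it inherits or carries @slow, otherwise to "ci". The two sample attack files are constructed for this example and deliberately contain no attack commands beyond the ones the page already shows; the function names are this example's own.

```python
"""Route Gauntlt scenarios to CI or CD by their @slow tag (added example)."""
import re

# Constructed sample .attack files. In Gherkin a tag line directly above
# Feature: applies to every scenario of the file; a tag line directly above
# Scenario: applies to that scenario only.
SAMPLE_FILES = {
    "nmap.attack": '''\
@slow
Feature: nmap attacks for scanme.nmap.org
  Background:
    Given "nmap" is installed
  Scenario: Verify server is open on expected set of ports using the nmap-fast attack step
    When I launch a "nmap-fast" attack
    Then the output should match /80.tcp\\s+open/
''',
    "curl.attack": '''\
Feature: curl checks against the local web site
  Scenario: home page answers
    When I launch a "curl" attack with:
      """
      curl -I http://localhost
      """
    Then the output should contain "200 OK"

  @slow
  Scenario: home page answers under repeated requests
    When I launch a "curl" attack with:
      """
      curl -I http://localhost
      """
''',
}

TAG_RE = re.compile(r"@\S+")


def parse_scenarios(text):
    """Yield (scenario_name, tags) for each Scenario in one .attack file."""
    feature_tags, pending = set(), set()
    in_docstring = False
    for raw in text.splitlines():
        line = raw.strip()
        # Lines inside a """ docstring are command text, never tags or keywords.
        if line == '"""':
            in_docstring = not in_docstring
            continue
        if in_docstring:
            continue
        if line.startswith("@"):
            pending |= set(TAG_RE.findall(line))
        elif line.startswith("Feature:"):
            feature_tags, pending = pending, set()
        elif line.startswith(("Scenario:", "Scenario Outline:")):
            name = line.split(":", 1)[1].strip()
            yield name, feature_tags | pending
            pending = set()


def plan(files, slow_tag="@slow"):
    """Return {"ci": [...], "cd": [...]} of (file, scenario) pairs."""
    routes = {"ci": [], "cd": []}
    for filename, text in files.items():
        for scenario, tags in parse_scenarios(text):
            stage = "cd" if slow_tag in tags else "ci"
            routes[stage].append((filename, scenario))
    return routes


if __name__ == "__main__":
    # The CI job would then run `gauntlt --tags ~@slow` and the CD job
    # `gauntlt --tags @slow` (Cucumber tag syntax, where ~ negates a tag).
    for stage, items in plan(SAMPLE_FILES).items():
        print(f"{stage}:")
        for filename, scenario in items:
            print(f"  {filename}: {scenario}")
```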

ServerSpec

ServerSpec allows you to check that servers are correctly configured (resources, ports, packages, HTTP status codes, ...), either over an SSH connection or locally.

ServerSpec runs tests against specifications you write. For example, to verify that a Docker image is present and that port 80 is listening:

  • run a web site on port 80,

docker run -d \
  --name nginx \
  -p 80:80 \
  devopstestlab/nginx-helloworld

  • create the server1_spec.rb specifications,

require 'spec_helper'

# The image pulled by the container started above must be present locally.
describe docker_image('devopstestlab/nginx-helloworld') do
  it { should exist }
end

# The container publishes the web site on port 80 of the host.
describe port(80) do
  it { should be_listening }
end

  • test the specifications.

docker run --rm \
  --network host \
  -v $PWD:/serverspec \
  devopstestlab/serverspec \
  rake spec

By Bruno Delb
