![Syntribos Configuration
[syntribos]
endpoint=https://cloud.api.example.com
[user]
username=user123
password=password123](https://image.slidesharecdn.com/owaspmeetup201602-160226225202/85/Syntribos-API-Security-Test-Automation-18-320.jpg)
![Join Us
27
#openstack-security on Freenode
#openstack-meeting-alt @ 1700 UTC Thur
openstack-dev@lists.openstack.org
• Use [Security] tag](https://image.slidesharecdn.com/owaspmeetup201602-160226225202/85/Syntribos-API-Security-Test-Automation-27-320.jpg)
Syntribos API Security Test Automation
- 1. Syntribos – Security Test Automation for APIs Matthew Valdes
- 2. Background • Matt Valdes – Security Developer – Application Security Testing
- 3. Rackspace Security Engineering • Security within Quality Engineering
- 7. API Testing
- 10. OpenStack • Open source cloud platform • Started in 2010 by NASA and Rackspace • Today: > 2.5 million LoC + 1800 contributors • ~77% Python
- 11. API Test Scope
- 12. JSON Body
- 13. JSON Body
- 14. Enter Syntribos • THE DAIMONES KERAMIKOI were five malevolent spirits which plagued the craftsman potter – Syntribos (the Shatterer) – Smaragos (the Smasher) – Asbetos (Charrer) – Sabaktes (Destroyer) – Omodamos (Crudebake).
- 15. API Test Automation! • Automatic fuzzer for HTTP requests – Currently Based on FuzzDB Test Strings • Fully customizable • Open source!
- 16. Syntribos Framework • OpenCafe – Code: https://github.com/openstack/opencafe.git – Docs: http://opencafe.readthedocs.org/en/latest/ – Automation Framework Engine – Unittest Framework
- 19. Syntribos Request POST /tokens HTTP/1.1 Accept: application/json Content-type: application/json {"auth": {"passwordCredentials": {"username": "USER_NAME", "password":"PASSWORD"} } }
- 20. Syntribos Payload • Data can be generated based on the test • Data generation supports HTTP protocol • Automated replacement – URL Path – URL Parameters – HTTP Headers – Body JSON, XML
- 21. Syntribos Validation • Extensible per test scenario • Default for fuzzing: – Response Length Comparison – HTTP Status Code
- 22. Syntribos Extensions • Used to supply supplementary data • Any data source can be referenced • Can be stored external to Syntribos • Returns a string or generator of strings
- 23. Syntribos Demo
- 24. Advantages • Test validation • Unlimited data sources • Command-line driven • Open source
- 25. Syntribos Future State • More security tests • Better reporting – Output formatting – Result aggregation • unittest creation to reproduce failures
- 26. OpenStack Security Project • Syntribos is an OpenStack Security Project • Other OSSG Security Projects: – Bandit (static code analysis) – Anchor (ephemeral PKI) – Security Guide (best practices)
- 27. Join Us 27 #openstack-security on Freenode #openstack-meeting-alt @ 1700 UTC Thur openstack-dev@lists.openstack.org • Use [Security] tag
- 29. Thanks 29
Editor's Notes
- #9: Automation tools exist for infrastructure/network (Nessus, Nexpose, Metasploit, Nikto), WebApp/UI (AppScan, Veracode, Zap dynamic scan), Code (Veracode, Bandit). Not fire and forget, but can help find low hanging fruit and points of interest. But what about API testing?
- #10: 3rd Party Vendors, Manual Testing – curl, custom code Tedious; repeatable but not scalable or transferrable, Hard to audit Partial Automation - Zap, Burp No standard format or contract definition No schema (SOAP, etc.) Authentication methods vary widely
- #12: Why does API automation matter?
- #24: …
- #26: Michael …
- #28: (Steve)
- #30: (Steve)