Syntribos – Security Test Automation for APIs

Matthew Valdes

Background

• Matt Valdes – Security Developer– Application Security Testing

Rackspace Security Engineering

• Security within Quality Engineering

Infrastructure Testing

Web App Testing

Code Security Review

API Testing

Security Test Automation

API Test Automation?

OpenStack

• Open source cloud platform• Started in 2010 by NASA and Rackspace• Today: > 2.5 million LoC + 1800 contributors• ~77% Python

API Test Scope

JSON Body

JSON Body

Enter Syntribos

• THE DAIMONES KERAMIKOI were five malevolent spirits which plagued the craftsman potter– Syntribos (the Shatterer)– Smaragos (the Smasher)– Asbetos (Charrer)– Sabaktes (Destroyer) – Omodamos (Crudebake).

API Test Automation!

• Automatic fuzzer for HTTP requests– Currently Based on FuzzDB Test Strings

• Fully customizable• Open source!

Syntribos Framework

• OpenCafe– Code: https://github.com/openstack/opencafe.git– Docs: http://opencafe.readthedocs.org/en/latest/– Automation Framework Engine– Unittest Framework

Syntribos Architecture

Syntribos Configuration

[syntribos]endpoint=https://cloud.api.example.com

[user]username=user123password=password123

Syntribos RequestPOST /tokens HTTP/1.1Accept: application/jsonContent-type: application/json

{"auth": {"passwordCredentials": {"username": "USER_NAME", "password":"PASSWORD"} }}

Syntribos Payload

• Data can be generated based on the test• Data generation supports HTTP protocol• Automated replacement– URL Path– URL Parameters– HTTP Headers– Body JSON, XML

Syntribos Validation

• Extensible per test scenario• Default for fuzzing:– Response Length Comparison – HTTP Status Code

Syntribos Extensions

• Used to supply supplementary data• Any data source can be referenced• Can be stored external to Syntribos• Returns a string or generator of strings

Syntribos Demo

Advantages

• Test validation• Unlimited data sources• Command-line driven• Open source

Syntribos Future State

• More security tests• Better reporting– Output formatting– Result aggregation

• unittest creation to reproduce failures

OpenStack Security Project

• Syntribos is an OpenStack Security Project• Other OSSG Security Projects:– Bandit (static code analysis)– Anchor (ephemeral PKI)– Security Guide (best practices)

27

Join Us

#openstack-security on Freenode#openstack-meeting-alt @ 1700 UTC Thur

openstack-dev@lists.openstack.org• Use [Security] tag

28

Q&A

https://github.com/openstack/syntribos

matthew.valdes@rackspace.com

29

Thanks