LASCON 2014 has ended
Thursday, October 23 • 3:00pm - 3:45pm
OpenStack API Security Testing Automation in Action

Sign up or log in to save this to your schedule and see who's attending!

Traditional API security testing is a manual process by security engineers using various tools such as Burp Suite, Zap Proxy, SQLMap, etc. The testing process is challenging, time-consuming, inconsistent and difficult to duplicate or audit. It is difficult to integrate the security testing with Agile development or Continuous Integration / Continuous Delivery (CI/CD). Lack of security resources makes the matter worse. In this talk, we will show how Rackspace tackles this problem. 

In this talk, we will show the open source testing framework created by Rackspace, the security plugin, and the progress of creating security testing cases for all OpenStack API. We will discuss about the challenges and lessons that we have learn thus far. Some bad practices or security defects that we identified will be discussed. In the end, we will demonstrate how to leverage our process and framework to improve OpenStack API security testing. 

In Rackspace, security engineers have been working with quality engineers to build an automation process for security testing of OpenStack API. Based on the open source testing framework created by the Rackspace quality engineering team, the teams created a security testing plugin which can automatically detect common security vulnerabilities; such as SQL injection, command injection, improper authentication/authorization, inadequate user input validation, transport security, etc. The security testing plugin has been built to meet the needs of the security and quality engineers. Security engineers can use “fuzzing” and “data generator” features to identify any potential security defects and create test cases for new security defects. Quality engineers can also create security test cases and integrate security testing with functional testing. By integrating security testing into our SDLC, it is possible to detect security defects and fix them earlier in the development process. The engineering teams have been working on building security test cases for all OpenStack projects. Once the code is finished and ready, we will make both the security plug-in and all tests cases open source and share with the community. 


Nathan Buckner

Software Developer in Test III, Rackspace
Nathan Buckner is Currently a Senior Software Developer at Rackspace. He has had a passion for computers and technology since before he learned about them in the army while serving as a Signal Support System Specialist. Following his Army Career, he moved on to pursue his passion... Read More →
avatar for Jim Freeman

Jim Freeman

Director, Quality and Security Engineering, Rackspace Hosting
Jim is a Director of Quality and Security Engineering at Rackspace. Jim has successfully built a team of specialized security engineers that is part of the development, quality, and delivery process at Rackspace. Jim felt that the best way to interconnect and ensure security testing... Read More →
avatar for Michael Xin

Michael Xin

Manager, Security Engineering, Rackspace
Michael Xin is working as a manager of security engineering in Rackspace. Before that, he worked as a senior application security engineer in Scottrade Inc. Michael is interested in web application / web service / API security, mobile application security and cloud security. Michael... Read More →

Thursday October 23, 2014 3:00pm - 3:45pm
Cypress Room Norris Conference Center, http://lascon.org/venue/

Attendees (0)