DevSecCon22, Mario-Leander Reimer (@LeanderReimer, Principal Software Architect @QAware).
Continuous delivery is everywhere. Really?! Many teams still struggle to deliver well-tested and secure product increments on a regular basis, usually with the same old excuse: the (non-)functional tests are too complex and too expensive to implement thoroughly. But exactly the opposite is the case!
In this talk, we briefly review the importance of early and regular testing of cloud-native applications and explain why monolithic CI pipelines are a dead end. We then show how easy it is to run security tests continuously and event-triggered using ZAP and Testkube directly on your Kubernetes cluster against your microservice OpenAPIs, fully integrated with a GitOps approach.
Our speaker is Mario-Leander Reimer, Passionate developer. Proud father. #CloudNativeNerd. Leander works as a principal software architect at QAware. He’s continuously looking for innovations in software engineering and ways to combine and apply state-of-the-art technology in real-world projects. As a speaker at national and international conferences he shares his tech experiences and he teaches cloud computing and software quality assurance as a part-time lecturer.
3. Holistic security still seems to be a neglected non-functional requirement in many software projects and agile teams.
4. Security is one of several software product quality attributes. Which one is more important?
QAware | 4
Software Product Quality (ISO 25010):
■ Functional Suitability: Completeness, Correctness, Appropriateness
■ Efficiency (Performance Efficiency): Time Behaviour, Resource Utilization, Capacity
■ Compatibility: Co-existence, Interoperability
■ Usability: Operability, Learnability, UI Aesthetics, Accessibility
■ Reliability: Maturity, Availability, Fault Tolerance, Recoverability
■ Security: Confidentiality, Integrity, Non-repudiation, Authenticity, Accountability
■ Maintainability: Modularity, Reusability, Analysability, Modifiability, Testability
■ Portability: Adaptability, Installability, Replaceability
5. Mastering the tools, techniques and technologies required for Continuous Delivery is not easy!
[Figure: Continuous Delivery and its outcomes: Low Risk Releases, Less Rework, Fast Time to Market, Better Products, Lower Costs, Happier Teams, Happier Users. Enabling practices: Loosely Coupled Architectures, Maintainable Code, Empowered Teams, Continuous Security from Day 1, Test Automation, Continuous Integration, GitOps, Deployment Automation, Monitoring and Alerting.]
6. Monolithic, linear CI/CD pipelines are suboptimal and will result in delayed feedback and long release cycles.
(Non-)functional tests are usually delayed until the end of the sprint or the release.
Which one first? Functionality vs. Performance vs. Security?
7. Why not run (non-)functional tests against a cloud-native microservice architecture continuously, or triggered on the cluster itself?
9. Conceptual PAL Architecture
[Figure: Dev pushes to Git. Build stages: Checkout, Build, Test, Quality, Package; the resulting packages are published/updated to a package repository. GitOps: the deployment watches the packages and deploys them to the Run environment. Test (E2E, NFA): tests are triggered on the cluster and run against the deployed services.]
11. OWASP Zed Attack Proxy (ZAP)
■ Widespread and well-known open source web application vulnerability scanner
■ Detailed documentation. International community.
■ Several modes of operation: Intercepting Proxy, Active and Passive scanner, HTTP Spider, Brute Force (Forced Browse) Scanner, Port Scanner, OpenAPI v3, SOAP, GraphQL, Web Sockets
■ ZAP provides a powerful API and tools for Security Scanning Automation
■ The official ZAP Docker images provide an easy way to run ZAP, especially in CI/CD and container runtime environments such as Kubernetes
– API Scan - a full scan of an API defined using OpenAPI / Swagger, or GraphQL
– Baseline Scan - a time limited spider which reports issues found passively
– Full Scan - a full spider, optional ajax scan and active scan which reports issues found
– Webswing - run the ZAP Desktop UI in a browser
■ https://www.zaproxy.org/docs/
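The packaged API Scan from the slide above, as an added example (not code from the talk): it runs zap-api-scan.py from the official container against a microservice's OpenAPI definition, classifies individual scan rules as IGNORE/WARN/FAIL through a rule file, and turns the script's exit status plus the JSON report into a pipeline verdict. The service URL, the OpenAPI path, the file names and the sample report are placeholders or constructed; the image name, script flags, exit codes and rule ids are ZAP's own.

```shell
#!/bin/sh
# Added example (not from the talk): run ZAP's packaged API scan and gate a
# pipeline on the result. Placeholders: service URL, OpenAPI path, file names.

# Write a ZAP rule configuration file for the -c option of zap-api-scan.py.
# Each line is "<plugin id><TAB><IGNORE|WARN|FAIL><TAB>(<rule name>)". The ids
# are ZAP scan rule ids; rules not listed keep the script's default handling.
write_zap_rules() {
  out="$1"
  {
    printf '%s\t%s\t(%s)\n' 10021 WARN   'X-Content-Type-Options Header Missing'
    printf '%s\t%s\t(%s)\n' 10096 IGNORE 'Timestamp Disclosure - Unix'
    printf '%s\t%s\t(%s)\n' 40018 FAIL   'SQL Injection'
    printf '%s\t%s\t(%s)\n' 90022 FAIL   'Application Error Disclosure'
  } > "$out"
}

# Translate the exit status of the packaged scan scripts into a CI verdict.
# 0: no WARN or FAIL alerts, 1: at least one FAIL, 2: at least one WARN and
# no FAIL, 3 (or anything else): the scan itself did not complete.
zap_verdict() {
  case "$1" in
    0) echo pass ;;
    1) echo fail ;;
    2) echo warn ;;
    *) echo error ;;
  esac
}

# Count alerts whose riskcode is at least $2 in a ZAP JSON report ($1).
# riskcode: 0 Informational, 1 Low, 2 Medium, 3 High. This lets the pipeline
# fail on any High finding regardless of how the rule file classified it.
count_alerts_at_least() {
  grep -o '"riskcode": *"[0-3]"' "$1" | sed 's/.*"\([0-3]\)"$/\1/' |
    awk -v min="$2" '$1 >= min { n++ } END { print n + 0 }'
}

# Constructed minimal report in the shape of ZAP's traditional JSON output,
# used only so the gate logic can be exercised without running a scan.
write_sample_report() {
  cat > "$1" <<'EOF'
{"@version":"2.14.0","site":[{"@name":"http://petstore.default.svc:8080","alerts":[
 {"pluginid":"40018","name":"SQL Injection","riskcode":"3","confidence":"2"},
 {"pluginid":"10021","name":"X-Content-Type-Options Header Missing","riskcode":"1","confidence":"2"},
 {"pluginid":"10096","name":"Timestamp Disclosure - Unix","riskcode":"0","confidence":"1"}]}]}
EOF
}

# Run the scan. $1: OpenAPI definition (URL, or a file under $PWD), $2: rule
# file under $PWD. $PWD is mounted as /zap/wrk, where the script reads the
# -c file and writes the -J (JSON) and -r (HTML) reports.
run_api_scan() {
  docker run --rm -t -v "$PWD:/zap/wrk:rw" ghcr.io/zaproxy/zaproxy:stable \
    zap-api-scan.py -t "$1" -f openapi -c "$2" \
    -J zap-report.json -r zap-report.html
}

main() {
  write_zap_rules zap-rules.conf
  status=0
  run_api_scan "http://petstore.default.svc:8080/openapi.json" zap-rules.conf || status=$?
  verdict=$(zap_verdict "$status")
  highs=$(count_alerts_at_least zap-report.json 3)
  echo "zap exit $status -> $verdict, high-risk alerts: $highs"
  # Fail the stage on a FAIL verdict, a broken scan, or any High alert.
  [ "$verdict" = pass ] || [ "$verdict" = warn ] || exit 1
  [ "$highs" -eq 0 ] || exit 1
}

# Only run the real scan when asked, so the functions can be sourced and tested.
if [ "${ZAP_RUN_SCAN:-0}" = 1 ]; then main; fi
```

Run it with `ZAP_RUN_SCAN=1 sh zap-gate.sh` from a directory that may contain the rule file; the script distinguishes "the target had findings" (exit 1 or 2) from "the scan never ran" (exit 3), which a pipeline should never treat as a pass.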
12. Hello Testkube.
Your friendly cloud-native testing framework for Kubernetes
■ Testkube natively integrates test orchestration and execution into Kubernetes and your CI/CD or GitOps pipeline
■ Avoids vendor lock-in for test orchestration and execution in CI/CD pipelines
■ Makes it possible to decouple test execution from build processes; test engineers should be able to run specific tests whenever needed
■ Makes it easy to run any kind of tests (functional, load/performance, security, compliance, etc.) in your clusters, without having to wrap them in Docker images or provide network access from outside
■ Provides a modular architecture for adding new types of tests and executors
■ https://github.com/kubeshop/testkube
13. Demo Architecture and Testkube Concepts
[Figure: three namespaces. default: the Microservice (SUT) with a Test Trigger watching it. testkube: Testkube Dashboard, Webhook Receiver, Testkube API Server, CRDs (Test, Test Suite, Test Source, Test Trigger), Executors, Mongo DB, NATS, Minio S3. flux-system: GitOps deployment. A CI/CD System or the Dev (via the CLI) starts tests; the API Server runs them through Executors, stores results in Mongo DB and artifacts in Minio S3; a change to the Microservice triggers a test run; webhooks notify the Monitoring System.]
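The event-triggered flow from slides 12 and 13 (a Test that runs the ZAP API scan, and a TestTrigger that starts it whenever the microservice's Deployment changes, i.e. after the GitOps controller has rolled out a new version), as an added example that is not code from the talk or the Testkube project. Assumed: the service name "petstore" in namespace "default", its OpenAPI URL, and the key names of the ZAP executor's YAML test content (target, format, hostname), which mirror the zap-api-scan.py flags; the CRD API versions and field names are those of Testkube's Test (v3) and TestTrigger (v1) resources.

```shell
#!/bin/sh
# Added example (not from the talk or Testkube): declare the ZAP API scan as a
# Testkube Test, wire it to a TestTrigger on the microservice's Deployment, and
# apply both. Placeholders: service name, namespaces, OpenAPI URL.

# Testkube Test of type zap/api. The test content is the ZAP executor's own
# YAML config, passed inline (content type "string") so no Git checkout is
# needed. Key names target/format/hostname are assumed to mirror
# zap-api-scan.py's -t, -f and -O flags.
zap_test_manifest() {
  name="$1" ns="$2" spec_url="$3" host="$4"
  cat <<EOF
apiVersion: tests.testkube.io/v3
kind: Test
metadata:
  name: $name
  namespace: $ns
spec:
  type: zap/api
  content:
    type: string
    data: |
      api:
        target: $spec_url
        format: openapi
        hostname: $host
EOF
}

# TestTrigger: when the named Deployment in the application namespace is
# modified (new image rolled out by Flux), run the Test declared above.
deploy_trigger_manifest() {
  name="$1" ns="$2" deploy="$3" deploy_ns="$4" test_name="$5"
  cat <<EOF
apiVersion: tests.testkube.io/v1
kind: TestTrigger
metadata:
  name: $name
  namespace: $ns
spec:
  resource: deployment
  resourceSelector:
    name: $deploy
    namespace: $deploy_ns
  event: modified
  action: run
  execution: test
  testSelector:
    name: $test_name
    namespace: $ns
EOF
}

# Apply both manifests, then run the test once by hand to check the wiring
# before relying on the trigger.
main() {
  zap_test_manifest zap-api-petstore testkube \
    http://petstore.default.svc:8080/openapi.json \
    http://petstore.default.svc:8080 | kubectl apply -f -
  deploy_trigger_manifest petstore-deploy-trigger testkube \
    petstore default zap-api-petstore | kubectl apply -f -
  kubectl testkube run test zap-api-petstore --watch
}

# Only talk to the cluster when asked, so the functions can be sourced and tested.
if [ "${TESTKUBE_APPLY:-0}" = 1 ]; then main; fi
```

Because the Test and TestTrigger are plain CRDs, they can live in the same Git repository that Flux reconciles, so the security test definition follows the same GitOps path as the service it scans.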