7 May, 2019
Penetration Testing in the times of APIs and Microservices
In ever-evolving cyberspace, the sources of threats cannot be limited to a certain extent. Most of the security incidents we see these days are data breaches or denial of service attacks. And when it comes to taking appropriate steps, a wide array of actions needs to be taken in order to achieve the maximum level of security possible. This article throws light on various aspects that play an important role in the security
What are Microservices?
Microservice, or the microservice architecture, is an architectural representation of an application’s structure as a collection of services that are loosely coupled, independently deployed, require high maintenance, and organized around business capabilities.
Figure: Microservices Architecture
Where are microservices used?
We use microservices in those business environments which involve multiple interactions at the same time. The important point is that each independent service has a business boundary wherein it can be independently developed, tested, deployed, monitored, and scaled. These can be even developed in different programming languages.
More or less, penetration testing of microservices is the same as penetration testing of web applications. The idea is to test for multiple flaws in the system or application. To start with, user-supplied input is tested. The most likely scenario of an attack or vulnerability is A1: Injection attacks (SQL, Command, Client-Side code, etc.). Then, the testing process is carried out for logical security vulnerabilities such as authentication, password reset functionality, new user account registration, etc.
A hoverfly is a tool for testing APIs. This tool allows you to perform automated tests that can run distinctly of other microservices. It is platform-independent can run on Windows, Mac, or Linux.
Ambassador is an API gateway that is built on Lyft’s Envoy proxy and communication bus, which allows microservices to register their public API endpoint easily. Once you put microservices in the production environment, you can easily understand their behavior. Envoy provides you with a variety of ways to get statistics about traffic and monitor messages.
Telepresence allows you to replace the running code in a staging Kubernetes or OpenShift cluster, with the application running on your machine. This means that you can manually test your code in a realistic environment or go through your code with the help of a debugger as you reproduce the problem in a real environment.
What is API?
API stands for Application Programming Interface. It allows communication and data exchange between two separate software systems. A software system implementing an API contains functions/sub-routines which can be executed by another software system.
Where are they used?
Penetration testing & APIs
Just like penetration testing of microservices, API penetration testing is quite like web application penetration testing. We follow the same approach in API Penetration Testing, however, the types of attacks that are carried out are a bit different but mostly web application flaws fit in it very easily. Standard vulnerabilities such as OWASP Top 10 are mandatorily needed to be checked.
Zed Proxy an Open Source Tools, developed by OWASP. It is used to find security flaws in web applications.
Fiddler is an open-source tool, which can be used for many purposes like Web Debugging, Performance Testing, Web Session Alteration, and for security testing.
Postman is an API Development and Security testing tool. It is used widely by developers as it is the only tool that provides complete assistance to develop APIs.
Microservices & APIs – Similarities & Differences
Generally, APIs tend to be very large and can perform a lot of different functions. But Microservice APIs do just one job, or small set of closely related autonomous jobs and work in a quick, easy, and discrete manner—like an individual building block. An API makes microservices easier to manage and allows them to coexist with existing legacy systems. Combining a microservices architecture with a holistic API strategy is a proven way of getting the benefits of microservices while limiting the drawbacks.