OpenStack Summit May 2015 Vancouver

 

As OpenStack becomes popular, Continuous Integration and Continuous Deployment (CI/CD) of OpenStack is gaining attention. Customers need the ability to deploy multiple times every day to meet their business needs. This is a huge challenge to application security.   Traditional web application security testing and API security testing are manual processes aided by various tools. The tests are time consuming and lack consistence. It is almost impossible to embed these types of security testing into CI/CD process. 

 

In Rackspace, security engineering team is working with quality engineers and developers to integrate security testing into CI/CD process. Security engineering team uses the same framework/tool that quality engineer use to ease integration. Currently we are focusing on API security testing automation and web application security testing. We are working on a couple of approaches to integrate security-testing cases with QE testing framework. The security test cases cover necessary security checks including common security vulnerability checks and some product specific checks. These security test cases can be run by anyone from the team. They can also be invoked as Jenkins jobs as part of integration test. The failed security test cases indicate some types of security defects and need to be remediated. 

 

The security testing automation improves the consistency, repeatability and auditability of our security testing process. Security testing within CI/CD process can detect security defect in early stage and reduce remediation costs.