Explore Cloud Native Security Testing

Background

Containers and cloud-native platforms let enterprises automate application deployment and deliver large business benefits. These newly deployed cloud environments are, however, just as exposed to attack by external adversaries and insiders as traditional environments: ransomware, cryptocurrency mining, data theft and service-disruption attacks continue to hit container-based, cloud-native environments. Because security flaws in cloud platforms keep causing major security incidents, security testing of the cloud platform is especially important.

Some related security incidents:

  • In 2017, a security breach at Equifax, a US credit reporting company, leaked the data of about 148 million American citizens. (Source: Xinhuanet)

  • In 2018, Tesla's cloud servers were hijacked and turned into cryptocurrency-mining machines, and confidential data was leaked. (Source: Netease)

  • In 2022, HSBC's Internet banking service was hit by distributed denial-of-service (DDoS) attacks and went down twice in less than a month. (Source: Safety Dog)

A Security Perspective in the Cloud Era

So how is security testing carried out in a cloud-native environment? First, let us look at how the security perspective and the priorities of security testing differ between eras.

In the terminal era of monolithic architecture, the presentation layer, business-logic layer and data-access layer of every business scenario live in one project, which is compiled, packaged and deployed on a single server. The structure is relatively simple and relatively easy to protect.

In the Internet era, applications moved to a service-oriented architecture, which splits the application into separate functional units connected through well-defined interfaces and contracts between services. This makes protection more complicated: it requires an application-level firewall together with intrusion detection and prevention (IDP), SSL and VPN protection.

In the cloud era, applications use a microservice architecture, which is in effect a combination of many services. Each service exposes its own ports and application APIs, which enlarges the network attack surface and poses serious security challenges. Every microservice must be adequately protected to address this threat.

Challenges Facing Security Testing in the Cloud Era

Having looked at how the security perspective differs between eras, let us examine, from those differences, the challenges security testing faces in the cloud era compared with traditional security testing:

  • The microservice architecture generates a large amount of internal (east-west) network traffic in a dynamic, complex network, so visibility inside the cloud network is very low and traditional network security testing methods are no longer adequate.
  • Elastic scaling of resources makes it hard for traditional security testing schemes to be effective, so the security of the system as actually deployed cannot be tested.
  • The large number of open-source software vulnerabilities, complex internal attacks and rapid application iteration all raise the requirements for the timeliness of security protection.

Because of these challenges, traditional security testing methods and tools cannot cope with the differences in architecture and technology: they cannot detect container vulnerabilities, identify the information flowing inside the cloud network, or scale to large deployments. More advanced technologies and tools are therefore needed for effective security testing.

Cloud Native Security Testing Solution

Traditional security testing tools and methods do not carry over to cloud-native environments, so dedicated cloud-native security testing tools and methods must be introduced, and a new security testing solution designed around the characteristics of cloud-native networks and infrastructure, to cover the blind spots the traditional tools leave.

Before designing a cloud-native security testing solution, let us first define what cloud-native security testing covers.

  • At the infrastructure level: host and infrastructure security compliance testing, Docker/Kubernetes standard compliance testing (for example against the CIS Docker and Kubernetes benchmarks), image vulnerability and virus scanning, image auditing, and cloud database and storage security testing
  • For image security: image vulnerability scanning, virus scanning, automatic real-time scanning, and integration testing with third-party logging tools
  • At the cloud-native network level: cloud-native network security testing, and integration testing of the security features of CNI plugins such as Macvlan, Calico and OVS
  • For application and container security: container virus scanning and application vulnerability scanning
  • At application runtime: security testing of the service runtime and scanning for malicious processes
  • Alongside these, traditional penetration testing methods can be applied to cloud storage, databases and operating systems
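
One concrete form of the Docker/Kubernetes compliance and image-audit testing listed above is a static check of workload manifests before they reach the cluster. The script below is an added example written for this article, not code from NeuVector, kubescape or any other tool named here. It takes manifests as already-parsed dictionaries (the shape a YAML loader returns), the sample Deployment is constructed to mirror the Redis Deployment used in the demo later on, and the hardening rules and the placeholder image digest are this example's own choices:

```python
"""Static audit of Kubernetes workload manifests for common hardening gaps.

Added example, not code from the article or from NeuVector/kubescape. Manifests
are given as parsed dicts (what yaml.safe_load returns), so this is stdlib-only.
"""

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}

# Constructed sample: a Deployment shaped like the article's Redis one (unpinned
# image, no securityContext, no limits) beside a hardened variant of it.
DEMO_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "redis-pod", "namespace": "demo"},
    "spec": {
        "selector": {"matchLabels": {"app": "redis-pod"}},
        "template": {
            "metadata": {"labels": {"app": "redis-pod"}},
            "spec": {"containers": [{"name": "redis-pod", "image": "redis"}]},
        },
    },
}

HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "redis-pod-hardened", "namespace": "demo"},
    "spec": {
        "selector": {"matchLabels": {"app": "redis-pod"}},
        "template": {
            "metadata": {"labels": {"app": "redis-pod"}},
            "spec": {
                "automountServiceAccountToken": False,
                "containers": [{
                    "name": "redis-pod",
                    "image": "redis:7.2.4@sha256:" + "0" * 64,  # placeholder digest
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                    "securityContext": {
                        "runAsNonRoot": True,
                        "allowPrivilegeEscalation": False,
                        "readOnlyRootFilesystem": True,
                        "capabilities": {"drop": ["ALL"]},
                    },
                }],
            },
        },
    },
}


def pod_spec(manifest):
    """Return the pod template spec; a CronJob nests it one level deeper."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def image_is_pinned(image):
    """True if the reference carries a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # drop any registry[:port]/repo prefix
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    return tag != "latest"


def audit_workload(manifest):
    """Return (container-or-pod, finding) tuples for one workload manifest."""
    findings = []
    if manifest.get("kind") not in WORKLOAD_KINDS:
        return findings
    spec = pod_spec(manifest)
    if spec.get("automountServiceAccountToken", True):
        findings.append(("pod", "service account token auto-mounted"))
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        findings.append(("pod", "shares a host namespace"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = {**pod_sc, **c.get("securityContext", {})}   # container overrides pod
        if not image_is_pinned(c.get("image", "")):
            findings.append((name, "image tag not pinned (floats to :latest)"))
        if sc.get("privileged"):
            findings.append((name, "privileged container"))
        if not sc.get("runAsNonRoot"):
            findings.append((name, "runAsNonRoot not set"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not disabled"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "root filesystem writable"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((name, "Linux capabilities not dropped"))
        if "limits" not in c.get("resources", {}):
            findings.append((name, "no resource limits (noisy-neighbour / DoS risk)"))
    return findings


if __name__ == "__main__":
    for m in (DEMO_DEPLOYMENT, HARDENED_DEPLOYMENT):
        print(m["metadata"]["name"], audit_workload(m))
```

Run against real manifests by loading each YAML document with a YAML parser and passing the resulting dict to audit_workload; the demo Deployment produces seven findings, the hardened one none. The unpinned-image check matters for the scanning bullets above: an image referenced as redis resolves to whatever :latest is at deploy time, so a scan result for it is only valid for the digest that was actually pulled.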

Open Source Security Testing Toolbox

Based on the testing scope above, this section introduces a set of test solutions built on open source security tools, with which we can then carry out our security testing. We call this set of tools the Open Source Security Testing Toolbox; it contains the following tools:

  • Overall cloud-native infrastructure security: NeuVector
  • Image audit, vulnerability and virus scanning: Clair, Anchore, Dagda
  • Cloud-native network security testing: kubescape
  • Container runtime security testing: Falco
  • Container virus scanning: ClamAV
  • Penetration testing: sqlmap, Metasploit

Using an open source security testing toolbox for cloud-native security testing has the following advantages:

  • Economical: the tools themselves carry no licence cost, compared with commercial solutions that cost millions or tens of millions (operating and integration effort is still required).
  • Security: the source code of every detection tool can be inspected and obtained, which matches the special security requirements of industries such as finance, government and the military.
  • Scalability and comprehensiveness: thousands of community security testing tools are available to extend the cloud-native security testing strategy to customer needs and cover testing blind spots.
  • Flexibility: the cloud-native security solution can be customised freely, and the most appropriate cloud-native security testing strategy chosen for each customer.

Next, we deploy a multi-tier application made of Nginx, Node.js and Redis, and use the open source tool NeuVector to demonstrate a threat attack test:

  1. Create a test namespace named demo: kubectl create namespace demo

  2. Create the Redis service and deployment with the following YAML:

    apiVersion: v1
    kind: Service
    metadata:
      name: redis
      namespace: demo
    spec:
      ports:
      - port: 6379
        protocol: "TCP"
        name: "cluster-tcp-6379"
      clusterIP: None
      selector:
        app: redis-pod
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: redis-pod
      namespace: demo
    spec:
      selector:
        matchLabels:
          app: redis-pod
      template:
        metadata:
          labels:
            app: redis-pod
        spec:
          containers:
          - name: redis-pod
            image: redis

  3. Create the Node.js service and deployment with the following YAML:

    apiVersion: v1
    kind: Service
    metadata:
      name: node
      namespace: demo
    spec:
      ports:
      - port: 8888
        protocol: "TCP"
        name: "cluster-tcp-8888"
      clusterIP: None
      selector:
        app: node-pod
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: node-pod
      namespace: demo
    spec:
      selector:
        matchLabels:
          app: node-pod
      replicas: 3
      template:
        metadata:
          labels:
            app: node-pod
        spec:
          containers:
          - name: node-pod
            image: nvbeta/node

  4. Create the Nginx service and deployment with the following YAML:

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-webui
      namespace: demo
    spec:
      ports:
        - port: 80
          name: webui
          protocol: TCP
      type: NodePort
      selector:
        app: nginx-pod
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-pod
      namespace: demo
    spec:
      selector:
        matchLabels:
          app: nginx-pod
      template:
        metadata:
          labels:
            app: nginx-pod
        spec:
          containers:
          - name: nginx-pod
            image: nvbeta/swarm_nginx
            ports:
            - containerPort: 80
              protocol: TCP

  5. To reach the Nginx service from outside the cluster, find the random port that NodePort assigned to it (mapped to port 80):

    kubectl get svc -n demo

  6. Then connect to the public IP address and NodePort of one of the Kubernetes nodes, e.g. http://(public_IP):(NodePort)

  7. Open a shell in one of the node pods, install hping3 (a packet-crafting tool that can generate a flood) inside the container, and note the pod's IP address:

    kubectl exec -it -n demo <node-pod-name> -- bash
    apt-get update && apt-get install -y hping3   # assumes a Debian/Ubuntu-based image; use the image's own package manager otherwise
    ifconfig                                       # or: hostname -I
    10.1.213.79

  8. Launch the flood against another pod (10.1.213.85 is the IP of a second pod in the namespace):

    hping3 -c 100000 -d 120 -S -p 80 -w 64 --flood --rand-source 10.1.213.85

  9. Open the Notification → Security Event page to view the alert

The alert identifies the container that launched the flood (reported by NeuVector as a Ping of Death event) and NeuVector records the violation automatically. Note that with -S and -p 80 hping3 sends TCP SYN segments rather than ICMP echo requests, so check the event type NeuVector assigns rather than assuming an ICMP signature. The expected result matches the actual result, and the threat attack test case passes.
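The detection NeuVector performs in step 9 is, at its core, a rate check per destination over the cluster's east-west traffic. The following added example, written for this article and not taken from NeuVector or any other project, reproduces that logic over constructed connection records: background pod-to-pod traffic to the pod at 10.1.213.85 plus a one-second burst shaped like the hping3 --flood --rand-source command above. The window length, the 200-SYN threshold, the spoofing ratio and the record tuple format are this example's own assumptions:

```python
"""Sliding-window SYN flood detector over connection records.

Added example: not the article's code and not NeuVector's detection logic. It
shows the per-destination rate check such a tool applies to the hping3 flood.
Records are constructed tuples: (ts_seconds, src_ip, dst_ip, dst_port, tcp_flags).
"""
from collections import Counter, defaultdict, deque
import random

WINDOW_S = 1.0      # sliding window length (assumed)
SYN_LIMIT = 200     # pure SYNs per window per (dst, port) before alerting (assumed)
SPOOF_RATIO = 0.8   # distinct sources / SYNs above this suggests --rand-source (assumed)


class SynFloodDetector:
    def __init__(self, window_s=WINDOW_S, syn_limit=SYN_LIMIT, spoof_ratio=SPOOF_RATIO):
        self.window_s, self.syn_limit, self.spoof_ratio = window_s, syn_limit, spoof_ratio
        self._syns = defaultdict(deque)   # (dst, dport) -> deque of (ts, src)
        self._active = set()              # destinations currently in a reported flood
        self.alerts = []

    def observe(self, ts, src, dst, dport, flags):
        """Feed one record (in time order); alert only on the rising edge of a flood."""
        if flags != "S":                  # count pure SYNs; a SYN-ACK is the reply
            return None
        key = (dst, dport)
        q = self._syns[key]
        q.append((ts, src))
        while ts - q[0][0] > self.window_s:   # expire records older than the window
            q.popleft()
        if len(q) <= self.syn_limit:
            self._active.discard(key)     # flood over (or never started): re-arm
            return None
        if key in self._active:           # this flood has already been reported
            return None
        self._active.add(key)
        sources = Counter(s for _, s in q)
        spoofed = len(sources) / len(q) >= self.spoof_ratio
        alert = {"dst": dst, "port": dport, "at": ts, "syn_per_window": len(q),
                 "distinct_sources": len(sources), "spoofed_sources": spoofed,
                 "top_source": None if spoofed else sources.most_common(1)[0][0]}
        self.alerts.append(alert)
        return alert

    def run(self, records):
        for rec in sorted(records, key=lambda r: r[0]):
            self.observe(*rec)
        return self.alerts


def constructed_traffic(seed=7, flood=True, flood_src=None):
    """Constructed sample: 60 s of pod-to-pod traffic to 10.1.213.85:80 plus,
    optionally, a one-second flood like `hping3 -S -p 80 --flood [--rand-source]`.
    flood_src=None spoofs a random source per packet; a string uses one source."""
    rng = random.Random(seed)
    records = []
    for i in range(60 * 15):                          # 15 connections/s from 3 node pods
        t = i / 15
        src = f"10.1.213.{80 + i % 3}"
        records.append((t, src, "10.1.213.85", 80, "S"))
        records.append((t + 0.001, "10.1.213.85", src, 40000 + i, "SA"))
    if flood:
        for _ in range(2000):                         # 2000 SYNs inside t = [30, 31)
            src = flood_src or ".".join(str(rng.randint(1, 254)) for _ in range(4))
            records.append((30 + rng.random(), src, "10.1.213.85", 80, "S"))
    return records


if __name__ == "__main__":
    for alert in SynFloodDetector().run(constructed_traffic()):
        print(alert)
```

The detector raises one alert per flood, at the moment the count first crosses the threshold, and re-arms only once the window drains below it; that keeps a sustained flood from generating one event per packet. With --rand-source almost every SYN carries a different source address, so source IP alone cannot name the attacker, which is why a container-aware tool attributes the event to the workload that emitted the packets rather than to the addresses in the headers.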

Cloud Native DevSecOps

DevSecOps adds Security to DevOps. The concept, proposed in 2012, integrates security testing into the whole DevOps practice so that it runs throughout development, operations and maintenance. It integrates with the CI/CD pipeline to shift tests left (into development) and right (into operations), and it connects to the standard monitoring and alerting system to provide round-the-clock security monitoring of applications running in development and production environments.

DevSecOps emphasises that security is the responsibility of everyone on the team: whether in development, testing or operations, security must run through the whole product life cycle. It addresses the isolation, lag, randomness, poor coverage and change inconsistency of ad-hoc security testing. Fixing the process strengthens collaboration between roles, and tooling integrates the automatable, repeatable part of security testing into the development system, so that the product's security properties are embedded in the whole development and operations pipeline.
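The image vulnerability scanning in the toolbox only becomes a DevSecOps control once the pipeline can fail on its result. The added example below, written for this article rather than taken from Clair, Anchore or any CI system, turns a scan report into a pass/fail gate with time-limited risk acceptances. The report layout, the EXAMPLE-* identifiers, the package versions and the exception dates are all constructed placeholders, not real findings, and the severity thresholds are assumed policy values:

```python
"""CI gate: turn an image vulnerability report into a pass/fail decision.

Added example, not the article's code; the report shape is a constructed,
simplified one rather than Clair's or Anchore's real output format.
"""
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scan result for a hypothetical image; ids and versions are placeholders.
SCAN_REPORT = [
    {"id": "EXAMPLE-0001", "package": "openssl", "severity": "CRITICAL", "fixed_in": "3.0.13"},
    {"id": "EXAMPLE-0002", "package": "curl", "severity": "HIGH", "fixed_in": "8.6.0"},
    {"id": "EXAMPLE-0003", "package": "zlib", "severity": "HIGH", "fixed_in": None},
    {"id": "EXAMPLE-0004", "package": "bash", "severity": "MEDIUM", "fixed_in": "5.2"},
]

# Accepted-risk exceptions name the finding and carry an expiry (ISO date), so a
# waiver cannot silently outlive the sprint in which it was granted.
EXCEPTIONS = {"EXAMPLE-0002": "2030-01-01", "EXAMPLE-0003": "2020-01-01"}

# fail_at: lowest severity that blocks when a fix exists;
# unfixed_blocks_at: lowest severity that blocks even with no fix available.
DEFAULT_POLICY = {"fail_at": "HIGH", "unfixed_blocks_at": "CRITICAL"}


def evaluate(report, policy=DEFAULT_POLICY, exceptions=EXCEPTIONS, today=None):
    """Classify findings; 'pass' is False if anything ends up in 'blocking'."""
    today = date.fromisoformat(today) if today else date.today()
    result = {"blocking": [], "warnings": [], "waived": [], "expired": []}
    for v in report:
        rank = SEVERITY_RANK[v["severity"].upper()]
        if rank < SEVERITY_RANK[policy["fail_at"]]:
            continue                                    # below the gate: ignore
        until = exceptions.get(v["id"])
        if until is not None and date.fromisoformat(until) < today:
            result["expired"].append(v["id"])           # stale waiver: treat as unwaived
        elif until is not None:
            result["waived"].append(v["id"])
            continue
        if v["fixed_in"] is None and rank < SEVERITY_RANK[policy["unfixed_blocks_at"]]:
            result["warnings"].append(v["id"])          # nothing to upgrade to yet
            continue
        result["blocking"].append(v["id"])
    result["pass"] = not result["blocking"]
    return result


if __name__ == "__main__":
    verdict = evaluate(SCAN_REPORT)
    print(verdict)
    raise SystemExit(0 if verdict["pass"] else 1)      # non-zero exit fails the pipeline stage
```

In a pipeline the scanner's JSON output is loaded into the same list-of-dicts shape and the process exit code decides whether the image is pushed. The expired-waiver path is the part worth keeping: it reports the stale exception separately so the owner can renew or fix it, instead of letting an old acceptance hide a finding indefinitely.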

Summary

Combining open source cloud-native security testing tools with penetration testing tools and methods, and designing a sound security testing strategy, lets us carry out the security tests specific to cloud-native environments: cloud platform infrastructure compliance testing, container network security testing, container runtime security testing, cloud testing and image security testing. This reveals the security risks of the cloud platform and its applications, and fixing those risks continuously improves the security of both.

Origin blog.csdn.net/wx17343624830/article/details/130486627