Welcome to another inside story straight from the Wallarm labs. Today we’re taking you behind the scenes of our self-testing journey, showcasing how we "drink our own champagne" by implementing our Framework for Application Security Testing (FAST) to strengthen the security of our APIs. The intent is to illustrate how our API security journey not only solidifies our product, but also reinforces our core value: creating the most secure environment possible for our users.
The Value of FAST
The whole point of FAST is to reuse existing development tests to automatically create and augment security tests, and integrate that into the development process.
- Without FAST – Security engineers manually create test cases, research business logic, etc. from scratch (or based on similar apps).
- With FAST – Security engineers reuse smoke and integration tests, adding only fuzzing and testing policies, which QA uses to test new releases.
From Security Testing to Enhanced User Experience: The Dual Goals
At Wallarm, the quest for ultimate security never ends. One way of continually raising the bar is implementing our own FAST technology to identify vulnerabilities in our APIs during the early stages of development. Our focus is not just on reducing API security risks, but also on continually improving user experience and testing the product itself.
Unveiling the Layers: Wallarm’s FAST Experience
Self-testing (aka dogfooding, fishfooding, icecreaming, or drinking our own champagne) our FAST technology has given us several valuable insights, such as improvements in user interface (UI), troubleshooting, observability, and performance. We learned how to run tests more efficiently, discovered how to better display data of our test results, and recognized the importance of a detailed problem analysis interface. We also identified what information was essential for understanding the requests and checks made by FAST, and where performance optimizations were needed.
Our Testing Process: Maintaining Quality and Security
Our relentless pursuit of excellence means we conduct a new audit whenever a new version of cloud services or the FAST Proxy is released. This helps us discover and address any FAST-related bugs before deploying them into production.
Our approach to testing involves smoke tests and a cloud audit, where smoke tests are performed on the application, protected by Wallarm. The tests made requests to the cloud via the FAST Proxy by adding the IP address of FAST to the allowlist, allowing us to bypass Wallarm protections.
Smoke and UI Tests: Testing the Basic Functionality
Smoke tests, written as black-box tests using Python, pytest, and Playwright, serve as the foundation of our testing process. They evaluate our system's most fundamental functionality by using the same interfaces as our customers. Most of these tests make requests to the Wallarm cloud, thereby checking critical use cases and ensuring robust security.
UI tests are carried out using the Playwright framework to verify that all dashboards are functioning correctly, and the primary elements are loading as expected.
API Tests: Diving Deeper
API tests, which constitute the majority of our tests, involve calls to the cloud to create rules, triggers, check event lists, and IP lists. These tests encompass various GET, POST, DELETE, PUT, and other requests, providing a comprehensive assessment of our APIs.
Docker and GitLab Workflow: Streamlining the Testing Process
To facilitate a smooth testing process, we use Docker. To run these tests, we run a Docker container with all the FAST components inside. This FAST Node shares data with the cloud, where we can start tests and configure policies. This setup is easily deployed both locally and in a CI/CD environment.
Our GitLab workflow consists of scheduled and manual launches, with an option to pass a policy_id for manual triggering, enabling more accurate and speedy usability checks.
A Use Case: Identifying BOLA
To detect Broken Object Level Authorization (BOLA) vulnerabilities, we designed a special test. We created a client that did not appear in any of our tests, and replace the value of clientid in the query with the id of this pre-created client. If the response returns a 200 status code, we know there was a potential BOLA vulnerability.
The Process: Involving QA, Development, and Security
Our security testing process is a collective effort, involving QA engineers, developers, and security engineers.
QA engineers are responsible for the pipeline, architecture, auto-tests, and solution configuration. When an error pops up unrelated to a vulnerability, our QA engineers analyze and rectify the issue. Unlike other companies, our QA team independently writes the GitLab workflow.
Developers, on the other hand, take on the responsibility of analyzing and fixing any vulnerabilities that FAST discovers.
Security engineers are involved in many vital aspects of the process, including:
- Understanding and developing use cases based on OWASP Top-10 risks and customer input.
- Leveraging real-world attack data to improve cutting-edge protections.
- Interpreting results and developing plans for further action / inspection.
Wrap Up: Value of Dogfooding and Our Commitment to Security
At Wallarm, we don't just build security products, we use them – and we're dedicated to creating a safer digital world, one application at a time.
Drinking our own FAST champagne exemplifies the benefits of practicing what you preach. By using our own product for API security testing, we not only bolster our own security stance but also fine-tune the user experience, understanding our product from our user's perspective. This approach allows us to proactively discover and fix issues, leading to more robust and reliable services for our customers.
This endeavor underscores our belief that there is no better way to understand our products and improve upon them than to become our own user. The insight we gain from these efforts helps us to better anticipate the needs and concerns of our more than 200 customers. It's just one way we demonstrate our commitment to continuous improvement, transparency, and customer focus—core values that drive everything we do at Wallarm.
We wholeheartedly believe that our products and technologies provide our customers with outstanding value in addressing their application security needs, and we're delighted to have the opportunity to demonstrate this through our use of FAST.
If you're intrigued and wish to dive deeper into the capabilities of FAST, including its fuzzing feature, we invite you to visit our documentation at https://docs.fast.wallarm.com. Learn firsthand about the rich functionality and robust security features that FAST can bring to your application security needs.