Simon Resch · 4 min read

HTTP 503: Preventing Downtime With Security Testing

Developers Need to Prevent Downtime at All Costs 

Every developer who works on a web service bears a great deal of responsibility. For eCommerce platforms, health services, or trading platforms in particular, any downtime can be devastating.

In the worst-case scenario, customers lose their trust in your platform and turn their backs on your service. That would be a total disaster for everyone involved in the incident, especially for the people responsible for the security and availability of the platform.

Image caption: When your platform is down again!

But Why Is It So Hard to Secure Web Services?

Complex web services and platforms consist of many dependencies and modules that communicate with each other, which makes them very difficult to secure. Not only do the individual modules need to be tested, but also the various interfaces (APIs) between them.

However, testing each module individually is incredibly time-consuming, and a great number of bugs probably remain undiscovered anyway, because they are only triggered when all modules interact with each other in the running application. These unpredictable inter-dependencies represent a major security risk for many web services.

To Prevent Downtime, You Need to Automate Your Security Testing

To ensure the reliability and availability of your services, you have no choice but to test your web applications holistically, meaning entire monoliths or microservice systems as a whole. But with so many test scenarios and edge cases to cover, you definitely need some kind of automated security testing.

And if you think about it, there are many reasons why it makes sense to automate your testing process as much as possible. By automating your security tests, you finally have more time for all your other tasks, AND your application becomes more reliable and secure at the same time.

The Best Way to Automate Your Security Testing for Web Services

Of course, there are several ways to automate your security testing, for example with black-box scanners such as OWASP ZAP or Burp Suite. But for web services, I personally prefer fuzz testing, because it works with the source code and will eventually achieve higher code coverage than other testing approaches.

With modern fuzz testing solutions like CI Fuzz, it has also become really easy to test either individual web applications or the entire communication between the different modules and microservices at once. This can help you discover bugs that would otherwise have remained undetected. In my opinion, this makes fuzz testing the best approach for testing a web service with all its inter-dependencies.

How to Fuzz Web Services? (The Big Picture)

The best way I can answer this question is by giving you an example. In this scenario, there are three web services running inside a Kubernetes environment.

In the past, developers and pentesters had to test each service and API manually, component by component. There was no way to test interdependent services that interact with each other using a single automated testing approach. Instead, developers and pentesters relied on a combination of different tools and testing approaches, which made it very complicated to secure web services properly.

Image caption: Securing web services. How they secured web services in the old days.

But today, many testing solutions can help you fuzz your whole microservice environment at once. CI Fuzz, for example, offers simple plug-and-play integration that makes it very easy to set up fuzz testing for web services. The process is as simple as running a black-box scanner and will help improve the reliability and availability of your web service significantly. This way, you can prevent downtime.

Image caption: Fuzzing microservices and web applications. How to increase your code coverage by fuzzing your entire microservice environment at once.

The fuzzer starts by simply sending HTTP requests to the application, behaving like a client that knows nothing about it. However, by injecting a couple of fuzzing agents into the JVM, the fuzzer gets detailed feedback about the structure of the application. With this knowledge, it can then mutate and adjust its inputs to achieve even higher code coverage with each run. If you want to dig deeper into the technology, I can also recommend this article about the magic behind feedback-based fuzzing.


Fuzzing Improves the Reliability of Your Web Service

Although this approach cannot fully replace a final pentest, fuzzing helps you fix most of the low-hanging fruit at a very early stage of your development process, which additionally prevents downtime. You will find most OWASP vulnerabilities with this approach, because the fuzzer automatically monitors the program for exceptions such as crashes, denial-of-service (DoS) errors, and injections. This helps you improve the reliability and security of your platform.
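The feedback loop from the big-picture section (send requests as a naive client, collect coverage feedback from an agent, mutate toward new coverage) and the exception monitoring just described, as one added example. This is my own toy implementation, not CI Fuzz or Jazzer code: it assumes a constructed in-process Python handler (`handle_request`, with a deliberately planted `ValueError`), uses `sys.settrace` as a stand-in for the bytecode-instrumentation agent a JVM fuzzer injects, and the seed request and dictionary tokens are constructed too. It runs the same budget twice, once without coverage feedback and once with it, so the effect of the feedback is visible.

```python
"""Toy coverage-guided fuzzer for an in-process HTTP request handler (added example,
not CI Fuzz or Jazzer code). sys.settrace stands in for the instrumentation agent."""
import random
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


# Constructed target: a tiny request router with a bug hidden behind several checks.
def handle_request(raw: bytes) -> int:
    """Parse a request line and return an HTTP status code.

    Planted bug: a non-numeric order id makes int() raise ValueError, which the
    handler never catches; a servlet container would turn that into a 5xx response.
    """
    try:
        request_line = raw.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return 400
    parts = request_line.split(" ")
    if len(parts) != 3:
        return 400
    method, path, version = parts
    if method != "GET":
        return 405
    if not version.startswith("HTTP/1."):
        return 505
    if not path.startswith("/api/"):
        return 404
    resource = path[len("/api/"):]
    if resource.startswith("orders/"):
        order_id = int(resource[len("orders/"):])  # ValueError escapes from here
        return 200 if order_id > 0 else 404
    return 404


def run_with_coverage(target: Callable[[bytes], int], data: bytes
                      ) -> Tuple[Set[int], Optional[int], Optional[Exception]]:
    """Run target(data) once; report its executed lines and any escaped exception.

    The trace hook plays the role of the agent: the target is not modified, yet
    every line it executes is reported back to the fuzzer as coverage feedback.
    """
    code = target.__code__
    covered: Set[int] = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None                 # trace nothing but the target function
        if event == "line":
            covered.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        return covered, target(data), None
    except Exception as exc:            # an escaped exception is a finding
        return covered, None, exc
    finally:
        sys.settrace(previous)


# Dictionary tokens (constructed): what a fuzzer gets from a dictionary file or
# learns from instrumented string comparisons.
TOKENS = [b"/api/", b"orders/", b"POST", b"9", b"\r\n"]


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: bit flip, token insert, byte delete or byte insert."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = rng.choice(TOKENS)
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


@dataclass
class FuzzResult:
    crash_input: Optional[bytes]        # input that made the target raise, if any
    exception: Optional[Exception]
    iterations: int
    corpus_size: int
    lines_covered: int


def fuzz(target: Callable[[bytes], int], seeds: List[bytes], iterations: int,
         guided: bool = True, rng_seed: int = 1) -> FuzzResult:
    """Mutate corpus entries; with guided=True keep every child that reaches new lines."""
    rng = random.Random(rng_seed)
    corpus: List[bytes] = list(seeds)
    total: Set[int] = set()
    for seed in corpus:
        cov, _, exc = run_with_coverage(target, seed)
        if exc is not None:
            return FuzzResult(seed, exc, 0, len(corpus), len(cov))
        total |= cov
    for i in range(1, iterations + 1):
        child = mutate(rng, rng.choice(corpus))
        cov, _, exc = run_with_coverage(target, child)
        if exc is not None:
            return FuzzResult(child, exc, i, len(corpus), len(total | cov))
        if guided and not cov <= total:  # new coverage: keep child as a future parent
            total |= cov
            corpus.append(child)
    return FuzzResult(None, None, iterations, len(corpus), len(total))


if __name__ == "__main__":
    seed_corpus = [b"GET / HTTP/1.1\r\n"]
    for guided in (False, True):
        r = fuzz(handle_request, seed_corpus, iterations=30000, guided=guided)
        found = type(r.exception).__name__ if r.exception else "none"
        print(f"guided={guided}: corpus={r.corpus_size} lines={r.lines_covered} "
              f"finding={found} input={r.crash_input!r} after {r.iterations} runs")
```

The unguided run never grows its corpus, so every input it tries is a single mutation away from the seed and the planted bug (which needs both `/api/` and `orders/` in place) is out of reach no matter how long it runs. The guided run keeps the child that first reaches the `/api/` branch because new lines were covered, then mutates that child further and reaches the `int()` call; the escaped `ValueError` is exactly the kind of unhandled exception the post says the fuzzer reports, and what a real server would surface as a 5xx.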

If you're curious to see how this approach works in action, I prepared a tutorial on how to fuzz web services in a complex Kubernetes environment. And if you would like to try out the CI Fuzz testing platform yourself, reach out to me via email or Twitter.

Fuzzing Complex Web Services


About Simon

Simon Resch
Simon Resch is a Senior Software Engineer at Code Intelligence. He specializes in fuzzing Java applications and was one of the leading developers behind Jazzer, an open-source fuzzer for the Java Virtual Machine (JVM). Jazzer has since been integrated into Google's open-source fuzzing framework OSS-Fuzz and now helps secure many popular open-source applications, such as Apache/PDFBox or OWASP/json-sanitizer.
