
Difference between revisions of "GSoC2014/Testing/Fuzz"

(Implement a Fuzz testing framework that can be run on Tempest or a similar framework)
(Implement a Fuzz testing framework that can be run on Tempest or a similar framework)
Line 10: Line 10:
 
|}
 
|}
  
Intro - Why we need it
+
== Introduction ==
 
OpenStack project is getting larger and more complex. It's adoption has also increased significantly, with customers expecting it to be more secure. Currently, many efforts are underway to ensure OpenStack platform is secure. But, an automated mechanisms to test for vulnerabilities is not part of OpenStack testing/ gating process yet. This results in most of the vulnerabilities reported are discovered at the customer site.  
 
OpenStack project is getting larger and more complex. It's adoption has also increased significantly, with customers expecting it to be more secure. Currently, many efforts are underway to ensure OpenStack platform is secure. But, an automated mechanisms to test for vulnerabilities is not part of OpenStack testing/ gating process yet. This results in most of the vulnerabilities reported are discovered at the customer site.  
  
There are different mechanisms to test for security vulnerabilities, Fuzz testing being most popular of them. This project aims at enabling fuzz testing of OpenStack APIs and integrating such tests with OpenStack test framework such as Tempest.  
+
There are different mechanisms to test for security vulnerabilities, [http://en.wikipedia.org/wiki/Fuzz_testing Fuzz testing] being most popular of them. This project aims at enabling fuzz testing of OpenStack APIs and integrating such tests with OpenStack test framework such as [http://docs.openstack.org/developer/tempest/ Tempest].  
  
 
== Assumed Knowledge ==
 
== Assumed Knowledge ==
Line 22: Line 22:
 
== Project Goals ==
 
== Project Goals ==
  
* Enable project by project, success being enabling on at least 1 complete project
+
* Design and Implement Fuzz testing framework that can fuzz OpenStack APIs by generating configurable combninarions (random or pattern based)
 +
* Integrate above fuzz test framework with OpenStack Tempest test framework
 +
* Enable fuzz testing on at least one OpenStack project (OpenStack Nova for example)
  
 
== Project Nice-to-Haves ==
 
== Project Nice-to-Haves ==
 +
* Enable on more than one OpenStack project (OpenStack Swift for example)
 +
* Enable automated reporting of security vulnerabilities to the OpenStack Security Group
  
 
====== Suggestions ======
 
====== Suggestions ======
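Review bot: The first added goal misspells "combinations" as "combninarions" and does not say what is being combined (request parameters, payload values, or sequences of API calls), so the "configurable" requirement cannot be checked against a deliverable. The removed line set the bar at "at least 1 complete project", while the new Nova goal drops "complete"; consider stating what counts as enabled, for example which part of the project's API must be fuzzed.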

Revision as of 18:16, 14 February 2014

Implement a Fuzz testing framework that can be run on Tempest or a similar framework

Difficulty: Hard
Topics: testing, tempest
Mentor: Sriram Subramanian

Introduction

The OpenStack project is getting larger and more complex. Its adoption has also increased significantly, with customers expecting it to be more secure. Many efforts are currently underway to ensure the OpenStack platform is secure, but an automated mechanism to test for vulnerabilities is not yet part of the OpenStack testing/gating process. As a result, most reported vulnerabilities are discovered at the customer site.

There are different mechanisms to test for security vulnerabilities, fuzz testing being the most popular of them. This project aims at enabling fuzz testing of OpenStack APIs and integrating such tests with an OpenStack test framework such as Tempest.

Assumed Knowledge

  • Python
  • Introduction to OpenStack or Cloud Management Platforms is preferred, but not required
  • Introduction to fuzz testing/penetration testing is preferred, but not required

Project Goals

  • Design and implement a fuzz testing framework that can fuzz OpenStack APIs by generating configurable combinations (random or pattern based)
  • Integrate the above fuzz test framework with the OpenStack Tempest test framework
  • Enable fuzz testing on at least one OpenStack project (OpenStack Nova for example)
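
A sketch of the first goal's "configurable combinations (random or pattern based)", as an added example that is not part of the original wiki page or of Tempest; it only generates request bodies and sends nothing. The template is a constructed body shaped like a Nova create-server request, and `PATTERNS`, `fuzz_cases` and the other names are hypothetical.

```python
import copy
import itertools
import random

# Pattern-based values: fixed boundary and wrong-type inputs (constructed list).
PATTERNS = ["", " ", "A" * 4096, "\u0000", "-1", "9" * 40, None, [], {}, True]

def random_value(rng, max_len=64):
    """Random-based value: printable ASCII string of random length."""
    length = rng.randint(0, max_len)
    return "".join(chr(rng.randint(0x20, 0x7E)) for _ in range(length))

def leaf_paths(doc, prefix=()):
    """Yield the key path of every leaf in a nested dict."""
    for key, value in doc.items():
        if isinstance(value, dict):
            yield from leaf_paths(value, prefix + (key,))
        else:
            yield prefix + (key,)

def with_value(doc, path, value):
    """Return a copy of doc with the leaf at path replaced by value."""
    out = copy.deepcopy(doc)
    node = out
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = copy.deepcopy(value)
    return out

def fuzz_cases(template, mode="pattern", fields=1, count=20, seed=0):
    """Yield (paths, body) pairs; `fields` leaves are fuzzed per case."""
    rng = random.Random(seed)  # seeded so a failing case can be replayed
    paths = sorted(leaf_paths(template))
    for combo in itertools.combinations(paths, fields):
        if mode == "pattern":
            value_sets = itertools.product(PATTERNS, repeat=fields)
        else:
            value_sets = ([random_value(rng) for _ in combo] for _ in range(count))
        for values in value_sets:
            body = template
            for path, value in zip(combo, values):
                body = with_value(body, path, value)
            yield combo, body

# Constructed sample body shaped like a Nova "create server" request.
TEMPLATE = {"server": {"name": "fuzz-vm", "imageRef": "IMAGE_ID", "flavorRef": "1"}}
```

Recording the `seed`, `mode` and `fields` settings with each test run is what lets a failing body be regenerated later for triage.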

Project Nice-to-Haves

  • Enable on more than one OpenStack project (OpenStack Swift for example)
  • Enable automated reporting of security vulnerabilities to the OpenStack Security Group

Suggestions