OWASP ZAP

With millions of web applications out there, it is only natural to see increased attacks on these web applications from hacker communities. OWASP, i.e. the Open Web Application Security Project, aims to give web developers knowledge of the various security threats and also to produce tools and technologies that help tighten the security of their web applications. ZAP is one such tool from OWASP and helps with penetration testing.

Representative image depicting hacker attack on the webapp which can be emulated using OWASP ZAP

Penetration testing, aka pen-testing, is a type of testing where the tester attacks the application with the goal of breaking into the system to steal data, just like a hacker would. It involves manipulating requests at various levels (headers, payload, etc.) and thereby finding a way through the server application to the data. This is where ZAP comes into the picture: it helps testers perform all these manipulations easily.

ZAP – Zed Attack Proxy

ZAP is a free and open-source pen-testing tool maintained under OWASP. It is built in Java and is designed specifically for testing web apps. As a seasoned software engineer can guess, this proxy is a “man-in-the-middle” proxy: it is deployed between the tester’s browser and the web app under test, and all traffic from the browser flows through it. This enables the proxy to make the necessary changes to requests to facilitate testing.

How ZAP works
Image Source: https://www.zaproxy.org/getting-started/

Availability and Usage of OWASP ZAP

ZAP is available on all the major operating systems and is not tied to any single OS. More importantly, it is also available as a Docker image, which makes life easy for testers. There is a marketplace, accessible from the ZAP client itself, where one can find various plugins.

A tester can run an automated scan by providing the URL to attack. ZAP will crawl the application using its built-in spider and then present the results at the end of the scan. Based on severity, developers can schedule fixes for the identified issues.

ZAP can easily be integrated with Jenkins in your CI/CD pipeline, and with Selenium alongside your automation testing.
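As an added example of the CI/CD integration described above (not ZAP's or Jenkins' own code), this script builds the Docker command for ZAP's baseline scan and then gates the build on the JSON report the scan writes. It assumes the zaproxy image's `zap-baseline.py` entry point and the report layout `site[].alerts[].riskcode`; the sample report embedded below is constructed, not real scanner output.

```python
"""Gate a CI build on the ZAP baseline scan (added example; not ZAP's or
Jenkins' own code). Assumes the zaproxy Docker image's zap-baseline.py and
the JSON report its -J flag writes, whose shape (site[].alerts[].riskcode)
is assumed here; SAMPLE_REPORT below is constructed, not real output."""
import json

ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"
RISK_NAMES = ["Informational", "Low", "Medium", "High"]   # riskcode 0..3


def baseline_command(target, host_dir, report="zap.json"):
    """Command a Jenkins stage runs: passive baseline scan of `target`.
    -J writes a JSON report into /zap/wrk (mounted from host_dir);
    -I makes zap-baseline exit 0 on findings so gate() below decides pass/fail."""
    return ["docker", "run", "--rm", "-v", f"{host_dir}:/zap/wrk:rw",
            ZAP_IMAGE, "zap-baseline.py", "-t", target, "-J", report, "-I"]


def count_by_risk(report):
    """Tally alerts per risk level across every site in the report."""
    counts = dict.fromkeys(RISK_NAMES, 0)
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            code = int(alert.get("riskcode", 0))
            counts[RISK_NAMES[min(max(code, 0), 3)]] += 1
    return counts


def gate(report, fail_on="High", max_allowed=0):
    """Return (ok, counts): ok is False when alerts at or above `fail_on`
    exceed max_allowed, so the pipeline stops before the deploy stage."""
    counts = count_by_risk(report)
    blocking = sum(counts[r] for r in RISK_NAMES[RISK_NAMES.index(fail_on):])
    return blocking <= max_allowed, counts


def gate_file(path, **kw):
    """Same check, reading the report zap-baseline wrote to disk."""
    with open(path) as fh:
        return gate(json.load(fh), **kw)


# Constructed sample in the assumed report layout (three alerts, one High).
SAMPLE_REPORT = {"site": [{"@name": "https://staging.example", "alerts": [
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
    {"alert": "Missing Anti-clickjacking Header", "riskcode": "2"},
    {"alert": "Vulnerable JS Library", "riskcode": "3"},
]}]}

if __name__ == "__main__":
    print(" ".join(baseline_command("https://staging.example", "$PWD")))
    ok, counts = gate(SAMPLE_REPORT)
    print(counts, "BUILD OK" if ok else "BUILD FAILED")
```

In a Jenkins stage the command from `baseline_command` runs first, then `gate_file("zap.json")` decides whether the pipeline proceeds.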

Related Keywords:

Security, CSRF, Sidejacking, XSS, Reverse-Proxy

IPFS

As you are aware, the world is moving from centralized systems toward decentralized ones. The current web architecture is highly dependent on the central location of the data served by servers. Although distributed geographically, it is still a client-server architecture and hence is commonly categorized as centralized. With the increased usage of blockchain-based technologies, the world has now taken note of the need for a decentralized architecture for the web, and that is where IPFS, i.e. the InterPlanetary File System, comes into the picture.

What is IPFS?

In simple terms, it is a peer-to-peer hypermedia protocol for storing and sharing data. It enables the creation of distributed applications with a special focus on making the web faster and more open. It also refers to the distributed file system that can connect all computing devices with the same system of files. As you can see, the same term is used for the protocol as well as the file system, and if you dig deeper there are more usages of the same term:

  • As a protocol – defines content-addressed file system, helps content delivery
  • As a file system – has directories and files and can be a mounted file system
  • As a web – content can be accessed via HTTP
  • As CDN – a file added locally can be easily accessible globally just like CDN
Depiction of HTTP vs IPFS, clearly showing the difference between the two.
Source: https://datatracker.ietf.org/
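The "content-addressed" point in the list above is the core of IPFS: a block's identifier is derived from its bytes, so identical content always gets the same CID and any tampering yields a different one. The following is an added example that reproduces the two CID encodings (not code from the IPFS project), assuming the standard sha2-256 multihash (codes 0x12, 0x20), base58btc for CIDv0, and the `raw` codec (0x55) with base32 multibase for CIDv1.

```python
"""Content addressing as IPFS does it (added example; not IPFS project code).
Assumes the sha2-256 multihash (0x12 = sha2-256, 0x20 = 32-byte digest),
CIDv0 = base58btc(multihash) and CIDv1 = 'b' + base32(0x01 0x55 multihash)."""
import base64
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def multihash_sha256(data: bytes) -> bytes:
    """Self-describing hash: <hash-fn code><digest length><digest>."""
    digest = hashlib.sha256(data).digest()
    return bytes([0x12, len(digest)]) + digest


def base58btc(raw: bytes) -> str:
    """Bitcoin-style base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    leading = len(raw) - len(raw.lstrip(b"\0"))
    return "1" * leading + out


def cid_v0(data: bytes) -> str:
    """CIDv0: bare sha2-256 multihash in base58btc; always begins with 'Qm'."""
    return base58btc(multihash_sha256(data))


def cid_v1_raw(data: bytes) -> str:
    """CIDv1: <version 0x01><codec raw 0x55><multihash>, base32 lower-case
    without padding, prefixed with the multibase code 'b' ('bafkrei...')."""
    binary = bytes([0x01, 0x55]) + multihash_sha256(data)
    return "b" + base64.b32encode(binary).decode().lower().rstrip("=")


def verify(data: bytes, cid: str) -> bool:
    """What a peer does after fetching `data` for `cid` from an untrusted
    node: recompute the CID and accept the bytes only if it matches."""
    return cid in (cid_v0(data), cid_v1_raw(data))


if __name__ == "__main__":
    sample = b"hello ipfs\n"          # constructed sample content
    print(cid_v0(sample), cid_v1_raw(sample))
    print(verify(sample, cid_v0(sample)), verify(sample + b"!", cid_v0(sample)))
```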

IPFS is still in the development stage but is generating a lot of buzz. Recently, 80+ developers and implementers got together to push the implementation further.

IPFS was created back in 2014 and its alpha version was launched in 2015. Since then it has gathered good momentum along with other distributed technologies.

Use cases

Some interesting use cases are emerging from this new technology.

Related Keywords

DApps, BlockChain, Cryptography, EFS

Gunicorn

It has been raining unicorns in India over the last few months (albeit it has slowed down over the last few weeks). However, Gunicorn has nothing to do with the unicorns we are seeing in the startup world. It is a very common name in the Python world, so let’s understand more about it in today’s term.

Representative image: Gunicorn, an application server used for Python-based frameworks. Photo by Kindel Media.

What is Gunicorn

It is a Python WSGI application server for UNIX; WSGI stands for Web Server Gateway Interface. This component provides a way for Python-based frameworks to be made accessible over the internet via a reverse proxy. A typical web setup for a Python framework involves Nginx, a WSGI server like Gunicorn or uWSGI, and a web framework like Django or Flask.

Gunicorn can work with a host of web servers, including Nginx and Apache, and with any web application as long as that application can interact via the WSGI interface.

It uses a pre-fork worker model ported from Ruby’s Unicorn project.

https://gunicorn.org/

Gunicorn is made to serve one application per instance and to provide a way of running that application as efficiently as possible. It also takes care of managing the worker processes that run your app, so you can focus on developing your code and features.
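To make the WSGI interface and the Nginx + Gunicorn setup above concrete, here is an added example (not Gunicorn's own code): a minimal WSGI application followed by the settings a `gunicorn.conf.py` would carry for running it behind a local reverse proxy. The application and its route are hypothetical; the option names (`bind`, `workers`, `forwarded_allow_ips`, `limit_request_line`, ...) are Gunicorn's, and the two halves are shown in one file for brevity although they normally live in `app.py` and `gunicorn.conf.py`.

```python
"""Minimal WSGI app plus Gunicorn settings (added example; the app is
hypothetical, the setting names are Gunicorn's own). Run behind Nginx with:
    gunicorn -c gunicorn.conf.py app:application"""
import json
import multiprocessing


def application(environ, start_response):
    """WSGI entry point: Gunicorn's pre-forked workers call this per request.
    environ        - CGI-style dict describing the request
    start_response - callable(status, headers) the app must invoke first
    returns        - iterable of bytes chunks"""
    # Gunicorn sets wsgi.url_scheme from X-Forwarded-Proto only when the peer
    # is listed in forwarded_allow_ips, so the app can rely on it for
    # decisions such as refusing plain-HTTP requests or marking cookies Secure.
    if environ.get("wsgi.url_scheme") != "https":
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"https required"]
    payload = {"path": environ.get("PATH_INFO", "/"),
               "method": environ.get("REQUEST_METHOD", "GET")}
    body = json.dumps(payload).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


# --- gunicorn.conf.py -----------------------------------------------------
bind = "127.0.0.1:8000"                         # loopback only; Nginx is the public face
workers = multiprocessing.cpu_count() * 2 + 1   # pre-fork worker count (Gunicorn docs' rule of thumb)
timeout = 30                                    # master kills workers stuck longer than this
forwarded_allow_ips = "127.0.0.1"               # trust X-Forwarded-* only from the local proxy
limit_request_line = 4094                       # cap request-line size
limit_request_field_size = 8190                 # cap each header field
accesslog = "-"                                 # access log to stdout for the log pipeline


def call(app, environ):
    """Test helper: drive a WSGI app with no server; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body
```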

Advantages of Gunicorn

It is a good-performing application server that is easy to configure and is less CPU intensive. At some point, Instagram ran Django + Gunicorn, having phased out mod_wsgi and replaced it with this application server. Additionally, it takes care of everything between the web server and your application, leaving your application to do what it is meant for. Easy to configure and easy to maintain, it is a common choice for several leading websites, mentioned below.

Alternatives:

  • uWSGI
  • mod_wsgi with Apache
  • Nginx
  • IIS
  • OpenResty
  • LiteSpeed

Some popular websites that use this component as their application server include Mozilla.org, Twilio.com and ubuntu.com.

K8ssandra

Folks working with Kubernetes will relate to the word “K8ssandra” very quickly: something related to Kubernetes (more fondly called K8s). Yes, that is right.

Apache Cassandra is a preferred database for many large-scale applications. Kubernetes has been providing orchestration tooling and infrastructure for several of these applications. Combining the two under a single umbrella helps enterprises meet their requirements easily.

What is K8ssandra?

It is a cloud-native distribution of Apache Cassandra that runs on Kubernetes. Pronounced “kate” + “sandra”, it is an open source project licensed under the Apache Software License v2. The project provides a plethora of tools for data APIs and automated operations for Cassandra, including tools for monitoring, services for site reliability, and backup/restore tools.

Cassandra is a distributed database management system. It is a free and open source project that provides a scalable, highly available, fault-tolerant, column-oriented database to support large amounts of data across many commodity servers.

Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. (Source)

Creating, deploying and managing the various components of a Kubernetes setup, such as pods, deployments and ConfigMaps, can be time intensive and complex. As your architecture grows, this becomes all the more difficult. K8ssandra does the heavy lifting for you, and as an infrastructure engineer or even a developer, it is always better to have a reliable tool that does that job for you.

Components

K8ssandra components
Image source: https://docs-v2.k8ssandra.io/components/

It provides a set of components which are glued together as part of the installation process itself. The following components are packaged and installed:

  • Apache Cassandra
  • Stargate
  • Cass Operator
  • Reaper for Cassandra
  • Medusa for backup/restoration
  • Metrics collector with Prometheus integration and visuals via Grafana

Capistrano

This is yet another tool in the armoury of a DevOps engineer. In simple terms, Capistrano is a remote server automation tool.

Capistrano Beach and Beach Road, photo by D Ramey Logan from Wikimedia Commons, CC-BY-SA 3.0

Built on Ruby, Rake, and SSH, this tool allows the DevOps team to deploy web applications to several machines simultaneously. Additionally, it allows the engineer to script arbitrary workflows over SSH and automate common tasks in software teams.

The tool takes a scripting approach, and hence it is very easy to tie it up with other scripting tools and make it part of a larger toolset.

Some key features of Capistrano are:

  • Strong convention: It has a standard deployment process that all Capistrano-enabled projects follow by default. Capistrano has a well-defined structure which is easy to follow across projects.
  • Multiple stages: Once a flow is developed, you can simply parameterise the script for different stages/environments (QA, staging, UAT, and production).
  • Parallel execution
  • Community driven

Often a simple bash script can also do the job for a DevOps engineer. However, it always helps to have a structured way of automating deployment. Tools like this one allow agile teams to achieve their goals in a shorter timespan by automating simple tasks. Other similar tools include Ansible, Chef/Puppet, etc. Even Docker can address some of the automation tasks if they are as simple as creating a new image and using it across the server farm.
