Hey, my name is Fernando and I'm a technical marketing manager here at GitLab, and today I'm going to go over web API fuzzing. API fuzzing helps you discover bugs and potential security issues that other QA processes may miss. API fuzz testing sets operation parameters to unexpected values in an effort to cause errors in the API backend.

Web API fuzzing requires a web API and some other assets. I'm going to go over fuzzing on OpenAPI using a REST API. First, we add the GitLab API fuzzing configuration file to the repository's root. The configuration file has several testing profiles defined with varying amounts of fuzzing. GitLab provides this config file with profiles that can get you started. Next, we create an OpenAPI specification. Your project may already have an OpenAPI specification created; you can use it directly. You can see examples of OpenAPI specifications in the links in the description.

Now let's enable API fuzzing in the pipeline. In order to do this, we add the API fuzzing template to the GitLab CI YAML file along with some variables. These variables include FUZZAPI_PROFILE, which defines which fuzzing profile to use from the configuration file; FUZZAPI_OPENAPI, which points to the OpenAPI specification; and FUZZAPI_TARGET_URL, which points to the live application we are targeting.

Now let's take a look at the results from API fuzzing. Here's an MR which changes the code to return a 500 if the request body is too large. Now let's go to the MR overview and expand the security tab. We can see a new vulnerability detected by web API fuzzing. Once you click on the vulnerability, you can see detailed information as to how it occurred, helping you solve it in no time.

Now I'm going to pass it over to principal product manager Sam Kerr to go over the API fuzzing roadmap.

I'm Sam Kerr.
I'm a principal product manager here at GitLab, responsible for the fuzz testing category of GitLab, and today I want to talk a little bit more with you about our upcoming roadmap for API fuzz testing. So what I'm sharing on the screen now is going to be subject to change. It's our current plans right now at GitLab. We plan ambitiously, so we'd love to get your feedback and help, and have you help us shape this roadmap.

So I want to focus on a few of the near-term things that we're going to be looking at for API fuzz testing. And the first of those is providing better authentication support for API fuzz testing. We know that modern applications today generally require some sort of authentication, and so we need to make sure that the fuzz testing engines are able to support modern sorts of application authentication approaches so that you can get the best results from your fuzz test.

We're also focusing on improving the user experience of API fuzz testing. We've heard a number of times that it can be difficult to get started with API fuzz testing, and so one of these improvements we're working on is providing a wizard-like experience to help you configure and set up the fuzz tester, to make it really easy to get started with.

In the near term, we're also updating some of the technical underpinnings of API fuzz testing by updating things like the version of C# we're using, as well as reducing technical debt that we've identified. Each of these in the slide has a link to the epic or issue.
We'd love for you to engage on them directly with us.

If we look a little bit further out, some of the things that we're putting our plans together for API fuzz testing are revolving around test framework integration. And what we mean by this is we know that applications today generally have existing test suites written in frameworks like JUnit or various Python testing frameworks or any language-dependent framework. And rather than require you to generate new specification files, new test files for API fuzzing, we're looking at ways that we can actually leverage the existing test cases you already have and use those to inform the fuzz tester on how to get started.

We're also looking at how we can provide what we call no-config API fuzz testing. And what we mean by this is being able to simply point the fuzz tester at your application's repository and hit go. We want to make it function in such a way that there's no configuration files that you have to create, edit or update to get an initial fuzz testing result.

After we've completed our work on no-config fuzz testing, a very close jump we would then make is how could we integrate API fuzz testing inside of Auto DevOps. Auto DevOps is GitLab's really powerful way for you to go from having a project with some simple code but no CI/CD system to rapidly having all of the necessary steps that you need in your GitLab pipelines. And we want to make sure API fuzz testing is included in that where we can.

And if we look much further out, in what we're calling our concept stage, we're also thinking about how can we generate OpenAPI specification files automatically for you using the code and what's already inside of your repository. The fuzz tester needs an OpenAPI specification file, a Postman collection or a HAR file to know how to fuzz your application. But because GitLab has a lot of the code and far more context than many other tools do, we think there are ways that we can actually generate and figure out these files automatically,
and so that's one of the things that we're thinking about further on that concept stage.

And so again, this is our current roadmap as it stands now. This was last updated in February of 2021. We'd love to have your feedback. We'd love to have your input on it. Please go to any of these epics or issues that you're interested in, and we'd love to engage with you. Thank you so much.

Thanks for watching, and be sure to subscribe.