Traditional security testing for JS apps has focused on the front-end, but actual security issues most often lie in the backing REST API. Join StackHawk co-founder Scott Gerlach for a quick overview of why you need to rethink how you test your JS apps and how StackHawk can help you find and fix security bugs fast.
This talk has been presented at JSNation 2022, check out the latest edition of this JavaScript Conference.
StackHawk is a dynamic application security testing tool designed to test running HTTP applications and API endpoints for security vulnerabilities to prevent them from becoming compromised.
StackHawk conducts active security tests against running applications to ensure safe handling of user input and output and implements OWASP top 10 best practices for application security. It can perform these tests in various environments including local host, CI/CD workflows, and pre-published applications.
StackHawk can run security tests on REST APIs, GraphQL APIs, SOAP APIs, server-side applications, and single-page applications.
StackHawk can be integrated into CI/CD workflows to run tests and provide feedback on scan findings. It supports breaking builds based on the severity of untriaged findings and works with most major CI tools.
StackHawk focuses on simplicity, helping developers quickly find and fix security issues. Its scanner is configured via YAML that accompanies the application code, and the platform provides clear descriptions, examples, and tools like curl commands for issue replication and debugging.
Yes, StackHawk can notify teams of scan results through various channels like Slack, Datadog, or via webhook messages, allowing teams to process and act on the data as needed.
Yes, StackHawk offers a free trial that allows users to test it on a single application. Additional details and sign-up options are available on their website at stackhawk.com.
StackHawk scans are designed to be fast, with most customer applications averaging around or under ten minutes per scan.
StackHawk is a dynamic application security testing tool that helps you find and fix security issues in your running HTTP applications and API endpoints. It runs active security tests on various types of applications, including REST API, GraphQL API, SOAP API, server-side applications, and single-page applications. StackHawk is designed for automation and CICD, making it an essential part of your testing strategy. It provides simple descriptions and examples of security issues, allowing you to quickly understand and fix them. Integration with CI processes and feedback on scan findings are also supported.
What's going on JS Nation? I'm Scott Gerlach, co-founder and chief security officer at StackHawk. I hope you're really enjoying JS Nation and making the most out of it.
Let's talk about StackHawk. Quickly, StackHawk is a dynamic application security testing tool. You can use it to test your running HTTP applications and API endpoints for security bugs, and keep them from becoming vulnerable. You can use StackHawk to run active security tests on your running REST API, GraphQL API, SOAP API, server-side application, and single-page applications. StackHawk was built for automation and CICD, to be part of your robust testing strategy for your application development lifecycle. It also makes finding, understanding, and fixing security bugs easy.
How does StackHawk work, you ask? Great question. StackHawk runs active security tests against your running applications, to ensure that your application is handling user input and output in a safe manner, as well as implementing OWASP top 10 best practices for application security. We can do this against your running application on your local host, in CICD workflows, and against applications that have yet to be published on the Internet. We also made dynamic testing fast. By placing the scanner as close to the application as possible and by using open standards to inform the scanner, OpenAPI spec, GraphQL, introspection queries, SOAP, WSDL, in addition to the scanner tuning we've made, most StackHawk customer applications scan average around or under ten minutes.
Finding and fixing security issues is simple with StackHawk. Our focus as a company is to help developers find and most importantly fix security issues. The StackHawk scanner and platform are built around this simplicity model. The scanner is configured via YAML that lives with the code for the application that you're testing. When StackHawk findings are triaged, the platform is trying to give you the simplest version of information needed to help you quickly understand what the problem is with simple descriptions and examples of patterns to help you identify the anti-pattern, be able to recreate the issue with tools like simple curl command to replay the attack, and get you into debug mode, stepping through code as fast as possible to help you fix issues and get back to your regular job of creating value for your customers. All of this is CICD enabled. Again, you can integrate this into your CI process and importantly get feedback into the CI process on scan findings. This information can be used to break a build if you choose. Based on severity of untriached findings, most of the major CI player logos are shown here on this slide, and even if your particular one isn't, chances are pretty good Stackhawk will work in your platform as long as it can run a docker container. You can run Docker, you can run Stackhawk. You can also see here, Stackhawk integrates with your workflow and information tools. We can notify you of your scan results in a Slack channel, publish that information to Datadog, or send you a simple webhook message that you can then use to process and do with the data what you choose.
Let's take a look at what running the Stackhawk scanner looks like. As you can see here, I've got a standard server side application. This one is a Pulse app that I want to test for security issues. So over here on my command line, I've got a simple Docker command that I ran. So Docker run Stackhawk.
I fed it the Stackhawk YAML. It did a standard crawl and actively attacked the application for potential security issues. We have a summary of the findings, including a new SQL ejection issue and a previously addressed cross-site scripting issue. There are other issues to look at as well. We can access the scan results through a link provided. The SQL injection issue is described along with the risks it poses and links to prevent it in different language frameworks. We can examine the specific issue, view the request and response, and even replay the attack using the scanner's validate button.
I fed it the Stackhawk YAML. We'll look at that in a second. As you can see, it did a standard crawl looking for all the interesting things on the web page that it could, and then it did an attack. So it actively attacked this application for potential security issues. When it was all done, we've got a summary of these findings.
So I've actually got a SQL ejection issue that I need to take care of. You can see that it's new. I also have a cross-site scripting issue that I've done something with before. I actually made a ticket out of this, so now it's in a signed status. We've got a bunch of other things that we can look at as well, but let's take a look at those too.
Down here at the bottom we actually have a link to this scan, so we can actually take this link and paste it into a browser. By the way, output in a CI-CD system would look very much like this, because this is the standard output. So if you did choose to break a build, you would have this same link in CI-CD output. So we can go over here to our web browser and jump right into the scan that we were looking at. We were just looking at this exact same scan. We've got this SQL injection issue that we can look at quickly.
You can see that we've got a SQL injection issue. We're quickly describing what SQL injection is, how to remediate it, what it's about, and what risks it might pose to an application. We also have links to different language frameworks that show you the pattern of how to prevent SQL injection in Spring, Laravel, Django, and Rails, so that you can help identify the anti-pattern that we're looking for. Let's take a look at this particular issue here. We can see that on the polls SQL path, we have a post method that has some kind of an issue. Over on our right-hand panel, we've got a request and response of what the scanner actually did and then came back with. We can see that the scanner made a request here against the application, and it responded in some form or fashion. We can actually see that the scanner made a case when injection here. We can replay this if we wanted to. This is all helping you understand what the scanner is trying to do and what issue it thinks it's found. Interestingly, we've got this really cool validate button up here. As I mentioned before, this validate button gives you a curl command of exactly what the scanner did to identify this particular issue. You can copy and replay this attack against an application. Let's take a look at that StackHawk YAML.
We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career
Node Congress 2022
JSNation 2023
JSNation 2023
React Advanced Conference 2021
React Summit US 2023
React Summit 2022
TestJS Summit 2023React Summit 2023TestJS Summit 2023JSNation 2024JSNation 2024JSNation 2022
Comments