What's going on JS Nation? I'm Scott Gerlach, co-founder and chief security officer at StackHawk. I hope you're really enjoying JS Nation and making the most out of it.
Let's talk about StackHawk. Quickly, StackHawk is a dynamic application security testing tool. You can use it to test your running HTTP applications and API endpoints for security bugs, and keep them from becoming vulnerable. You can use StackHawk to run active security tests on your running REST API, GraphQL API, SOAP API, server-side application, and single-page applications. StackHawk was built for automation and CI/CD, to be part of your robust testing strategy for your application development lifecycle. It also makes finding, understanding, and fixing security bugs easy.
How does StackHawk work, you ask? Great question. StackHawk runs active security tests against your running applications, to ensure that your application is handling user input and output in a safe manner, as well as implementing OWASP Top 10 best practices for application security. We can do this against your running application on your localhost, in CI/CD workflows, and against applications that have yet to be published on the Internet. We also made dynamic testing fast. By placing the scanner as close to the application as possible and by using open standards to inform the scanner (OpenAPI specs, GraphQL introspection queries, SOAP WSDLs), in addition to the scanner tuning we've done, most StackHawk customer application scans average around or under ten minutes.
Finding and fixing security issues is simple with StackHawk. Our focus as a company is to help developers find and, most importantly, fix security issues. The StackHawk scanner and platform are built around this simplicity model. The scanner is configured via YAML that lives with the code for the application that you're testing. When StackHawk findings are triaged, the platform is trying to give you the simplest version of the information needed to help you quickly understand what the problem is: simple descriptions and examples of patterns to help you identify the anti-pattern, the ability to recreate the issue with tools like a simple curl command to replay the attack, and getting you into debug mode, stepping through code as fast as possible, to help you fix issues and get back to your regular job of creating value for your customers.

All of this is CI/CD enabled. Again, you can integrate this into your CI process and, importantly, get feedback into the CI process on scan findings. This information can be used to break a build if you choose, based on the severity of untriaged findings. Most of the major CI player logos are shown here on this slide, and even if your particular one isn't, chances are pretty good StackHawk will work in your platform as long as it can run a Docker container. If you can run Docker, you can run StackHawk. You can also see here that StackHawk integrates with your workflow and information tools. We can notify you of your scan results in a Slack channel, publish that information to Datadog, or send you a simple webhook message that you can then process and do with the data what you choose.
Let's take a look at what running the StackHawk scanner looks like. As you can see here, I've got a standard server-side application. This one is a Pulse app that I want to test for security issues. So over here on my command line, I've got a simple Docker command that I ran: docker run StackHawk.
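As an added illustration of the workflow the talk describes (this is not a snippet from the talk or from StackHawk's own material), here is the shape of a stackhawk.yml that sits in the repository next to the application code and points the scanner at an app running on the developer's own host. The top-level app keys (applicationId, env, host) and hawk.failureThreshold are taken from my reading of the StackHawk documentation; the application id, hostname and port are placeholders, and you should confirm every key against the current docs before relying on it.

```yaml
# stackhawk.yml -- added example, not from the talk. Kept in the repo with the code.
app:
  # Placeholder: the application id that the StackHawk platform assigns to this app
  applicationId: 00000000-0000-0000-0000-000000000000
  # Environment label so findings are tracked per environment (e.g. Development, CI, Prod)
  env: Development
  # The scanner runs as close to the app as possible: here, the app on localhost
  host: http://localhost:3000
hawk:
  # Make the scan exit non-zero (and so break the CI job) when an untriaged finding
  # at or above this severity is present: low, medium or high
  failureThreshold: high
```

With that file in the working directory, the "docker run StackHawk" step from the demo is, per the StackHawk docs as I recall them, a run of the stackhawk/hawkscan image with the current directory mounted at /hawk and an API key passed in an environment variable; the scan's exit status is what a CI job checks to decide whether to fail the build.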