Automated Application Security Testing

With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities faster. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Scott Gerlach for a quick overview of JS application security testing with StackHawk.

This talk was presented at TestJS Summit 2021.

FAQ

StackHawk is a dynamic application security testing tool designed to test running HTTP applications and API endpoints for security bugs, helping prevent vulnerabilities in these applications.

StackHawk runs active security tests against your running applications to check that they handle user input and output safely and follow OWASP Top 10 best practices for application security. It can be run against applications on localhost, in CI/CD workflows, and against applications that have not yet been published.

Yes, StackHawk can be integrated into CI processes and is designed to provide feedback on scan findings which can be used to break a build based on the severity of untriaged findings. It supports various major CI platforms.

StackHawk can test various types of applications including REST API, GraphQL API, SOAP API, server-side applications, and single-page applications.

Most StackHawk scans for customer applications average around or under 10 minutes, thanks to optimizations such as placing the scanner close to the application and using open standards for informing the scanner.

The StackHawk scanner is configured via a YAML file that includes details such as the application’s location, environment, and application ID. Additional configurations can be made for authentication, handling cookies, CSRF tokens, and specifying parts of the application to exclude from scanning.

StackHawk allows you to validate security issues using a curl command provided by the scanner, facilitating easy replication of the issue. Issues can be quickly triaged and pushed to tools like Jira for fixing in future development cycles.

Yes, StackHawk can notify you of scan results through various channels such as Slack, Datadog, or a webhook, allowing for immediate processing of the data.
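
The build-breaking behaviour described in the answers above (fail when untriaged findings reach a chosen severity), as an added example that is not StackHawk's code. The finding shape, field names, status values and the `evaluateGate` helper are assumptions made for illustration, not the product's webhook or API format.

```javascript
// Added example: CI gate on untriaged scan findings.
// The data shape is constructed for illustration and is NOT StackHawk's format.
const SEVERITY_RANK = new Map([["low", 1], ["medium", 2], ["high", 3]]);

// Constructed sample mirroring the demo in the talk: a new SQL injection
// finding, a cross-site scripting finding already assigned to a ticket,
// and a low-severity finding nobody has looked at yet.
const sampleFindings = [
  { name: "SQL Injection", severity: "high", status: "new" },
  { name: "Cross Site Scripting", severity: "high", status: "assigned" },
  { name: "Missing Security Header", severity: "low", status: "new" },
];

// Decide whether the build may proceed.
// Assumption: a finding counts as untriaged only while its status is "new".
function evaluateGate(findings, failThreshold = "medium") {
  const threshold = SEVERITY_RANK.get(failThreshold);
  if (threshold === undefined) {
    throw new Error(`unknown fail threshold: ${failThreshold}`);
  }
  const blocking = [];
  const ignored = [];
  for (const finding of findings) {
    const rank = SEVERITY_RANK.get(String(finding.severity).toLowerCase());
    const untriaged = finding.status === "new";
    // Fail closed: an unrecognised severity is treated as severe enough.
    const severeEnough = rank === undefined || rank >= threshold;
    (untriaged && severeEnough ? blocking : ignored).push(finding);
  }
  return { pass: blocking.length === 0, blocking, ignored };
}

// Map the gate result to the exit code a CI step would return.
function exitCodeFor(result) {
  return result.pass ? 0 : 1;
}

const result = evaluateGate(sampleFindings, "medium");
for (const finding of result.blocking) {
  console.log(`BLOCKING: ${finding.name} (${finding.severity}, ${finding.status})`);
}
console.log(`gate ${result.pass ? "passed" : "failed"}, exit code ${exitCodeFor(result)}`);
```

A triaged finding stays visible in the `ignored` list, so the gate stops blocking on it without hiding it from the report.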

Scott Gerlach
9 min
18 Nov, 2021

Video Summary and Transcription

StackHawk is a dynamic application security testing tool that helps you find, understand, and fix security bugs in your running HTTP applications and API endpoints. It runs active security tests using OWASP Top 10 best practices and can be integrated into CI/CD workflows. The scanner provides detailed scan results, including findings like SQL injection and cross-site scripting issues, and can be configured using YAML. StackHawk can be used to triage and prioritize security issues, and it can be seamlessly integrated into the development workflow.

1. Introduction to StackHawk

Short description:

StackHawk is a dynamic application security testing tool that helps you find, understand, and fix security bugs in your running HTTP applications and API endpoints. It was built for automation and CI/CD to be part of your robust testing strategy for your application development lifecycle.

What's up, TestJS Summit? I'm Scott Gerlach, Chief Security Officer and Co-Founder here at StackHawk. Thanks for taking time to check out StackHawk, and I hope you're having a great conference with TestJS Summit.

Quickly, StackHawk is a dynamic application security testing tool. You can use it to test your running HTTP applications and API endpoints for security bugs and keep them from becoming vulnerable. You can use StackHawk to run active security tests on your running REST API, GraphQL API, SOAP API, server-side application and single-page applications. StackHawk was built for automation and CI/CD to be part of your robust testing strategy for your application development lifecycle. It also makes finding, understanding and fixing security bugs easy.

2. How StackHawk Works

Short description:

StackHawk runs active security tests against your applications to ensure they handle user input and output safely. It implements OWASP Top 10 best practices and can be used locally or in CI/CD workflows. The scanner is configured via YAML, providing simple descriptions and examples of security issues. Integration with CI platforms and information tools is seamless, and scan results can be sent to various channels or used for breaking builds. Running the StackHawk scanner involves using a Docker command, which performs a crawl and an attack to identify potential security issues. The results include a summary of findings, such as SQL injection and cross-site scripting issues.

How does StackHawk work, you ask? Great question. StackHawk runs active security tests against your running applications to ensure that your application is handling user input and output in a safe manner as well as implementing OWASP Top 10 best practices for application security. We can do this against your running application on your localhost, in CI/CD workflows and against applications that have yet to be published on the internet.

We also made dynamic testing fast by placing the scanner as close to the application as possible and by using open standards to inform the scanner: OpenAPI spec, GraphQL introspection queries, SOAP WSDL, in addition to the scanner tuning we've made. Most StackHawk customer application scans average around or under 10 minutes.

Finding and fixing security issues is simple with StackHawk. Our focus as a company is to help developers find, and most importantly fix, security issues. The StackHawk scanner and platform are built around this simplicity model. The scanner is configured via YAML that lives with the code for the application that you're testing. When StackHawk findings are triaged, the platform is trying to give you the simplest version of the information needed to help you quickly understand what the problem is, with simple descriptions and examples of patterns to help you identify the antipattern, be able to recreate the issue with tools like a simple curl command to replay the attack, and get you into debug mode, stepping through code as fast as possible to help you fix issues and get back to your regular job of creating value for your customers.

All of this is CI/CD enabled. Again, you can integrate this into your CI process and, importantly, get feedback into the CI process on scan findings. This information can be used to break a build if you choose, based on severity of untriaged findings. Most of the major CI player logos are shown here on this slide, and even if your particular one isn't, chances are pretty good StackHawk will work in your platform as long as it can run a Docker container. If you can run Docker, you can run StackHawk. You can also see here StackHawk integrates with your workflow and information tools. We can notify you of your scan results in a Slack channel, publish that information to Datadog or send you a simple webhook message that you can then use to process and do with the data what you choose.

Let's take a look at what running the StackHawk scanner looks like. As you can see here, I've got a standard server-side application. This one is a pulls app that I want to test for security issues. So over here on my command line, I've got a simple Docker command that I ran. So Docker run StackHawk. I fed it the StackHawk YAML; we'll look at that in a second. As you can see, it did a standard crawl, looking for all the interesting things on the web page that it could, and then it did an attack. So it actively attacked this application for potential security issues. When it was all done, we've got a summary of these findings. So I've actually got a SQL injection issue that I need to take care of. You can see that it's new. I also have a cross-site scripting issue that I've done something with before. I actually made a ticket out of this. So now it's in an assigned status. We've got a bunch of other things that we can look at as well, but let's take a look at those too.