Automated Security Testing for JS Apps & Underlying APIs

What's up, JSNationLive. Scott Gerlach, co-founder and CSO of StackHawk here. Thanks for taking time to check out what StackHawk has to offer.

Real quick, StackHawk is a dynamic application security testing tool. You can use it to test your running HTTP applications. That's application and API security testing, REST APIs, GraphQL, server-side HTML, and single-page apps.

StackHawk was built for automation in CICD. Makes finding and fixing security vulnerabilities very, very simple.

A little bit of how it works. First of all, it scans your application, and by scans your application we mean it runs anywhere. You can run it on your local host while you're writing code, testing your application, back that up in CICD, test your application there before you push it to prod, and then, again, if you want to, you can run it in prod.

It's built to scan those modern applications, like I mentioned, server-side HTML, single-page apps, REST API, where you have an open API spec, and GraphQL, where you have GraphQL introspection queries turned on. All of those things help inform the scanner as to how to do a good job testing your application for security vulnerabilities.

Once the test is all done, it does a really good job of showing you where those problems are found and potentially how to fix them. Finding and fixing those security issues is super simple with the Stackhawk platform.

The Stackhawk platform presents you with the criticality of an issue, the issue type, the path, and the request-response pair that actually generated the issue. The other thing that's really awesome about the Stackhawk platform is there's a curl recreation of that finding. So there's a curl command that you can copy and paste and run the same attack that the scanner did against your application to be able to just put your application in debug mode, step through that code, and quickly find where you may have made a mistake.

All of that is set up for CICD and you can break your build. You can set up the Stackhawk scanner to exit non-zero if it finds an issue of a severity type, medium or higher, high or high or higher, low or higher, all of those things are totally configurable in the Stackhawk platform. It does not do that natively. You can configure that for your own work.

Stackhawk integrates with your engineering stack. As you can see, I've got icons from some of the major popular players in CICD. Stackhawk works with all of them. Because it's Docker based, if your CICD system can run Docker, it can run Stackhawk.

Let's jump into a quick demo to see how Stackhawk works. Here you can see I've got my vulnerable Django application. This is just a basic Django application, so server side HTML, and I'm testing it with my Stackhawk scanner. The way that looks is I've got a simple Docker command, docker run stackhawk hawkscan.

I've got the configuration file, which we're going to take a look at next. And what happens is the DAST scanner crawls your application, looking for interesting things to test, and then tests it. Once that's done, you get a simple summary of what's happening, what Stackhawk found. So here you can see I've got a cross-site scripting issue, a SQL injection issue, and some lower issues. We'll focus on those highs for today. At the very bottom of this, I've got a link back to the Stackhawk platform. This is exactly the same output you'd get in CICD, so if you chose to break build in CICD, you'd have a link to be able to go triage these issues.