GraphQL Security Testing Automation for Developers

♪♪ I'm Oli, VP here at Neuraligions Developer Focused Security Testing Scanner. Thanks for joining as we discuss accurate security testing automation for developers and the CICD.

Now, a quick intro into Neuraligions. We're a global team of security experts and researchers creating the best dynamic application security testing scanner built to be loved by developers to test your apps, your APIs, but more importantly, to also be trusted by your security. You're releasing software faster than ever and security needs to keep up and this process needs to be owned by you developers.

We enable you to build the scan surface from the very first unit tests running tests on every build or every pull request. This is seamlessly integrated into your pipelines but more importantly, with no false positives. So you can trust the output to make detecting and fixing security vulnerabilities really, really quick and really, really simple. But let's take a look at what's under the hood. We have a nice UI for security folk to play around with and configure scans manually. But we're built for developers to own the security testing process as I mentioned.

Now if you sign up for our free account, you'll see this very, very nice UI but you'll also immediately notice that you can run scans via the CLI repeater installed via Docker Compose, NPM, Win and can actually configure your scans as code with a global YAML configuration based files integrated into your CI CD. For more info, you can obviously go and see our docs for a full command list. So you can actually stay in your terminal to manage these scans.

So how can you start automating your security testing today? Well, in terms of coverage, we've got you. With Neural Legion, you can start scanning every build for security vulnerabilities as part of your CI. Whether that's against your web apps, your internal apps, or indeed against your APIs, whether that's REST, SOAP, or indeed, GraphQL. Microservices and single page applications are fully supported. Whether pointing our scanner to a local or indeed a production URL, whether we are ingesting your API schemas or indeed Postman collections, or whether you're uploading your HTTP archive files, your heart files into our engine.

This also means that you can really define the scope of the security test, perhaps against a single entry point or a single end point, or against a specific new feature that you just made. These discovery methods can be run separately or indeed concurrently, meaning you can handle client-side dynamic content, JavaScript, and more. Are you using Selenium or indeed Cypress, for example? Well, you can start leveraging those existing functional scripts and get scanning with these heart files. This means that your developers and QA can now start working together, treating security bugs like your functional ones without the need to be a cybersecurity expert. Either way, scans are fast, running in minutes or hours, not days, maintaining your DevOps speed. The more you can find and fix, though, the better.

We have a comprehensive list of testing categories covering the OS top 10, the OS API top 10, Mitre 25, and indeed more. Additionally, our engine understands the context, understands the responses that we're getting back from the application server. And we can actually use this to test for business logic vulnerabilities, not just your trivial injections, but how can our engine bypass the logic or the validation mechanisms in your applications and APIs, removing even more manual security testing and truly putting security testing into the hands of developers. Authenticated scans are fully supported to maximize coverage, whether using formal authentication or header authentication, NTLM, OAuth, or indeed custom, multi-step authentication amongst others. We've got you covered in that respect.

But I think the biggest issue with security scanners though is accuracy, right? Hands up if you love false alerts. No, I didn't think so. How much time do you spend validating issues or fixing issues from six months or a year ago? DevOps and CICD equals automation, correct? How can you do that without accuracy?

Developers want to know real issues, not hyperbole. People always talk about reducing false positives. Well, here at New Religion, we like to talk about removing false positives altogether for you automatically. Whether you're in a startup or a small organization, probably without a dedicated security team, or you might be a large enterprise organization where developers outweigh security by 50 or indeed 100 to one. Either way, you're developing and releasing at breakneck speed with multiple builds a day, but also introducing security issues into production at the same speeds too.

The last thing you wanna do is start introducing a bunch of false positives to your workload that needs validation, let alone not being able to actually validate your risk. Results just get ignored and pretty much the tool will be disabled. False positives in this manual validation of results is crippling your rapid release cycles and adds to your technical debt. Neuralegion scanner automatically validates every finding with a full proof of concept with no manual validation required. Your bills aren't gonna be failing for no reason and your JIRA ticket not swelling at the seams with false positives.

This example on the right has an automatically generated screenshot of this reflective cross site scripting security issue which causes this pop-up executable created perhaps by a malicious user. We automatically look for this reflection as part of our validation process and present it to you. Confirming the issue and making sure you're not chasing your tail. But now you know what's being reported as real, how do you fix the issues? Well, we give you full visibility of what's happening. Understand where your recurring issues are or new issues are being detected. Again, fully validated automatically by the engine so you don't have to do it. Developer friendly remediation guidelines are provided with additional resources to help you understand the issues and more importantly, how to fix them. All requests, responses, headers are provided and all issues can be copied as a curl for debugging with a cool retest feature to execute the same attack or the same payload, making remediation quicker and easier for you the developer. Assigning engineering teams or assets to specific projects allows you to segregate scanning and get global visibility, whether that's of your scans or indeed of your risk posture, which means teams are creating the same issues then training can be provided. Look at it as secure training on the go. And all of this seamlessly integrated into your pipelines.

With CICD and DevOps, we talk about shifting left. DAST has traditionally been carried out in stages four and five, run by security professionals. Tools have been built for security professionals. You can start shifting left, putting DAST into the hands of developers with Neuralegion. Scan every commit or pull request, get immediate feedback of the issues, no false positives to start fixing now. We have integrations with all your common tools or better still use our API and integrate. Jira tickets can be opened, messages sent to relevant colleagues in Slack. Collaboration is seamless, easy and accurate. So what are you waiting for? Sign up for a free account and you can be up and scanning in minutes. Connect with us, see our docs for more info. Either way, enjoy the conference and happy accurate security scanning.