GraphQL Security Testing Automation for Developers


NeuraLegion's developer-friendly security scanner enables development teams to run accurate security tests on every build as part of their pipeline. False alerts and periodic, infrequent scanning result in technical and security debt, as well as an insecure product. But what is developer-first DAST, when and how should you be integrating it into your pipelines, and what should you be looking for when enhancing your GraphQL security testing automation? Join this talk to get up to date.

This talk has been presented at GraphQL Galaxy 2021, check out the latest edition of this Tech Conference.

FAQ

NeuraLegion is a global team of security experts and researchers who have created a dynamic application security testing (DAST) scanner designed specifically for developers. The scanner tests applications and APIs and reports findings without false positives.

NeuraLegion enables developers to build the scan surface from the first unit tests and run tests on every build or pull request. It integrates into CI/CD pipelines with no false positives, making detecting and fixing security vulnerabilities quick and simple.

NeuraLegion can scan web apps, internal apps, and APIs including REST, SOAP, and GraphQL. It supports microservices and single-page applications, and can target both local and production URLs.

NeuraLegion automatically validates every finding with a full proof of concept, so no manual validation is required. This removes false positives and lets developers focus on real issues.

NeuraLegion integrates with many common tools and provides an API for custom integrations. It supports CI/CD tools, and can open Jira tickets or send messages to Slack for seamless collaboration.

Yes, NeuraLegion supports authenticated scans using various methods including form authentication, header authentication, NTLM, OAuth, and custom multi-step authentication to maximize coverage.

NeuraLegion covers a comprehensive list of testing categories including the OWASP Top 10, the OWASP API Top 10, and the MITRE 25, among others. It also tests for business logic vulnerabilities.

Developers can run scans via the CLI and Repeater, installed via Docker Compose, NPM, or Windows, and configure scans as code using global YAML configuration files integrated into their CI/CD.

NeuraLegion offers a UI for manual scan configuration, the ability to run scans via the CLI, comprehensive testing categories, automated validation with a proof of concept, and developer-friendly remediation guidelines.

NeuraLegion scans are designed to run quickly, typically in minutes or hours, not days, so they maintain the speed required for DevOps and CI/CD workflows.

Oliver Moradov
9 min
09 Dec, 2021


Video Summary and Transcription

NeuraLegion is a dynamic application security testing scanner designed for developers to test apps and APIs, with results that security teams can trust. It integrates into pipelines and provides accurate results without false positives. The biggest issue with security scanners is accuracy, and NeuraLegion addresses this by automatically validating findings and eliminating false positives. It also provides full visibility of recurring and new issues, along with developer-friendly remediation guidelines. Integrations with common tools and an API make collaboration seamless and accurate.

1. Introduction to NeuraLegion

Short description:

NeuraLegion is a dynamic application security testing scanner designed for developers to test apps and APIs, with results that security teams can trust. It integrates into pipelines and provides accurate results without false positives. With NeuraLegion, you can automate security testing for web apps, internal apps, and APIs, with support for REST, SOAP, and GraphQL. The scanner allows you to define the scope of the test, handle dynamic content, and leverage existing functional scripts. Scans are fast, covering various testing categories and business logic vulnerabilities. Authenticated scans are fully supported.

I'm Oli, VP here at NeuraLegion, the developer-focused security testing scanner. Thanks for joining as we discuss accurate security testing automation for developers and CI/CD.

Now, a quick intro into NeuraLegion. We're a global team of security experts and researchers creating the best dynamic application security testing scanner, built to be loved by developers to test your apps and your APIs, but more importantly, to also be trusted by your security team. You're releasing software faster than ever, and security needs to keep up, and this process needs to be owned by you developers.

We enable you to build the scan surface from the very first unit tests, running tests on every build or every pull request. This is seamlessly integrated into your pipelines, but more importantly, with no false positives. So you can trust the output to make detecting and fixing security vulnerabilities really, really quick and really, really simple. But let's take a look at what's under the hood. We have a nice UI for security folk to play around with and configure scans manually. But we're built for developers to own the security testing process, as I mentioned.

Now if you sign up for our free account, you'll see this very, very nice UI, but you'll also immediately notice that you can run scans via the CLI and Repeater, installed via Docker Compose, NPM or Windows, and can actually configure your scans as code with global YAML-based configuration files integrated into your CI/CD. For more info, you can obviously go and see our docs for a full command list. So you can actually stay in your terminal to manage these scans.

So how can you start automating your security testing today? Well, in terms of coverage, we've got you. With NeuraLegion, you can start scanning every build for security vulnerabilities as part of your CI. Whether that's against your web apps, your internal apps, or indeed against your APIs, whether that's REST, SOAP, or indeed GraphQL. Microservices and single-page applications are fully supported. Whether pointing our scanner to a local or indeed a production URL, whether we are ingesting your API schemas or indeed Postman collections, or whether you're uploading your HTTP archive files, your HAR files, into our engine.

This also means that you can really define the scope of the security test, perhaps against a single entry point or a single endpoint, or against a specific new feature that you just made. These discovery methods can be run separately or indeed concurrently, meaning you can handle client-side dynamic content, JavaScript, and more. Are you using Selenium or indeed Cypress, for example? Well, you can start leveraging those existing functional scripts and get scanning with these HAR files. This means that your developers and QA can now start working together, treating security bugs like your functional ones without the need to be a cybersecurity expert. Either way, scans are fast, running in minutes or hours, not days, maintaining your DevOps speed. The more you can find and fix, though, the better.

We have a comprehensive list of testing categories covering the OWASP Top 10, the OWASP API Top 10, the MITRE 25, and indeed more. Additionally, our engine understands the context, understands the responses that we're getting back from the application server. And we can actually use this to test for business logic vulnerabilities, not just your trivial injections, but how can our engine bypass the logic or the validation mechanisms in your applications and APIs, removing even more manual security testing and truly putting security testing into the hands of developers. Authenticated scans are fully supported to maximize coverage, whether using form authentication or header authentication, NTLM, OAuth, or indeed custom, multi-step authentication, amongst others. We've got you covered in that respect.

2. Benefits of Neuralegion Scanner

Short description:

The biggest issue with security scanners is accuracy. Developers want real issues, not false positives. Neuralegion automatically validates findings, eliminating false positives. It provides full visibility of recurring and new issues, along with developer-friendly remediation guidelines. Integrations with common tools and APIs make collaboration seamless and accurate.

But I think the biggest issue with security scanners, though, is accuracy, right? Hands up if you love false alerts. No, I didn't think so. How much time do you spend validating issues or fixing issues from six months or a year ago? DevOps and CI/CD equal automation, correct? How can you do that without accuracy?

Developers want to know real issues, not hyperbole. People always talk about reducing false positives. Well, here at NeuraLegion, we like to talk about removing false positives altogether for you, automatically. Whether you're in a startup or a small organization, probably without a dedicated security team, or you might be a large enterprise organization where developers outnumber security by 50 or indeed 100 to one. Either way, you're developing and releasing at breakneck speed with multiple builds a day, but also introducing security issues into production at the same speed too.

The last thing you want to do is start introducing a bunch of false positives to your workload that need validation, let alone not being able to actually validate your risk. Results just get ignored, and pretty much the tool will be disabled. False positives and this manual validation of results are crippling your rapid release cycles and add to your technical debt. The NeuraLegion scanner automatically validates every finding with a full proof of concept, with no manual validation required. Your builds aren't going to be failing for no reason, and your Jira tickets aren't swelling at the seams with false positives.

This example on the right has an automatically generated screenshot of this reflected cross-site scripting security issue, which causes this pop-up, executable code that could perhaps be created by a malicious user. We automatically look for this reflection as part of our validation process and present it to you, confirming the issue and making sure you're not chasing your tail. But now you know what's being reported is real, how do you fix the issues? Well, we give you full visibility of what's happening. Understand where your recurring issues are or where new issues are being detected. Again, fully validated automatically by the engine, so you don't have to do it. Developer-friendly remediation guidelines are provided with additional resources to help you understand the issues and, more importantly, how to fix them. All requests, responses and headers are provided, and all issues can be copied as a curl command for debugging, with a retest feature to execute the same attack or the same payload, making remediation quicker and easier for you, the developer. Assigning engineering teams or assets to specific projects allows you to segregate scanning and get global visibility, whether that's of your scans or indeed of your risk posture, which means that if teams are creating the same issues, then training can be provided. Look at it as secure training on the go. And all of this is seamlessly integrated into your pipelines.
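The reflection check described above, as an added illustration that is not NeuraLegion's code: a candidate reflected-XSS finding is only reported when a unique canary comes back verbatim inside an HTML document, while an entity-escaped echo, or a raw echo in a non-HTML response such as a GraphQL JSON error, is discarded, and each confirmed finding gets a curl reproducer for retesting. The host app.example and the sample responses are constructed for the example.

```python
import html
import shlex
from urllib.parse import quote

# Constructed canary: a unique token plus characters that only matter when rendered as HTML.
CANARY = "nlq7x<b>"


def classify_reflection(canary: str, content_type: str, body: str) -> str:
    """Say how the canary came back, so only a real reflection is reported.

    confirmed : reflected verbatim into an HTML document -> report it
    encoded   : reflected but entity-escaped -> not exploitable, not a finding
    not_html  : reflected verbatim but not served as text/html (e.g. a GraphQL
                JSON error echoing the field name); a browser honouring the
                Content-Type will not render it as markup
    absent    : not reflected at all
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if canary in body:
        return "confirmed" if media_type == "text/html" else "not_html"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "absent"


def as_curl(method: str, url: str, headers: dict, data=None) -> str:
    """Build a copy-pasteable curl reproducer for a confirmed finding."""
    parts = ["curl", "-X", method]
    for name, value in headers.items():
        parts += ["-H", f"{name}: {value}"]
    if data is not None:
        parts += ["--data", data]
    parts.append(url)
    return " ".join(shlex.quote(p) for p in parts)


# Constructed sample responses (hypothetical host app.example), one per outcome.
SAMPLES = [
    {"name": "search page", "method": "GET",
     "url": f"https://app.example/search?q={quote(CANARY)}", "headers": {}, "data": None,
     "content_type": "text/html; charset=utf-8",
     "body": f"<p>Results for {CANARY}</p>"},                    # raw echo in HTML
    {"name": "escaped search page", "method": "GET",
     "url": f"https://app.example/search?q={quote(CANARY)}", "headers": {}, "data": None,
     "content_type": "text/html; charset=utf-8",
     "body": f"<p>Results for {html.escape(CANARY)}</p>"},       # entity-escaped echo
    {"name": "graphql error", "method": "POST", "url": "https://app.example/graphql",
     "headers": {"Content-Type": "application/json"},
     "data": '{"query":"{ ' + CANARY + ' }"}',
     "content_type": "application/json",
     "body": '{"errors":[{"message":"Cannot query field \\"' + CANARY + '\\" on type Query"}]}'},
]


def triage(samples) -> dict:
    """Return {name: (verdict, curl_or_None)}; only confirmed findings get a reproducer."""
    out = {}
    for s in samples:
        verdict = classify_reflection(CANARY, s["content_type"], s["body"])
        repro = as_curl(s["method"], s["url"], s["headers"], s["data"]) if verdict == "confirmed" else None
        out[s["name"]] = (verdict, repro)
    return out


if __name__ == "__main__":
    for name, (verdict, repro) in triage(SAMPLES).items():
        print(f"{name}: {verdict}" + (f"\n  retest: {repro}" if repro else ""))
```

A real scanner also has to consider where in the document the echo lands (attribute, script block, comment), which a plain substring check does not distinguish.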

With CI/CD and DevOps, we talk about shifting left. DAST has traditionally been carried out in stages four and five, run by security professionals, and tools have been built for security professionals. You can start shifting left, putting DAST into the hands of developers with NeuraLegion. Scan every commit or pull request, get immediate feedback on the issues, with no false positives, and start fixing now. We have integrations with all your common tools, or better still, use our API and integrate. Jira tickets can be opened, messages sent to relevant colleagues in Slack. Collaboration is seamless, easy and accurate. So what are you waiting for? Sign up for a free account and you can be up and scanning in minutes. Connect with us, see our docs for more info. Either way, enjoy the conference and happy accurate security scanning.
