GraphQL Security Testing Technical Workshop

Rate this content
Bookmark

We’ve all heard the buzz around pushing application security into the hands of developers, but if you’re like most companies, it has been hard to actually make this a reality. You aren’t alone – putting the culture, processes, and tooling in place to make this happen is tough – especially for sophisticated applications like those backed GraphQL. In this hands-on technical session, StackHawk Senior DevOps Engineer, Zachary Conger, will walk through how to protect your GraphQL APIs from vulnerabilities using automated security testing. Get ready to roll-up your sleeves for automated AppSec testing.

This workshop has been presented at GraphQL Galaxy 2021, check out the latest edition of this Tech Conference.

FAQ

Zachary Conger is a senior DevOps engineer at StackHawk, whose main role involves managing the company's dynamic application security testing product, known as a DAST scanner.

Participants need a GitHub account to fork a repository for the test application and set up GitHub Actions workflows to automate the build and security testing of the application. This setup is crucial for integrating security tests and automating code checks directly within GitHub.

Dependabot tests the application for known vulnerabilities in dependencies. It automatically checks the dependencies specified in the project against a catalog of known vulnerabilities and suggests updates or fixes through pull requests to maintain security.

The workshop mentions several tools including Dependabot for dependency scanning, CodeQL for scanning the application's codebase for vulnerabilities, and StackHawk for dynamic application security testing of the running application.

Discord is used during the workshop for interactive communication, including conducting polls and checkpoints to ensure participants are keeping up with the workshop progress. It helps in coordinating the workshop flow and enhancing participant engagement.

GitHub Actions is utilized to automate the build process of a test application in a CI/CD pipeline. It allows for the addition of security tests to the workflow, ensuring that every code push is automatically tested for vulnerabilities.

StackHawk is recommended for use in non-production environments like development or staging because it actively tests and probes services for vulnerabilities, which could potentially modify or impact data if used in a production environment.

Participants can indicate whether they have caught up at various checkpoints in the workshop by giving a thumbs up or thumbs down in Discord, based on their progress. This helps the instructors ensure everyone is on track and can proceed with the next section.

Zachary Conger
Zachary Conger
104 min
06 Dec, 2021

Comments

Sign in or register to post your comment.
Video Summary and Transcription
Today's workshop covers Automated GraphQL Security Testing using tools like Dependabot, CodeQL, and StackHawk. It explores security tests such as software composition analysis and static application security testing. The workshop demonstrates setting up GitHub Actions workflows, enabling Dependabot for dependency security, and configuring CodeQL analysis. It also highlights the use of StackHawk for automated penetration testing and optimizing the scanning process. The workshop emphasizes the importance of continuous testing and security measures in software development.

1. Introduction to Automated GraphQL Security Testing

Short description:

Today's workshop is about Automated GraphQL Security Testing. We will cover various security tests, including software composition analysis (SCA) and static application security testing (SAS). We'll use tools like Dependabot and CodeQL to scan for vulnerabilities in your dependencies and code base. These tests will be automated in the CI/CD pipeline. Let's get started by forking a GraphQL application repository and adding security tests to it.

The following videos are extracts of this series. Today, the title is Automated GraphQL Security Testing. And my name is Zachary Conger. I'm a senior DevOps engineer at StackHawk, and I work as a company manager for StackHawk. And my main role is to help you have a DAST product, a dynamic application security test scanner. I'm a DevOps early adopter. I've been doing software development, automation, testing, observability, that kind of stuff for many years now, far too many years. And in my spare time, I like to play music, ride my bike and take amateur photographs.

I'm really, really super helpful with any technical issues that will come up. But hopefully there won't be too many, because again, we're gonna be operating completely out of a web browser, which is pretty much all you need today. One last time, you should go get the workshop guidebook, there's a link in Discord and in the Zoom chat. We're gonna be using Discord, so get on Discord if you're not there already. We'll be using it for polls and checkpoints, so as we get to certain points in the workshop, we'll stop and say, hey, has everybody caught up? And you give us a thumbs up if you are and thumbs down if you are not. Really helps with the flow and making sure that everybody can get the most out of the workshop. And finally, if you don't have a GitHub account, go to github.com and sign up.

Here's the agenda for today. We are going to take a GraphQL application. It's a simple test GraphQL application that really doesn't do very much other than provide a graphical interface. It's like a little blog engine, simple blog engine. It's got some vulnerabilities in it. What we're gonna do is all of us are gonna fork that repository to our own GitHub account, then we're gonna add GitHub Actions workflow to automate the build of that application in GitHub Actions. Then we're gonna start adding security tests to that workflow so that every time you push code to the GitHub repo, you're gonna run some more tests against it. So the first test, actually, some of these are workflow-based and others are more automatic than that, they just happen in the background. So Dependabot is the first test that we'll add, which will test your application for known vulnerabilities and any dependencies that you pull in. The next one will be CodeQL, which will scan the app's code base, actually, it parks through all of the code and looks for patterns that indicate vulnerabilities. And then, finally, we're gonna add Stackhawk, which will dynamically scan the running application for vulnerabilities. And this all happens in the CICD pipeline, so it's automatic on every push.

Okay, so I mentioned these forms of testing and let me go through them in a little bit more detail. This workshop is supposed to be kind of general, but we are using some specific tools. Of course, Stackhawk is one of them and I'm from Stackhawk. We think it's the best DAST tool out there, but there are other options and the point of this workshop is to make you aware of all of them, or many of them. So the first kind of test that we're gonna do is called SCA or software composition analysis. And in this form of testing, it operates on static code and it goes through your dependencies. It looks at your, in this case, we're gonna look at the package.json file and the package lock.json file, and we're gonna look, it's gonna build out the dependency chain and check those all against the catalog of open source libraries and dependencies and report on any known vulnerabilities in any of those library versions. And if it finds any, it's gonna give you a plan of action to fix that. So SCA has become sort of a table stakes standard thing that you should do in all of your repositories. There are no false positives in a sense because all of the vulnerabilities that it finds are known vulnerabilities and it's really fast and it's really easy and it's generally free. Most of the outfits out there that offer SCA offer a free plan or a pretty cheap plan. So we're gonna use Dependabot today, but there's other really great options out there. Sneak is one of the best, actually. I may actually, we may actually pull Sneak in as the SCA option that we do in the future. Dependabot's really nice too. And then there's another version out there, an open source version called FASA, they also have a commercial backed option. The next kind of testing that we're gonna add to our application is called SAS or Static Application Security Testing. An examples of this are CodeQL, which we're gonna be using today. There's also SonarQube and CheckMarks and a number of other good options. If you just search Google for SAS, you'll find lots of options out there. This kind of testing also operates on static code, but it's not looking at your dependencies at all. It's actually looking through your code base and it's looking for patterns that would indicate that you might have a vulnerability. Perhaps you're not doing any sanitization of inputs, for instance, it would generally find that kind of problem and report it back to you.

2. DAST and GitHub Actions

Short description:

DAST is a dynamic application security testing method that scans running code for vulnerabilities. It sends requests to the application, analyzes the responses, and reports suspected vulnerabilities. Unlike SAST, DAST has lower false positives and finds more useful issues. However, it can be slow, depending on the size and responsiveness of the application. We'll also explore GitHub Actions, a CI/CD pipeline integrated into GitHub, with a marketplace of actions that simplify complex steps. We'll use GitHub Actions to fork a test application and create a workflow with multiple steps. Each step can run shell commands or use actions from the marketplace, and secrets management is built-in.

It's really neat because as it finds your bugs, it can actually pinpoint them by file and by line. So it can let you know exactly where the problem is. It does tend to have kind of high false positives. And I found in my experience that it doesn't find much that's useful in comparison to other tools. But that's improving every day as these tools improve.

It's also kind of slow, cause it needs to compile your code and search through it and query against it. The larger your code base, the slower it gets.

Finally, we're going to be looking at DAST, dynamic application security testing. And there's several examples of this kind of scanner. Ours is called Stackhawk. That's what we'll be using today. Others include OASP Zap, which is an open-source project that Stackhawk is actually based on, we've built on top of OASP Zap. There's also Burp Suite, which is one that probably a lot of people know as a very common pen testing tool. And they've been working on making it easier to automate as well.

So dynamic application security testing is a form of scanning that operates on your running code. So typically this is a web-based application, maybe a REST interface in our case today. It's a GraphQL interface. And it just runs, it runs, it probes that service for vulnerabilities. It sends in requests, it looks at the responses and based on the responses that it gets, it tries to determine if there's some form of vulnerability. It reports on those suspected vulnerabilities. And instead of giving you line-by-line details, it gives you the input and output that caused the scanner to think that there is a problem with your code. Like SAST, it finds your bugs, but unlike SAST it tends to have lower false positives and it finds more really useful stuff. And in fact, because it's scanning a running application you can have some confidence that things that it finds are really things that are exposed in your application and exploitable in the wild. As long as what you're testing really represents what you're going to be running out in production. It can be a bit slow. That's one of the downsides of DAS. But that's kind of a function of how big your application is, how responsive it is, how close the scanner is to the running application. And even if it's fairly slow, there's usually ways that you can break it down and parallelize the scan to make it faster.

Okay, so that's what we're gonna be looking at today. And I think from there, we're gonna jump into starting out by, yeah, we're gonna look at GitHub Actions. So the first step in our plan is we're gonna fork a test application called phone GraphQL API. And we're gonna create a GitHub Actions workflow for it to build it basically in a CI CD pipeline built into GitHub.

So GitHub Actions is a CI CD pipeline built into GitHub, has a simple YAML configuration language and a huge marketplace of actions, which are like plugins. And this is kind of the genius of GitHub Actions in my opinion, that they created a really easy way for authors to create actions to make otherwise complex steps really easy through these little actions that you can add. So we'll use a couple of those actions. We're gonna use a stack hoc action, a code QL action, and so forth. But it's a really neat system. It's event driven, generally based on pushes, PRs, but you can have arbitrary web hooks as well, kickoff events. And for each workflow that you create, they call them workflows. Within a workflow, a single workflow will fire up a single runner. And by default, that happens in the GitHub cloud. They actually have VMs that will pop up for you in their own cloud. And then within a workflow, which instantiates a runner, you can have multiple jobs, which can run in parallel or can trigger one another, they can be ordered. And within each job, you've got a number of steps that run in sequence. So we're just gonna do a single workflow, single job, and a couple of steps in our workflow. So simple example. And then each step can be either to run a shell command, you can have Windows based runners, and you can have Linux based runners. So you can either run a simple shell command or run an action from the GitHub Actions marketplace. And we'll do a little bit of both. There's a built in secrets management solution in GitHub Actions, which is gonna come in handy because we're gonna use that to stash a secret API key.

QnA

Watch more workshops on topic

Build with SvelteKit and GraphQL
GraphQL Galaxy 2021GraphQL Galaxy 2021
140 min
Build with SvelteKit and GraphQL
Top Content
Featured WorkshopFree
Scott Spence
Scott Spence
Have you ever thought about building something that doesn't require a lot of boilerplate with a tiny bundle size? In this workshop, Scott Spence will go from hello world to covering routing and using endpoints in SvelteKit. You'll set up a backend GraphQL API then use GraphQL queries with SvelteKit to display the GraphQL API data. You'll build a fast secure project that uses SvelteKit's features, then deploy it as a fully static site. This course is for the Svelte curious who haven't had extensive experience with SvelteKit and want a deeper understanding of how to use it in practical applications.

Table of contents:
- Kick-off and Svelte introduction
- Initialise frontend project
- Tour of the SvelteKit skeleton project
- Configure backend project
- Query Data with GraphQL
- Fetching data to the frontend with GraphQL
- Styling
- Svelte directives
- Routing in SvelteKit
- Endpoints in SvelteKit
- Deploying to Netlify
- Navigation
- Mutations in GraphCMS
- Sending GraphQL Mutations via SvelteKit
- Q&A
Build Modern Applications Using GraphQL and Javascript
Node Congress 2024Node Congress 2024
152 min
Build Modern Applications Using GraphQL and Javascript
Featured Workshop
Emanuel Scirlet
Miguel Henriques
2 authors
Come and learn how you can supercharge your modern and secure applications using GraphQL and Javascript. In this workshop we will build a GraphQL API and we will demonstrate the benefits of the query language for APIs and what use cases that are fit for it. Basic Javascript knowledge required.
End-To-End Type Safety with React, GraphQL & Prisma
React Advanced 2022React Advanced 2022
95 min
End-To-End Type Safety with React, GraphQL & Prisma
Featured WorkshopFree
Sabin Adams
Sabin Adams
In this workshop, you will get a first-hand look at what end-to-end type safety is and why it is important. To accomplish this, you’ll be building a GraphQL API using modern, relevant tools which will be consumed by a React client.
Prerequisites: - Node.js installed on your machine (12.2.X / 14.X)- It is recommended (but not required) to use VS Code for the practical tasks- An IDE installed (VSCode recommended)- (Good to have)*A basic understanding of Node.js, React, and TypeScript
Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
JSNation US 2024JSNation US 2024
148 min
Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
Featured Workshop
Gregor Biswanger
Gregor Biswanger
In this hands-on workshop, you will be equipped with the tools to effectively test the security of web applications. This course is designed for beginners as well as those already familiar with web application security testing who wish to expand their knowledge. In a world where websites play an increasingly central role, ensuring the security of these technologies is crucial. Understanding the attacker's perspective and knowing the appropriate defense mechanisms have become essential skills for IT professionals.This workshop, led by the renowned trainer Gregor Biswanger, will guide you through the use of industry-standard pentesting tools such as Burp Suite, OWASP ZAP, and the professional pentesting framework Metasploit. You will learn how to identify and exploit common vulnerabilities in web applications. Through practical exercises and challenges, you will be able to put your theoretical knowledge into practice and expand it. In this course, you will acquire the fundamental skills necessary to protect your websites from attacks and enhance the security of your systems.
GraphQL for React Developers
GraphQL Galaxy 2022GraphQL Galaxy 2022
112 min
GraphQL for React Developers
Featured Workshop
Roy Derks
Roy Derks
There are many advantages to using GraphQL as a datasource for frontend development, compared to REST APIs. We developers in example need to write a lot of imperative code to retrieve data to display in our applications and handle state. With GraphQL you cannot only decrease the amount of code needed around data fetching and state-management you'll also get increased flexibility, better performance and most of all an improved developer experience. In this workshop you'll learn how GraphQL can improve your work as a frontend developer and how to handle GraphQL in your frontend React application.
Build a Headless WordPress App with Next.js and WPGraphQL
React Summit 2022React Summit 2022
173 min
Build a Headless WordPress App with Next.js and WPGraphQL
Top Content
WorkshopFree
Kellen Mace
Kellen Mace
In this workshop, you’ll learn how to build a Next.js app that uses Apollo Client to fetch data from a headless WordPress backend and use it to render the pages of your app. You’ll learn when you should consider a headless WordPress architecture, how to turn a WordPress backend into a GraphQL server, how to compose queries using the GraphiQL IDE, how to colocate GraphQL fragments with your components, and more.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

From GraphQL Zero to GraphQL Hero with RedwoodJS
GraphQL Galaxy 2021GraphQL Galaxy 2021
32 min
From GraphQL Zero to GraphQL Hero with RedwoodJS
Top Content
Tom Pressenwurter introduces Redwood.js, a full stack app framework for building GraphQL APIs easily and maintainably. He demonstrates a Redwood.js application with a React-based front end and a Node.js API. Redwood.js offers a simplified folder structure and schema for organizing the application. It provides easy data manipulation and CRUD operations through GraphQL functions. Redwood.js allows for easy implementation of new queries and directives, including authentication and limiting access to data. It is a stable and production-ready framework that integrates well with other front-end technologies.
Local State and Server Cache: Finding a Balance
Vue.js London Live 2021Vue.js London Live 2021
24 min
Local State and Server Cache: Finding a Balance
Top Content
This Talk discusses handling local state in software development, particularly when dealing with asynchronous behavior and API requests. It explores the challenges of managing global state and the need for actions when handling server data. The Talk also highlights the issue of fetching data not in Vuex and the challenges of keeping data up-to-date in Vuex. It mentions alternative tools like Apollo Client and React Query for handling local state. The Talk concludes with a discussion on GitLab going public and the celebration that followed.
Batteries Included Reimagined - The Revival of GraphQL Yoga
GraphQL Galaxy 2021GraphQL Galaxy 2021
33 min
Batteries Included Reimagined - The Revival of GraphQL Yoga
Envelope is a powerful GraphQL plugin system that simplifies server development and allows for powerful plugin integration. It provides conformity for large corporations with multiple GraphQL servers and can be used with various frameworks. Envelope acts as the Babel of GraphQL, allowing the use of non-spec features. The Guild offers GraphQL Hive, a service similar to Apollo Studio, and encourages collaboration with other frameworks and languages.
Rock Solid React and GraphQL Apps for People in a Hurry
GraphQL Galaxy 2022GraphQL Galaxy 2022
29 min
Rock Solid React and GraphQL Apps for People in a Hurry
The Talk discusses the challenges and advancements in using GraphQL and React together. It introduces RedwoodJS, a framework that simplifies frontend-backend integration and provides features like code generation, scaffolding, and authentication. The Talk demonstrates how to set up a Redwood project, generate layouts and models, and perform CRUD operations. Redwood automates many GraphQL parts and provides an easy way for developers to get started with GraphQL. It also highlights the benefits of Redwood and suggests checking out RedwoodJS.com for more information.
Adopting GraphQL in an Enterprise
GraphQL Galaxy 2021GraphQL Galaxy 2021
32 min
Adopting GraphQL in an Enterprise
Today's Talk is about adopting GraphQL in an enterprise. It discusses the challenges of using REST APIs and the benefits of GraphQL. The Talk explores different approaches to adopting GraphQL, including coexistence with REST APIs. It emphasizes the power of GraphQL and provides tips for successful adoption. Overall, the Talk highlights the advantages of GraphQL in terms of efficiency, collaboration, and control over APIs.
Step aside resolvers: a new approach to GraphQL execution
GraphQL Galaxy 2022GraphQL Galaxy 2022
16 min
Step aside resolvers: a new approach to GraphQL execution
GraphQL has made a huge impact in the way we build client applications, websites, and mobile apps. Despite the dominance of resolvers, the GraphQL specification does not mandate their use. Introducing Graphast, a new project that compiles GraphQL operations into execution and output plans, providing advanced optimizations. In GraphFast, instead of resolvers, we have plan resolvers that deal with future data. Graphfast plan resolvers are short and efficient, supporting all features of modern GraphQL.