Security Testing for GraphQL Backed Applications

Hi there, GraphQL Galaxy. I'm Ryan Severns, one of the founders and COO of StackHawk. I'm here to tell you a little bit about what we do at StackHawk. We are an application security testing tool. We make it easy for developers to find and fix security bugs. And in particular, we have some really cool things around GraphQL. So I'll run you through that.

So like I said, we do application and the application security testing. We do testing of the underlying APIs as well. And part of that is GraphQL. If you're not familiar with application security testing, there's really three main types. One is software composition analysis. So it's looking at the open source components, looking for vulnerabilities there. Another is static code analysis. So it's looking at the code, looking for known error types within whatever language you're using. And what we do here at StackHawk is called dynamic application security testing. So we're running active tests against your application, against a running version of your application. And we test server-side HTML, REST APIs, single-page applications, and we test GraphQL as well. We are the only product that does active automated testing of GraphQL. There's a handful that do some best practices checking, making sure you're doing certain things that are known to be best practices from a security standpoint. We are the only ones who actively run a test against your GraphQL endpoints and look for potential security vulnerabilities.

Big belief for Stackhawk is automation in CICD. We believe that every time you open a pull request, an application security test should run. Make sure that you're not introducing any new vulnerabilities before it passes the build and goes on to production. Ultimately, we make finding and fixing the security vulnerabilities very simple. Let me tell you a little bit about how it works. It all starts with a YAML configuration file. Like I said, we describe what to scan. We have server-side HTML, single page apps, REST APIs, GraphQL. You describe what to scan.

If you have authentication for your application, you can configure that here. We also have all kinds of other customization in terms of how the scanner runs. The beauty about GraphQL is that the configuration is really simple. You can see in the image here, you mark GraphQL enabled equals true and point it to the schema path of your introspection endpoint. You can also control certain things around which operations you're testing, the depth of recursion. There's a lot that you can customize there.

Then you kick off a scan with this Docker run Hawk scan command. This GIF will cycle through and show us a preview of it. The beauty of it running in Docker is it can run anywhere. It can run locally on your machine as you're developing. Super easy to implement in CICD. You can point it at a production application. I always say use caution because this is running an active security test and trying to find input validation errors among other things. It does try to input data into your database. Which is why we always advise test this on test this preproduction in a CICD environment.

It's super fast AppSec testing. You can see results in the terminal. Which is great for CICD logs. And it always has a link out to the two of the findings within the StackHawk app. Which I'll show you next. And that helps for where you go when you actually need to fix a bug. So, you jump into the StackHawk app. First thing I say is we are big believers in integrating with developer tools. We integrate with Slack, with Jira. Alerting in Slack, managing your issues in Jira. And really only land in StackHawk when there's a vulnerability you need to fix. And when you do end up there, we make it really easy to jump in. Figure out the context of what that bug is. We have a description of what the vulnerability is. We have links to fix documentation, so you know how to fix it.

And then we provide all of the information, the request that was sent to the application, the response, and a simple curl command to go recreate that as you step through the code in debug mode, to figure out where you're mishandling the data.

And then one nice thing is there's finding triage for CICD instrumentation. So it might break the build if you've introduced a new vulnerability. And if it ultimately is low risk, maybe you're not going to fix it or maybe it's something that will be prioritized in an upcoming sprint, you can send it to Jira, you can mark it as risk-accepted. The scanner will still find it, but it won't break the build every time.

So that's a quick overview of StackHawk in a nutshell. We would love for you to come test this out, so you can sign up for a free single user account if you want to test your own applications at stackhawk.com. We also have free trials for our team product. Same product, you just have extra users and collaborate with teammates. And be sure to swing by our booth here at GraphQL Galaxy. We are giving away t-shirts, entries to win a Nintendo Switch, and we would love to chat with you more. All right.