With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Ryan Severns for a quick overview of JS application security testing with StackHawk.
This talk has been presented at TestJS Summit - January, 2021, check out the latest edition of this JavaScript Conference.
Stackhawk is an application security tool designed to help developers find, triage, and fix security bugs in applications and APIs. It runs active security tests against live applications, differentiating itself from tools that only scan for open source vulnerabilities.
Stackhawk uses a YAML-based configuration and a Docker-based scanner to scan your application, whether locally, in CI/CD, or in a production environment. It analyzes both the application and its underlying APIs, identifies security issues, and provides tools and documentation to fix them efficiently.
Unlike tools that only check for vulnerabilities in open source libraries, Stackhawk focuses on the security of the entire application, including custom code. It is built on the open source ZAP project and is optimized for integration into CI/CD pipelines for continuous security testing.
Yes, Stackhawk is designed for automation within CI/CD pipelines, enabling developers to run security tests as part of the development process and fix vulnerabilities before they reach production.
Stackhawk provides detailed information on where each vulnerability is located within the application, includes a curl command to recreate the issue, and links to fix documentation. This helps developers understand and resolve issues quickly and efficiently.
Stackhawk is engineered to perform scans quickly, focusing on efficiency to ensure that scan times are measured in minutes rather than hours, which helps streamline the security testing process in fast-paced development environments.
Yes, Stackhawk includes a triage feature that allows developers to mark findings as 'risk accepted' or prioritize them for fixing. This helps manage security findings effectively without disrupting the development workflow.
Developers can sign up for a free account at stackhawk.com and begin using the tool by configuring their application's scan settings in a YAML file and running the Docker-based scanner as needed.
Stackhawk is an application security tool built for finding, triaging, and fixing application security bugs. It focuses on dynamic application and API security testing, looking for exploitable open source vulnerabilities and vulnerabilities introduced by the application. Stackhawk is built on top of the open source ZAP project and is designed for automation in CICD. It allows you to scan your application using a YAML configuration file and a Docker scanner. The scans can be run anywhere, including locally or in a production environment. Stackhawk is highly performant, providing results quickly, and allows you to triage and fix any findings.
Hey there, TestJS. My name is Ryan Severance. I'm one of the founders of Stackhawk. We're an application security tool built to make it simple for developers to find, triage, and fix application security bugs.
We built this company because we know that software is being shipped to production faster than ever before, and application security tooling needs to be able to keep up with the pace of modern software development. So let me tell you a little bit about Stackhawk.
Stackhawk is a dynamic application and API security testing tool. So we run active security tests against your running application. You may be familiar with tools that look for open source vulnerabilities. Vulnerabilities in the open source libraries that you're using. We're huge fans of those tools. That's a little different than what we do. We look at the application. So we do find any exploitable open source vulnerabilities, and we also find anything that you or your team may have added into the application that is creating a vulnerability. We are built on top of the open source ZAP project. And ultimately, we are built for automation in CICD.
So we're big believers in running a security test in the pipeline, find and fix vulnerabilities before they hit production. And we make that really simple. So here's how it works. You start with scanning your application. You have a YAML based configuration file and a Docker based scanner. It allows you to run the scans anywhere. You can run it locally, run it in CICD, you can point it at your production environment and run the scan. And it crawls the app. We pull in OpenAPI spec, GraphQL, introspection endpoint. Ultimately, we were built for scanning modern applications and hit both the application and the underlying APIs. And then ultimately, we're very focused on performance app tech testing. So if you've used any of these tools in the past, some of the legacy tools, the scan times are measured in hours, not minutes. And so we are big believers in being very performant. Then once you've run a scan, take a look at any findings and triage and fix those findings.
Stackhawk provides a comprehensive set of tools for application security testing and bug fixing. It offers features such as viewing findings, recreating requests, and easily fixing vulnerabilities. Stackhawk also allows for triaging findings and integrating with other engineering stacks. Visit stackhawk.com to sign up for a free account and learn more at docs.stackhawk.com.
So when you take a look at a finding, shows the the path that it was found on, you see the request that was sent in to the application, what the response was, giving evidence of the finding.
We have a button to create a curl command to go recreate that same request. It makes it really simple to step through the code, figure out where you might be mishandling something, and just drastically shortens the time to fix things.
A lot of application security findings are not that difficult to fix. It's just a matter of knowing where they are, being given the tools to go fix them. We have fixed documentation linked in the application as well. We make it really easy if there is a finding to fix it, get back to building the features that you're working on.
We also have a triage feature so that you can mark a finding as risk accepted, take a look at it, it's just not something that's worth fixing. Or maybe you've sent it to Jira, it's prioritized with your other engineering work. The scanner will still find it but it's not going to break the build, not going to be noisy. It allows you to manage how you want to deal with the security findings that do pop up.
And ultimately we're big believers in making it simple to integrate with the rest of your engineering stack. So we have lots of integrations and makes that simple.
So that's Stackhawk in a quick nutshell, would love for you to come check us out. You can sign up for a free account at stackhawk.com, you can check out our docs to learn a little bit more, that's docs.stackhawk.com. And feel free to reach out if you have any questions.
We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career
TestJS Summit 2021
TestJS Summit 2021
TestJS Summit 2022
TestJS Summit 2021
TestJS Summit 2021
TestJS Summit 2023
React Summit 2023TestJS Summit 2022React Summit 2022TestJS Summit 2023
React Summit US 2023
TestJS Summit - January, 2021
Comments