With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Ryan Severns for a quick overview of JS application security testing with StackHawk.
Security Testing for JS Apps
Video Summary and Transcription
Stackhawk is an application security tool that focuses on dynamic application and API security testing. It is built on top of the open source ZAP project and designed for automation in CICD. Stackhawk provides a comprehensive set of tools for application security testing and bug fixing, including viewing findings, recreating requests, and easily fixing vulnerabilities. It allows for triaging findings and integrating with other engineering stacks. Visit stackhawk.com to sign up for a free account and learn more at docs.stackhawk.com.
1. Introduction to Stackhawk
Stackhawk is an application security tool built for finding, triaging, and fixing application security bugs. It focuses on dynamic application and API security testing, looking for exploitable open source vulnerabilities and vulnerabilities introduced by the application. Stackhawk is built on top of the open source ZAP project and is designed for automation in CICD. It allows you to scan your application using a YAML configuration file and a Docker scanner. The scans can be run anywhere, including locally or in a production environment. Stackhawk is highly performant, providing results quickly, and allows you to triage and fix any findings.
Hey there, TestJS. My name is Ryan Severance. I'm one of the founders of Stackhawk. We're an application security tool built to make it simple for developers to find, triage, and fix application security bugs.
We built this company because we know that software is being shipped to production faster than ever before, and application security tooling needs to be able to keep up with the pace of modern software development. So let me tell you a little bit about Stackhawk.
Stackhawk is a dynamic application and API security testing tool. So we run active security tests against your running application. You may be familiar with tools that look for open source vulnerabilities. Vulnerabilities in the open source libraries that you're using. We're huge fans of those tools. That's a little different than what we do. We look at the application. So we do find any exploitable open source vulnerabilities, and we also find anything that you or your team may have added into the application that is creating a vulnerability. We are built on top of the open source ZAP project. And ultimately, we are built for automation in CICD.
So we're big believers in running a security test in the pipeline, find and fix vulnerabilities before they hit production. And we make that really simple. So here's how it works. You start with scanning your application. You have a YAML based configuration file and a Docker based scanner. It allows you to run the scans anywhere. You can run it locally, run it in CICD, you can point it at your production environment and run the scan. And it crawls the app. We pull in OpenAPI spec, GraphQL, introspection endpoint. Ultimately, we were built for scanning modern applications and hit both the application and the underlying APIs. And then ultimately, we're very focused on performance app tech testing. So if you've used any of these tools in the past, some of the legacy tools, the scan times are measured in hours, not minutes. And so we are big believers in being very performant. Then once you've run a scan, take a look at any findings and triage and fix those findings.
2. Stackhawk Features and Integration
Stackhawk provides a comprehensive set of tools for application security testing and bug fixing. It offers features such as viewing findings, recreating requests, and easily fixing vulnerabilities. Stackhawk also allows for triaging findings and integrating with other engineering stacks. Visit stackhawk.com to sign up for a free account and learn more at docs.stackhawk.com.
So when you take a look at a finding, shows the the path that it was found on, you see the request that was sent in to the application, what the response was, giving evidence of the finding.
We have a button to create a curl command to go recreate that same request. It makes it really simple to step through the code, figure out where you might be mishandling something, and just drastically shortens the time to fix things.
A lot of application security findings are not that difficult to fix. It's just a matter of knowing where they are, being given the tools to go fix them. We have fixed documentation linked in the application as well. We make it really easy if there is a finding to fix it, get back to building the features that you're working on.
We also have a triage feature so that you can mark a finding as risk accepted, take a look at it, it's just not something that's worth fixing. Or maybe you've sent it to Jira, it's prioritized with your other engineering work. The scanner will still find it but it's not going to break the build, not going to be noisy. It allows you to manage how you want to deal with the security findings that do pop up.
And ultimately we're big believers in making it simple to integrate with the rest of your engineering stack. So we have lots of integrations and makes that simple.
So that's Stackhawk in a quick nutshell, would love for you to come check us out. You can sign up for a free account at stackhawk.com, you can check out our docs to learn a little bit more, that's docs.stackhawk.com. And feel free to reach out if you have any questions.
Check out more articles and videos
We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career
Workshops on related topic
In this three-hour workshop we’ll introduce React Testing Library along with a mental model for how to think about designing your component tests. This mental model will help you see how to test each bit of logic, whether or not to mock dependencies, and will help improve the design of your components. You’ll walk away with the tools, techniques, and principles you need to implement low-cost, high-value component tests.
Table of contents- The different kinds of React application tests, and where component tests fit in- A mental model for thinking about the inputs and outputs of the components you test- Options for selecting DOM elements to verify and interact with them- The value of mocks and why they shouldn’t be avoided- The challenges with asynchrony in RTL tests and how to handle them
Prerequisites- Familiarity with building applications with React- Basic experience writing automated tests with Jest or another unit testing framework- You do not need any experience with React Testing Library- Machine setup: Node LTS, Yarn
Tests rely on many conditions and are considered to be slow and flaky. On the other hand - end-to-end tests can give the greatest confidence that your app is working. And if done right - can become an amazing tool for boosting developer velocity.
Detox is a gray-box end-to-end testing framework for mobile apps. Developed by Wix to solve the problem of slowness and flakiness and used by React Native itself as its E2E testing tool.
Join me on this workshop to learn how to make your mobile end-to-end tests with Detox rock.
Prerequisites- iOS/Android: MacOS Catalina or newer- Android only: Linux- Install before the workshop
1. Welcome to Postman- Explaining the Postman User Interface (UI)2. Workspace and Collections Collaboration- Understanding Workspaces and their role in collaboration- Exploring the concept of Collections for organizing and executing API requests3. Introduction to API Testing- Covering the basics of API testing and its significance4. Variable Management- Managing environment, global, and collection variables- Utilizing scripting snippets for dynamic data5. Building Testing Workflows- Creating effective testing workflows for comprehensive testing- Utilizing the Collection Runner for test execution- Introduction to Postbot for automated testing6. Advanced Testing- Contract Testing for ensuring API contracts- Using Mock Servers for effective testing- Maximizing productivity with Collection/Workspace templates- Integration Testing and Regression Testing strategies7. Automation with Postman- Leveraging the Postman CLI for automation- Scheduled Runs for regular testing- Integrating Postman into CI/CD pipelines8. Performance Testing- Demonstrating performance testing capabilities (showing the desktop client)- Synchronizing tests with VS Code for streamlined development9. Exploring Advanced Features - Working with Multiple Protocols: GraphQL, gRPC, and more
Join us for this workshop to unlock the full potential of Postman for API testing, streamline your testing processes, and enhance the quality and reliability of your software. Whether you're a beginner or an experienced tester, this workshop will equip you with the skills needed to excel in API testing with Postman.
We will cover writing tests, covering every application feature, structuring tests, intercepting network requests, and setting up the backend data.
Anyone who knows JavaScript programming language and has NPM installed would be able to follow along.