Automated Application Security Testing

Rate this content
Bookmark

Traditional security testing for JS apps has focused on the front-end, but actual security issues most often lie in the backing REST API. Join StackHawk co-founder Scott Gerlach for a quick overview of why you need to rethink how you test your JS apps and how StackHawk can help you find and fix security bugs fast.

9 min
24 Mar, 2022

Comments

Sign in or register to post your comment.

AI Generated Video Summary

StackHawk is a dynamic application security testing tool that helps you find and fix security bugs in your running applications. It runs active security tests on your REST API, GraphQL API, SOAP API, server-side application, and single-page applications. StackHawk ensures that your application handles user input and output safely and follows OWASP top 10 best practices for application security. We make dynamic testing fast by placing the scanner close to the application and using open standards to inform the scanner. The scanner is configured via YAML, and findings are triaged to provide simple descriptions and examples for issue identification and resolution. You can push the identified issues to a JIRA ticket for prioritization and resolution. Once triaged, the scanner will remember the issues and stop notifying you. Start a free trial at stackhawk.com to experience its benefits.

1. Introduction to StackHawk

Short description:

StackHawk is a dynamic application security testing tool that helps you find and fix security bugs in your running applications. It runs active security tests on your REST API, GraphQL API, SOAP API, server-side application, and single-page applications. StackHawk ensures that your application handles user input and output safely and follows OWASP top 10 best practices for application security.

What's up DevOpsJS people? Scott Kerlock, CSO and co-founder here at StackHawk. I hope you're having a great time learning a ton here at DevOpsJS.

Let's talk about StackHawk. Quickly, StackHawk is a dynamic application security testing tool. You can use it to test your running HTTP applications and API endpoints for security bugs and keep them from becoming vulnerable. You can use StackHawk to run active security tests on your running REST API, GraphQL API, SOAP API, server-side application, and single-page applications.

StackHawk was built for automation and CICD to be part of your robust testing strategy for your application development lifecycle. It also makes finding, understanding, and fixing security bugs easy. How does StackHawk work you ask? Great question! StackHawk runs active security tests against your running applications to ensure that your application is handling user input and output in a safe manner, as well as implementing OWASP top 10 best practices for application security. We can do this against your running application on your localhost, in CICD workflows, and against applications that have yet to be published on the internet.

2. StackHawk Scanner and Integration

Short description:

We make dynamic testing fast by placing the scanner close to the application and using open standards to inform the scanner. StackHawk focuses on helping developers find and fix security issues with a simple and integrated scanner and platform. The scanner is configured via YAML, and findings are triaged to provide simple descriptions and examples for issue identification and resolution. StackHawk is CICD enabled and integrates with major CI platforms. It also integrates with workflow and information tools, providing notifications and data processing options. Running the StackHawk scanner involves executing a Docker command, performing a crawl and attack, and generating a summary of findings.

We also make dynamic testing fast. By placing the scanner as close to the application as possible and by using open standards to inform the scanner, OpenAPI spec, GraphQL, introspection queries, SOAP, WSDL in addition to the scanner tuning we've made, most StackHawk customer applications scan average around or under 10 minutes.

Finding and fixing security issues is simple with StackHawk. Our focus as a company is to help developers find and most importantly fix security issues. The StackHawk scanner and platform are built around this simplicity model. The scanner is configured via YAML that lives with the code for the application that you're testing.

When StackHawk findings are triaged, the platform is trying to give you the simplest version of the information needed to help you quickly understand what the problem is with simple descriptions and examples of patterns to help you identify the anti-pattern, be able to recreate the issue with tools like simple curl command to replay the attack and get you into debug mode, stepping through code as fast as possible to help you fix issues and get back to your regular job of creating value for your customers.

All of this is CICD enabled. Again, you can integrate this into your CI process and importantly get feedback into the CI process on scan findings. This information can be used to break a build if you choose, based on severity of un-triage findings. Most of the major CI player logos are shown here on this slide and even if your particular one isn't, chances are pretty good StackHawk will work in your platform as long as it can run a docker container. If you can run Docker, you can run StackHawk.

You can also see here StackHawk integrates with your workflow and information tools. We can notify you of your scan results in a Slack channel, publish that information to DataDog or send you a simple webhook message that you can then use to process and do with the data what you choose.

Let's take a look at what running the StackHawk scanner looks like. As you can see here, I've got a standard server-side application. This one is a polls app that I want to test for security issues. So over here on my command line, I've got a simple Docker command that I ran. So docker run stackhawk. I fed it the stackhawk yaml, we'll look at that in a second. As you can see, it did a standard crawl looking for all the interesting things on the webpage that it could and then it did an attack. So it actively attacked this application for potential security issues. When it was all done, we've got a summary of these findings. So I've actually got a SQL ejection issue that I need to take care of. You can see that it's new. I also have a cross-site scripting issue that I've done something with before. I actually made a ticket out of this. So now it's in an assigned status. We've got a bunch of other things that we can look at as well, but let's take a look at those too. Down here at the bottom, we actually have a link to this scan.

3. Analyzing Scan Results and Configuring the Scanner

Short description:

You can take the link and paste it into a browser to view the scan. The scan shows a SQL injection issue, along with information on how to remediate it and prevent SQL injection in different frameworks. The scanner provides a request and response analysis, allowing you to understand the issue and even replay the attack. The StackHawk YAML is used to configure the scanner, specifying the application's location, environment, and ID. Additional configuration options include authentication, handling cookies and CSRF tokens, and excluding specific areas from scanning.

So we can actually take this link and paste it into a browser. By the way, output in a CICD system would look very much like this because this is the standard output. So if you did choose to break a build, you would have the same link in CICD output.

So we can go over here to our web browser and jump right into the scan that we were looking at. We were just looking at this exact same scan. We've got the SQL injection issue that we can look at quickly. You can see that we've got a SQL injection issue. We're quickly describing what SQL injection is, how to remediate it, what it's about, and what risks it might pose to an application. We also have links to different language frameworks that show you the pattern of how to prevent SQL injection in Spring, Laravel, Django, and Rails so that you can help identify the anti-pattern that we're looking for.

Let's take a look at this particular issue here. We can see that on the polls SQL path, we have a post method that has some kind of an issue. Over on our right-hand panel, we've got a request and response of what the scanner actually did and then came back with. We could see that the scanner made a request here against the application, and it responded in some form or fashion. We can actually see that the scanner made a case-when injection here. We could replay this if we wanted to. This is all helping you understand what the scanner is trying to do and what issue it thinks it's found. But interestingly, we've got this really cool validate button up here. As I mentioned before, this validate button gives you a curl command of exactly what the scanner did to identify this particular issue. So you can copy and replay this attack against an application.

Let's take a look at that StackHawk YAML. Here you can see the code that I've used to build my polls application. Inside of this repository I've also stored the StackHawk YAML. The StackHawk YAML is how you configure the StackHawk scanner. So you can see the important information that's in here is where do I find the application I need to test? In this case, it's running on my local machine. So localhost 8020. What environment am I in and what is the application ID? That is the minimal amount of information you need to run a StackHawk scan against your application. There are other pieces of information that help tune the scanner to your application, such as authentication, how to handle cookies and CSRF tokens, as well as things you don't want the scanner to scan. If you wanted to add OpenAPI spec or GraphQL, minimal additional configuration is needed to make that happen to point the scanner at those industry standard definitions of REST API and GraphQL. Now let's say we don't have time to fix this particular issue. We need to get this feature out for our customer, but we do want to fix it.

4. Pushing to JIRA and Conclusion

Short description:

You can push the identified issues to a JIRA ticket for prioritization and resolution. Once triaged, the scanner will remember the issues and stop notifying you. If you have configured builds to break, this mechanism will be undone. I hope you enjoyed the talk and learned about integrating StackHawk into your development workflow. Start a free trial at stackhawk.com to experience its benefits. Thanks for watching and have a great time at DevOpsJS.

So we can push this quickly to a JIRA ticket. So I can send this to a JIRA Cloud or JIRA Data Center ticket right now from this particular screen. So I can push this issue straight out to JIRA and now I can prioritize that and bring it back out of the backlog when I'm ready to do it in the next Sprint or in the next EPIC.

As you will see, this has now turned into a triaged status issue. So when we come back here to our summary of findings, you can see that our Cross-Site scripting has been triaged and our SQL injections have been triaged. The next time the scanner finds these things, it will remember that you have triaged them already and it will stop trying to bring your attention to it. If you've configured builds to break this will undo the build break mechanism and your build will continue as normal.

I hope you enjoyed my talk today and perhaps learned something new about how StackHawk can be integrated into your development workflow. If you'd like to check out StackHawk and see how you can integrate it into your development process to keep pushing the limits on software development quality, you can always start a free trial at stackhawk.com and StackHawk is always free to use on a single application. That's my time, thanks for watching. I hope you have a great time at DevOpsJS.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Do you know what’s really going on in your node_modules folder? Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and what concrete steps you can take to protect your team from this emerging threat.
You can check the slides for Feross' talk here.
React Advanced Conference 2021React Advanced Conference 2021
19 min
Automating All the Code & Testing Things with GitHub Actions
Code tasks like linting and testing are critical pieces of a developer’s workflow that help keep us sane like preventing syntax or style issues and hardening our core business logic. We’ll talk about how we can use GitHub Actions to automate these tasks and help keep our projects running smoothly.
DevOps.js Conf 2022DevOps.js Conf 2022
33 min
Fine-tuning DevOps for People over Perfection
Demand for DevOps has increased in recent years as more organizations adopt cloud native technologies. Complexity has also increased and a "zero to hero" mentality leaves many people chasing perfection and FOMO. This session focusses instead on why maybe we shouldn't adopt a technology practice and how sometimes teams can achieve the same results prioritizing people over ops automation & controls. Let's look at amounts of and fine-tuning everything as code, pull requests, DevSecOps, Monitoring and more to prioritize developer well-being over optimization perfection. It can be a valid decision to deploy less and sleep better. And finally we'll examine how manual practice and discipline can be the key to superb products and experiences.
DevOps.js Conf 2022DevOps.js Conf 2022
27 min
Why is CI so Damn Slow?
We've all asked ourselves this while waiting an eternity for our CI job to finish. Slow CI not only wrecks developer productivity breaking our focus, it costs money in cloud computing fees, and wastes enormous amounts of electricity. Let’s take a dive into why this is the case and how we can solve it with better, faster tools.
DevOps.js Conf 2022DevOps.js Conf 2022
31 min
The Zen of Yarn
In the past years Yarn took a spot as one of the most common tools used to develop JavaScript projects, in no small part thanks to an opinionated set of guiding principles. But what are they? How do they apply to Yarn in practice? And just as important: how do they benefit you and your projects?
In this talk we won't dive into benchmarks or feature sets: instead, you'll learn how we approach Yarn’s development, how we explore new paths, how we keep our codebase healthy, and generally why we think Yarn will remain firmly set in our ecosystem for the years to come.

Workshops on related topic

TestJS Summit 2023TestJS Summit 2023
48 min
API Testing with Postman Workshop
WorkshopFree
In the ever-evolving landscape of software development, ensuring the reliability and functionality of APIs has become paramount. "API Testing with Postman" is a comprehensive workshop designed to equip participants with the knowledge and skills needed to excel in API testing using Postman, a powerful tool widely adopted by professionals in the field. This workshop delves into the fundamentals of API testing, progresses to advanced testing techniques, and explores automation, performance testing, and multi-protocol support, providing attendees with a holistic understanding of API testing with Postman.
1. Welcome to Postman- Explaining the Postman User Interface (UI)2. Workspace and Collections Collaboration- Understanding Workspaces and their role in collaboration- Exploring the concept of Collections for organizing and executing API requests3. Introduction to API Testing- Covering the basics of API testing and its significance4. Variable Management- Managing environment, global, and collection variables- Utilizing scripting snippets for dynamic data5. Building Testing Workflows- Creating effective testing workflows for comprehensive testing- Utilizing the Collection Runner for test execution- Introduction to Postbot for automated testing6. Advanced Testing- Contract Testing for ensuring API contracts- Using Mock Servers for effective testing- Maximizing productivity with Collection/Workspace templates- Integration Testing and Regression Testing strategies7. Automation with Postman- Leveraging the Postman CLI for automation- Scheduled Runs for regular testing- Integrating Postman into CI/CD pipelines8. Performance Testing- Demonstrating performance testing capabilities (showing the desktop client)- Synchronizing tests with VS Code for streamlined development9. Exploring Advanced Features - Working with Multiple Protocols: GraphQL, gRPC, and more
Join us for this workshop to unlock the full potential of Postman for API testing, streamline your testing processes, and enhance the quality and reliability of your software. Whether you're a beginner or an experienced tester, this workshop will equip you with the skills needed to excel in API testing with Postman.
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
TestJS Summit 2023TestJS Summit 2023
89 min
Building out a meaningful test suite that's not all E2E
Workshop
We're all taught to follow the Testing Pyramid but the reality is that we build out the Testing Christmas Tree. In this workshop, David will talk you through how to break down projects and put the tests where they need to be. By the end of the workshop you will be able to update your projects so that anyone and everyone can start contributing and truly living up to "Quality is everyone job".
He will walk you through:- Component Testing- API Testing- Visual Regression Testing- A11Y testing
He will also talk you through how to get these all setup in your CI/CD pipeline so that you can get shorter and faster feedback loops.
DevOps.js Conf 2022DevOps.js Conf 2022
152 min
MERN Stack Application Deployment in Kubernetes
Workshop
Deploying and managing JavaScript applications in Kubernetes can get tricky. Especially when a database also has to be part of the deployment. MongoDB Atlas has made developers' lives much easier, however, how do you take a SaaS product and integrate it with your existing Kubernetes cluster? This is where the MongoDB Atlas Operator comes into play. In this workshop, the attendees will learn about how to create a MERN (MongoDB, Express, React, Node.js) application locally, and how to deploy everything into a Kubernetes cluster with the Atlas Operator.
TestJS Summit 2021TestJS Summit 2021
85 min
Automated accessibility testing with jest-axe and Lighthouse CI
Workshop
Do your automated tests include a11y checks? This workshop will cover how to get started with jest-axe to detect code-based accessibility violations, and Lighthouse CI to validate the accessibility of fully rendered pages. No amount of automated tests can replace manual accessibility testing, but these checks will make sure that your manual testers aren't doing more work than they need to.