With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities faster. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Scott Gerlach for a quick overview of application security testing with StackHawk.
Automated Application Security Testing with StackHawk
AI Generated Video Summary
StackHawk is a dynamic application security testing tool that runs active security tests against running applications. It integrates with CI platforms, provides scan results in Slack or Datadog, and allows for issue triaging and integration with JIRA. The StackHawk scanner identifies security issues like SQL injection and cross-site scripting, provides detailed findings, and offers remediation guidance. Start a free trial to improve software quality and integrate StackHawk into your development process.
1. Introduction to StackHawk
Short description:
StackHawk is a dynamic application security testing tool. It runs active security tests against your running applications to ensure they handle user input and output safely, and implement OWASP's Top 10 best practices. The scanner is configured via YAML and provides simple descriptions and examples of patterns to help you fix security issues quickly.
What's up, React Advanced London? I'm Scott Gerlach, Chief Security Officer and co-founder here at StackHawk. Quickly, StackHawk is a dynamic application security testing tool. You can use it to test your running HTTP applications and API endpoints for security bugs and keep them from becoming vulnerable. You can use StackHawk to run active security tests when you're running REST API, GraphQL API, SOAP API, Server-side Application and Single Page Applications.
StackHawk was built for automation and CICD to be part of your robust testing strategy for your application development lifecycle. It also makes finding, understanding and fixing security bugs easy. How does StackHawk work, you ask? Great question. StackHawk runs active security tests against your running applications to ensure that your application is handling user input and output in a safe manner, as well as implementing OWASP's Top 10 best practices for application security. We can do this against your running application on your local host, in CICD workflows, and that have yet to be published on the Internet.
We also made dynamic testing fast. By placing the scanner as close to the application as possible, and by using open standards to inform the scanner, OpenAPI spec, GraphQL, introspection queries, SOAP WSDL, in addition to the scanner tuning we've made, most StackHawk customer applications scan average around or under 10 minutes. Finding and fixing security issues is simple with StackHawk. Our focus as a company is to help developers find, and most importantly, fix security issues. The StackHawk scanner and platform are built around this simplicity model. The scanner is configured via YAML that lives with the code for the application that you're testing. When StackHawk findings are triaged, the platform is trying to give you the simplest version of the information needed to help you quickly understand what the problem is with simple descriptions and examples of patterns to help you identify the anti-pattern, be able to recreate the issue with tools like simple curl command to replay the attack, and get you into debug mode, stepping through code as fast as possible to help you fix issues and get back to your regular job of creating value for your customers.
2. StackHawk Integration and Scanner
Short description:
All of this is CICD enabled. You can integrate StackHawk into your CI process and get feedback on scan findings. StackHawk works with major CI platforms and can run in any platform that supports Docker. It integrates with your workflow and information tools, allowing you to receive scan results in Slack, Datadog, or via a webhook. Running the StackHawk scanner involves running a Docker command and providing the StackHawk YAML. The scanner performs a crawl and an attack to identify security issues, providing a summary of findings. You can address issues like SQL injection and cross-site scripting and track their status. The output in a CICD system would resemble the standard output, with a link to the scan results.
All of this is CICD enabled. Again, you can integrate this into your CI process and importantly, get feedback into the CI process on scan findings. This information can be used to break a build if you choose.
Most of the major CI Player logos are shown here on this slide, and even if your particular one isn't, chances are pretty good StackHawk will work in your platform as long as it can run a Docker container. If you can run Docker, you can run StackHawk.
You can also see here StackHawk integrates with your workflow and information tools. We can notify you of your scan results in a Slack channel, publish that information to Datadog, or send you a simple webhook message that you can then use to process and do with the data what you choose.
Let's take a look at what running the StackHawk scanner looks like. As you can see here, I've got a standard server side application. This one is a polls app that I want to test for security issues. So over here on my command line, I've got a simple Docker command that I ran. So Docker run StackHawk. I fed it the StackHawk yaml. We'll look at that in a second. As you can see, it did a standard crawl looking for all the interesting things on the webpage and then it did an attack. So it actively attacked this application for potential security issues. When it was all done, we've got a summary of these findings. So I've actually got a SQL injection issue that I need to take care of. You can see that it's new. I also have a cross site scripting issue that I've done something with before. I actually made a ticket out of this. So now it's in an assigned status. We've got a bunch of other things that we can look at as well. But let's take a look at those two. Down here at the bottom we actually have a link to this scan. So we can actually take this link and paste it into a browser. By the way, output in a CICD system would look very much like this because this is the standard output. So if you did choose to break a build, you would have this same link in CICD output. So we can go over here to our web browser and jump right into the scan that we're looking at. We were just looking at this exact same scan.
3. SQL Injection Issue and StackHawk Configuration
Short description:
We've identified a SQL injection issue and provided information on what SQL injection is, how to remediate it, and the risks it poses. We've also included links to language frameworks for preventing SQL injection. The StackHawk scanner allows you to view the request and response of the scanner, replay attacks, and validate findings. The StackHawk YAML is used to configure the scanner, specifying the application to test, environment, and application ID. Additional configurations can be made for authentication, handling cookies and CSRF tokens, and excluding certain scans. If time is limited, issues can be pushed to JIRA for prioritization. Triaged issues will no longer trigger alerts, and configured builds will continue as normal. Start a free trial at stackhawk.com to integrate StackHawk into your development process and improve software quality.
We've got the SQL injection issue that we can look at quickly. You can see that we've got a SQL injection issue. We're quickly describing what SQL injection is, how to remediate it, what it's about, and what risks it might pose to an application. We also have links to different language frameworks that show you the pattern of how to prevent SQL injection in Spring, Laravel, Django, and Rails so that you can help identify the anti-pattern that we're looking for.
Let's take a look at this particular issue here. We can see that on the polls SQL path, we have a POST method that has some kind of an issue. Over on our right-hand panel, we've got a request and response of what the scanner actually did and then came back with. We can see that the scanner made a request here against the application and it responded in some form or fashion. We can actually see that the scanner made a case when injection here. We can replay this if we wanted to. This is all helping you understand what the scanner is trying to do and what issue it thinks it's found. But interestingly, we've got this really cool validate button up here. As I mentioned before, this validate button gives you a curl command of exactly what the scanner did to identify this particular issue. You can copy and replay this attack against an application.
Let's take a look at that StackHawk YAML. Here you can see the code that I've used to build my polls application. Inside of this repository, I've also stored the StackHawk YAML. The StackHawk YAML is how you configure the StackHawk scanner. You can see the important information that's in here is where do I find the application I need to test? In this case, it's running on my local machine, so localhost 8020. What environment am I in and what is the application ID? That is the minimal amount of information you need to run a StackHawk scan against your application. There are other pieces of information that help tune the scanner to your application, such as authentication, how to handle cookies and CSRF tokens, as well as things you don't want the scanner to scan. If you wanted to add open API spec or GraphQL, minimal additional configuration is needed to make that happen, to point the scanner at those industry standard definitions of REST API and GraphQL.
Now let's say we don't have time to fix this particular issue. We need to get this feature out for our customer. But we do want to fix it. So we can push this quickly to a JIRA ticket. So I can send this to JIRA Cloud or JIRA Data Center ticket right now from this particular screen. So I can push this issue straight out to JIRA. And now I can prioritize that and bring it back out of the backlog when I'm ready to do it in the next sprint or in the next epoch. As you will see, this has now turned into a triaged status issue. So when we come back here to our summary of findings, you can see that our cross-site scripting has been triaged and our SQL injections have been triaged. The next time the scanner finds these things, it will remember that you have triaged them already and it will stop trying to bring your attention to it. If you've configured builds to break, this will undo the build break mechanism and your build will continue as normal.
I hope you enjoyed my talk today and perhaps learned something new about how StackHawk can be integrated into your development workflow. If you'd like to check out StackHawk and see how you can integrate it into your development process to keep pushing the limits on software development quality, you can always start a free trial at stackhawk.com and StackHawk is always free to use on a single application.
Comments