GraphQL Security Testing Technical Workshop

Rate this content
Bookmark

We’ve all heard the buzz around pushing application security into the hands of developers, but if you’re like most companies, it has been hard to actually make this a reality. You aren’t alone – putting the culture, processes, and tooling in place to make this happen is tough – especially for sophisticated applications like those backed GraphQL. In this hands-on technical session, StackHawk Senior DevOps Engineer, Zachary Conger, will walk through how to protect your GraphQL APIs from vulnerabilities using automated security testing. Get ready to roll-up your sleeves for automated AppSec testing.

Zachary Conger
Zachary Conger
104 min
06 Dec, 2021

Comments

Sign in or register to post your comment.

Video Summary and Transcription

Today's workshop covers Automated GraphQL Security Testing using tools like Dependabot, CodeQL, and StackHawk. It explores security tests such as software composition analysis and static application security testing. The workshop demonstrates setting up GitHub Actions workflows, enabling Dependabot for dependency security, and configuring CodeQL analysis. It also highlights the use of StackHawk for automated penetration testing and optimizing the scanning process. The workshop emphasizes the importance of continuous testing and security measures in software development.

Available in Español

1. Introduction to Automated GraphQL Security Testing

Short description:

Today's workshop is about Automated GraphQL Security Testing. We will cover various security tests, including software composition analysis (SCA) and static application security testing (SAS). We'll use tools like Dependabot and CodeQL to scan for vulnerabilities in your dependencies and code base. These tests will be automated in the CI/CD pipeline. Let's get started by forking a GraphQL application repository and adding security tests to it.

The following videos are extracts of this series. Today, the title is Automated GraphQL Security Testing. And my name is Zachary Conger. I'm a senior DevOps engineer at StackHawk, and I work as a company manager for StackHawk. And my main role is to help you have a DAST product, a dynamic application security test scanner. I'm a DevOps early adopter. I've been doing software development, automation, testing, observability, that kind of stuff for many years now, far too many years. And in my spare time, I like to play music, ride my bike and take amateur photographs.

I'm really, really super helpful with any technical issues that will come up. But hopefully there won't be too many, because again, we're gonna be operating completely out of a web browser, which is pretty much all you need today. One last time, you should go get the workshop guidebook, there's a link in Discord and in the Zoom chat. We're gonna be using Discord, so get on Discord if you're not there already. We'll be using it for polls and checkpoints, so as we get to certain points in the workshop, we'll stop and say, hey, has everybody caught up? And you give us a thumbs up if you are and thumbs down if you are not. Really helps with the flow and making sure that everybody can get the most out of the workshop. And finally, if you don't have a GitHub account, go to github.com and sign up.

Here's the agenda for today. We are going to take a GraphQL application. It's a simple test GraphQL application that really doesn't do very much other than provide a graphical interface. It's like a little blog engine, simple blog engine. It's got some vulnerabilities in it. What we're gonna do is all of us are gonna fork that repository to our own GitHub account, then we're gonna add GitHub Actions workflow to automate the build of that application in GitHub Actions. Then we're gonna start adding security tests to that workflow so that every time you push code to the GitHub repo, you're gonna run some more tests against it. So the first test, actually, some of these are workflow-based and others are more automatic than that, they just happen in the background. So Dependabot is the first test that we'll add, which will test your application for known vulnerabilities and any dependencies that you pull in. The next one will be CodeQL, which will scan the app's code base, actually, it parks through all of the code and looks for patterns that indicate vulnerabilities. And then, finally, we're gonna add Stackhawk, which will dynamically scan the running application for vulnerabilities. And this all happens in the CICD pipeline, so it's automatic on every push.

Okay, so I mentioned these forms of testing and let me go through them in a little bit more detail. This workshop is supposed to be kind of general, but we are using some specific tools. Of course, Stackhawk is one of them and I'm from Stackhawk. We think it's the best DAST tool out there, but there are other options and the point of this workshop is to make you aware of all of them, or many of them. So the first kind of test that we're gonna do is called SCA or software composition analysis. And in this form of testing, it operates on static code and it goes through your dependencies. It looks at your, in this case, we're gonna look at the package.json file and the package lock.json file, and we're gonna look, it's gonna build out the dependency chain and check those all against the catalog of open source libraries and dependencies and report on any known vulnerabilities in any of those library versions. And if it finds any, it's gonna give you a plan of action to fix that. So SCA has become sort of a table stakes standard thing that you should do in all of your repositories. There are no false positives in a sense because all of the vulnerabilities that it finds are known vulnerabilities and it's really fast and it's really easy and it's generally free. Most of the outfits out there that offer SCA offer a free plan or a pretty cheap plan. So we're gonna use Dependabot today, but there's other really great options out there. Sneak is one of the best, actually. I may actually, we may actually pull Sneak in as the SCA option that we do in the future. Dependabot's really nice too. And then there's another version out there, an open source version called FASA, they also have a commercial backed option. The next kind of testing that we're gonna add to our application is called SAS or Static Application Security Testing. An examples of this are CodeQL, which we're gonna be using today. There's also SonarQube and CheckMarks and a number of other good options. If you just search Google for SAS, you'll find lots of options out there. This kind of testing also operates on static code, but it's not looking at your dependencies at all. It's actually looking through your code base and it's looking for patterns that would indicate that you might have a vulnerability. Perhaps you're not doing any sanitization of inputs, for instance, it would generally find that kind of problem and report it back to you.

2. DAST and GitHub Actions

Short description:

DAST is a dynamic application security testing method that scans running code for vulnerabilities. It sends requests to the application, analyzes the responses, and reports suspected vulnerabilities. Unlike SAST, DAST has lower false positives and finds more useful issues. However, it can be slow, depending on the size and responsiveness of the application. We'll also explore GitHub Actions, a CI/CD pipeline integrated into GitHub, with a marketplace of actions that simplify complex steps. We'll use GitHub Actions to fork a test application and create a workflow with multiple steps. Each step can run shell commands or use actions from the marketplace, and secrets management is built-in.

It's really neat because as it finds your bugs, it can actually pinpoint them by file and by line. So it can let you know exactly where the problem is. It does tend to have kind of high false positives. And I found in my experience that it doesn't find much that's useful in comparison to other tools. But that's improving every day as these tools improve.

It's also kind of slow, cause it needs to compile your code and search through it and query against it. The larger your code base, the slower it gets.

Finally, we're going to be looking at DAST, dynamic application security testing. And there's several examples of this kind of scanner. Ours is called Stackhawk. That's what we'll be using today. Others include OASP Zap, which is an open-source project that Stackhawk is actually based on, we've built on top of OASP Zap. There's also Burp Suite, which is one that probably a lot of people know as a very common pen testing tool. And they've been working on making it easier to automate as well.

So dynamic application security testing is a form of scanning that operates on your running code. So typically this is a web-based application, maybe a REST interface in our case today. It's a GraphQL interface. And it just runs, it runs, it probes that service for vulnerabilities. It sends in requests, it looks at the responses and based on the responses that it gets, it tries to determine if there's some form of vulnerability. It reports on those suspected vulnerabilities. And instead of giving you line-by-line details, it gives you the input and output that caused the scanner to think that there is a problem with your code. Like SAST, it finds your bugs, but unlike SAST it tends to have lower false positives and it finds more really useful stuff. And in fact, because it's scanning a running application you can have some confidence that things that it finds are really things that are exposed in your application and exploitable in the wild. As long as what you're testing really represents what you're going to be running out in production. It can be a bit slow. That's one of the downsides of DAS. But that's kind of a function of how big your application is, how responsive it is, how close the scanner is to the running application. And even if it's fairly slow, there's usually ways that you can break it down and parallelize the scan to make it faster.

Okay, so that's what we're gonna be looking at today. And I think from there, we're gonna jump into starting out by, yeah, we're gonna look at GitHub Actions. So the first step in our plan is we're gonna fork a test application called phone GraphQL API. And we're gonna create a GitHub Actions workflow for it to build it basically in a CI CD pipeline built into GitHub.

So GitHub Actions is a CI CD pipeline built into GitHub, has a simple YAML configuration language and a huge marketplace of actions, which are like plugins. And this is kind of the genius of GitHub Actions in my opinion, that they created a really easy way for authors to create actions to make otherwise complex steps really easy through these little actions that you can add. So we'll use a couple of those actions. We're gonna use a stack hoc action, a code QL action, and so forth. But it's a really neat system. It's event driven, generally based on pushes, PRs, but you can have arbitrary web hooks as well, kickoff events. And for each workflow that you create, they call them workflows. Within a workflow, a single workflow will fire up a single runner. And by default, that happens in the GitHub cloud. They actually have VMs that will pop up for you in their own cloud. And then within a workflow, which instantiates a runner, you can have multiple jobs, which can run in parallel or can trigger one another, they can be ordered. And within each job, you've got a number of steps that run in sequence. So we're just gonna do a single workflow, single job, and a couple of steps in our workflow. So simple example. And then each step can be either to run a shell command, you can have Windows based runners, and you can have Linux based runners. So you can either run a simple shell command or run an action from the GitHub Actions marketplace. And we'll do a little bit of both. There's a built in secrets management solution in GitHub Actions, which is gonna come in handy because we're gonna use that to stash a secret API key.

QnA

Watch more workshops on topic

Build with SvelteKit and GraphQL
GraphQL Galaxy 2021GraphQL Galaxy 2021
140 min
Build with SvelteKit and GraphQL
Top Content
Featured WorkshopFree
Scott Spence
Scott Spence
Have you ever thought about building something that doesn't require a lot of boilerplate with a tiny bundle size? In this workshop, Scott Spence will go from hello world to covering routing and using endpoints in SvelteKit. You'll set up a backend GraphQL API then use GraphQL queries with SvelteKit to display the GraphQL API data. You'll build a fast secure project that uses SvelteKit's features, then deploy it as a fully static site. This course is for the Svelte curious who haven't had extensive experience with SvelteKit and want a deeper understanding of how to use it in practical applications.

Table of contents:
- Kick-off and Svelte introduction
- Initialise frontend project
- Tour of the SvelteKit skeleton project
- Configure backend project
- Query Data with GraphQL
- Fetching data to the frontend with GraphQL
- Styling
- Svelte directives
- Routing in SvelteKit
- Endpoints in SvelteKit
- Deploying to Netlify
- Navigation
- Mutations in GraphCMS
- Sending GraphQL Mutations via SvelteKit
- Q&A
End-To-End Type Safety with React, GraphQL & Prisma
React Advanced Conference 2022React Advanced Conference 2022
95 min
End-To-End Type Safety with React, GraphQL & Prisma
Featured WorkshopFree
Sabin Adams
Sabin Adams
In this workshop, you will get a first-hand look at what end-to-end type safety is and why it is important. To accomplish this, you’ll be building a GraphQL API using modern, relevant tools which will be consumed by a React client.
Prerequisites: - Node.js installed on your machine (12.2.X / 14.X)- It is recommended (but not required) to use VS Code for the practical tasks- An IDE installed (VSCode recommended)- (Good to have)*A basic understanding of Node.js, React, and TypeScript
GraphQL for React Developers
GraphQL Galaxy 2022GraphQL Galaxy 2022
112 min
GraphQL for React Developers
Featured Workshop
Roy Derks
Roy Derks
There are many advantages to using GraphQL as a datasource for frontend development, compared to REST APIs. We developers in example need to write a lot of imperative code to retrieve data to display in our applications and handle state. With GraphQL you cannot only decrease the amount of code needed around data fetching and state-management you'll also get increased flexibility, better performance and most of all an improved developer experience. In this workshop you'll learn how GraphQL can improve your work as a frontend developer and how to handle GraphQL in your frontend React application.
Build a Headless WordPress App with Next.js and WPGraphQL
React Summit 2022React Summit 2022
173 min
Build a Headless WordPress App with Next.js and WPGraphQL
Top Content
WorkshopFree
Kellen Mace
Kellen Mace
In this workshop, you’ll learn how to build a Next.js app that uses Apollo Client to fetch data from a headless WordPress backend and use it to render the pages of your app. You’ll learn when you should consider a headless WordPress architecture, how to turn a WordPress backend into a GraphQL server, how to compose queries using the GraphiQL IDE, how to colocate GraphQL fragments with your components, and more.
API Testing with Postman Workshop
TestJS Summit 2023TestJS Summit 2023
48 min
API Testing with Postman Workshop
Top Content
WorkshopFree
Pooja Mistry
Pooja Mistry
In the ever-evolving landscape of software development, ensuring the reliability and functionality of APIs has become paramount. "API Testing with Postman" is a comprehensive workshop designed to equip participants with the knowledge and skills needed to excel in API testing using Postman, a powerful tool widely adopted by professionals in the field. This workshop delves into the fundamentals of API testing, progresses to advanced testing techniques, and explores automation, performance testing, and multi-protocol support, providing attendees with a holistic understanding of API testing with Postman.
1. Welcome to Postman- Explaining the Postman User Interface (UI)2. Workspace and Collections Collaboration- Understanding Workspaces and their role in collaboration- Exploring the concept of Collections for organizing and executing API requests3. Introduction to API Testing- Covering the basics of API testing and its significance4. Variable Management- Managing environment, global, and collection variables- Utilizing scripting snippets for dynamic data5. Building Testing Workflows- Creating effective testing workflows for comprehensive testing- Utilizing the Collection Runner for test execution- Introduction to Postbot for automated testing6. Advanced Testing- Contract Testing for ensuring API contracts- Using Mock Servers for effective testing- Maximizing productivity with Collection/Workspace templates- Integration Testing and Regression Testing strategies7. Automation with Postman- Leveraging the Postman CLI for automation- Scheduled Runs for regular testing- Integrating Postman into CI/CD pipelines8. Performance Testing- Demonstrating performance testing capabilities (showing the desktop client)- Synchronizing tests with VS Code for streamlined development9. Exploring Advanced Features - Working with Multiple Protocols: GraphQL, gRPC, and more
Join us for this workshop to unlock the full potential of Postman for API testing, streamline your testing processes, and enhance the quality and reliability of your software. Whether you're a beginner or an experienced tester, this workshop will equip you with the skills needed to excel in API testing with Postman.
Relational Database Modeling for GraphQL
GraphQL Galaxy 2020GraphQL Galaxy 2020
106 min
Relational Database Modeling for GraphQL
Top Content
WorkshopFree
Adron Hall
Adron Hall
In this workshop we'll dig deeper into data modeling. We'll start with a discussion about various database types and how they map to GraphQL. Once that groundwork is laid out, the focus will shift to specific types of databases and how to build data models that work best for GraphQL within various scenarios.
Table of contentsPart 1 - Hour 1      a. Relational Database Data Modeling      b. Comparing Relational and NoSQL Databases      c. GraphQL with the Database in mindPart 2 - Hour 2      a. Designing Relational Data Models      b. Relationship, Building MultijoinsTables      c. GraphQL & Relational Data Modeling Query Complexities
Prerequisites      a. Data modeling tool. The trainer will be using dbdiagram      b. Postgres, albeit no need to install this locally, as I'll be using a Postgres Dicker image, from Docker Hub for all examples      c. Hasura

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

From GraphQL Zero to GraphQL Hero with RedwoodJS
GraphQL Galaxy 2021GraphQL Galaxy 2021
32 min
From GraphQL Zero to GraphQL Hero with RedwoodJS
Top Content
We all love GraphQL, but it can be daunting to get a server up and running and keep your code organized, maintainable, and testable over the long term. No more! Come watch as I go from an empty directory to a fully fledged GraphQL API in minutes flat. Plus, see how easy it is to use and create directives to clean up your code even more. You're gonna love GraphQL even more once you make things Redwood Easy!
Local State and Server Cache: Finding a Balance
Vue.js London Live 2021Vue.js London Live 2021
24 min
Local State and Server Cache: Finding a Balance
Top Content
How many times did you implement the same flow in your application: check, if data is already fetched from the server, if yes - render the data, if not - fetch this data and then render it? I think I've done it more than ten times myself and I've seen the question about this flow more than fifty times. Unfortunately, our go-to state management library, Vuex, doesn't provide any solution for this.For GraphQL-based application, there was an alternative to use Apollo client that provided tools for working with the cache. But what if you use REST? Luckily, now we have a Vue alternative to a react-query library that provides a nice solution for working with server cache. In this talk, I will explain the distinction between local application state and local server cache and do some live coding to show how to work with the latter.
Batteries Included Reimagined - The Revival of GraphQL Yoga
GraphQL Galaxy 2021GraphQL Galaxy 2021
33 min
Batteries Included Reimagined - The Revival of GraphQL Yoga
The Guild has recently released Envelop - a new, modern GraphQL Server Framework and plugin system. In this talk I’ll share a brief overview of Envelop and why you should probably upgrade your existing GraphQL server to it.
Rock Solid React and GraphQL Apps for People in a Hurry
GraphQL Galaxy 2022GraphQL Galaxy 2022
29 min
Rock Solid React and GraphQL Apps for People in a Hurry
In this talk, we'll look at some of the modern options for building a full-stack React and GraphQL app with strong conventions and how this can be of enormous benefit to you and your team. We'll focus specifically on RedwoodJS, a full stack React framework that is often called 'Ruby on Rails for React'.
Step aside resolvers: a new approach to GraphQL execution
GraphQL Galaxy 2022GraphQL Galaxy 2022
16 min
Step aside resolvers: a new approach to GraphQL execution
Though GraphQL is declarative, resolvers operate field-by-field, layer-by-layer, often resulting in unnecessary work for your business logic even when using techniques such as DataLoader. In this talk, Benjie will introduce his vision for a new general-purpose GraphQL execution strategy whose holistic approach could lead to significant efficiency and scalability gains for all GraphQL APIs.