Modern GraphQL API Security Testing


With StackHawk, engineering teams can run security tests against GraphQL APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder and Chief Security Officer Scott Gerlach for a quick overview of GraphQL security testing with StackHawk.


What's up, GraphQL Galaxy? I'm Scott Gerlach, CSO and co-founder at StackHawk. Thanks for taking time to check out StackHawk, and I hope you're learning a ton of new things at GraphQL Galaxy 2022. Hopefully I can teach you one more. At StackHawk, we do application security testing, specifically dynamic application security testing, or DAST.

Let's talk about the benefits of DAST. DAST can help you prioritize your time on what to fix in application security issues, because it helps identify what's discoverable and likely exploitable, because it's testing the running GraphQL API. This is the superpower of DAST: where should I focus my time fixing API security issues? You might be thinking to yourself, "But frameworks have basically prevented any of the common AppSec problems from happening." And yes, many frameworks have done a good job preventing issues like SQL injection and cross-site scripting. Almost all of them have an unsafe version of all of those protection mechanisms to help you do complicated things and, unfortunately, make mistakes. Not to mention things like tenancy filtering and function authorization can be hard to get right.

Some people don't know about DAST, and those that do may have run into problems with DAST. Let's look at an example. So here we are, back in the good old days of legacy DAST. When we built server-side applications that ran the data and presentation layers, everything was fine and dandy. The legacy DAST scanner could scan and test the legacy application without many problems. You get good results and identify some serious AppSec bugs. And then something changed. We started building JavaScript frontends, and the JavaScript frontend really trolled that legacy DAST scanner. When I say trolled the legacy DAST scanner, I mean really trolled it. Like, when does the page scroll end? It never does. Where are all the forms? Well, it hasn't rendered yet because your mouse isn't in this exact pixel.

Legacy DAST was running along its happy way, totally assuming it was getting all the info it needed to test these new applications. Results were terrible, scans took forever, false positives for days, etc.

And the worst part is it never realized there was someone else in that back seat as well. Our backing APIs are in there controlling all the data and talking to datastore backends, helping to render elements on the page. And the legacy DAST scanner thinks the frontend is passing all these requests to the backend. Do we end up even testing the API here? Are we covering all of it? Are we even making simple requests to the API at all? Well, because of JavaScript frontends, it sort of depends. It depends on the browser and the browser emulator that the legacy DAST tool is using and how well it's driving that browser. You can think of this like Selenium scripts, but instead of a specific set of functions, you're executing it to find all the possible user input paths by itself and hoping it's going to do a really good job. Even Google doesn't do this well.

So how can we get back to better application security and API security testing? Better results, faster, more accurate scans, better coverage, especially around this data layer where all the assets that we're protecting are being stored. By driving this API directly using industry standards like GraphQL introspection, you can have direct access to the API, understand what it does and the data it's controlling, to get fast, thorough, accurate API security testing results. Not to mention now you can test microservices as you're building them and find these application API security bugs before they ever get shipped to production. There's still good stuff to find by testing the frontend: cookie settings, DOM XSS, lots of different headers. But starting where the data is held is a better idea. What are some of the keys to look for in a dynamic AppSec testing tool that will help you test APIs directly? This is where StackHawk comes in.

StackHawk runs active security tests against your running API to ensure your application is handling user input and output in a safe manner, as well as implementing OWASP Top 10 API best practices for API security. We do this against your running application on your localhost, in CI/CD, and against applications that have yet to be published on the internet. We also made dynamic testing fast by placing the scanner as close to the application as possible and using open standards to inform the scanner, like GraphQL introspection queries. Not only do we make run-anywhere testing possible, we've also enabled real data in testing. So providing real data to drive the API, whether that's made up with faker libraries or provided directly through the configuration. Using real data is important to be able to accurately test GraphQL APIs. Running custom tests is no problem for StackHawk. Testing for things like broken access control or insecure direct object access, those are two of the top OWASP API security issues, and you can write custom tests with StackHawk. Again, built to test modern applications, including GraphQL, using GraphQL interfaces and presenting data in a GraphQL format makes testing GraphQL, reproducing failure scenarios and fixing API security issues with StackHawk very easy.

Our focus as a company is to help developers find and, most importantly, fix security issues. The StackHawk scanner and the platform were built around this simplicity model. When StackHawk finds an API security issue in your application, the platform is trying to give you the simplest version of the information needed to help you quickly understand what this problem is, with simple descriptions and examples of patterns to help identify the anti-pattern. Being able to recreate issues with simple tools like curl to replay the attack, get into debugging and step through code as fast as possible helps you fix issues and get back to your regular job of creating value for your customers.

All of this is CI/CD enabled. Again, you can integrate this into your CI process and, importantly, get feedback in the CI process on scan findings. This information can be used to break a build, if you choose, based on the severity of untriaged findings. Most of the major CI players' logos are on this slide. As long as you can run Docker or a Java process in your CI system, you can run StackHawk. And here's maybe the most important part: you can run these same AppSec tests locally. If you're developing an API on your local machine, you can test for API security issues while you're writing code. You can identify the problem, fix it and validate that you've fixed it before you push your code back into the CI/CD pipeline. I hope you enjoyed my talk today and perhaps you learned something new about how StackHawk can be integrated into your GraphQL API development process. If you'd like to check out StackHawk and see how it can integrate into your development process to keep pushing the limits on software development quality, come check us out at Thanks for watching and enjoy GraphQL Galaxy 2022.
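The talk's point about driving the API through GraphQL introspection, as an added example that is not StackHawk's code or any code from the talk: the snippet reads an introspection result (constructed here), lists the root operations the schema exposes and flags those that accept an ID argument, which are the operations a broken-object-level-authorization test plan must cover. The schema, type and field names are made up for the example.

```javascript
// Added example (not StackHawk's code): read a GraphQL introspection result,
// list root operations and flag the ones that take ID arguments.

// Constructed introspection response standing in for a live server's answer
// to the standard `{ __schema { ... } }` introspection query.
const sampleIntrospection = {
  __schema: {
    queryType: { name: "Query" },
    mutationType: { name: "Mutation" },
    types: [
      { kind: "OBJECT", name: "Query", fields: [
        { name: "invoice", args: [{ name: "id", type: { kind: "NON_NULL", name: null,
          ofType: { kind: "SCALAR", name: "ID", ofType: null } } }] },
        { name: "me", args: [] } ] },
      { kind: "OBJECT", name: "Mutation", fields: [
        { name: "payInvoice", args: [
          { name: "invoiceId", type: { kind: "SCALAR", name: "ID", ofType: null } },
          { name: "amount", type: { kind: "SCALAR", name: "Float", ofType: null } } ] } ] },
      { kind: "SCALAR", name: "ID", fields: null },
      { kind: "SCALAR", name: "Float", fields: null } ] } };

// Unwrap NON_NULL and LIST wrappers to the named type, e.g. "[ID!]!" -> "ID".
function baseTypeName(typeRef) {
  let t = typeRef;
  while (t && t.name === null && t.ofType) t = t.ofType;
  return t ? t.name : null;
}

// Describe every field of one root type (queryType or mutationType) as an
// operation; a schema with no mutationType simply yields an empty list.
function operationsOf(schema, rootKey) {
  const root = schema[rootKey];
  const type = root && schema.types.find((t) => t.name === root.name);
  if (!type || !type.fields) return [];
  return type.fields.map((f) => ({
    operation: rootKey === "queryType" ? "query" : "mutation",
    name: f.name,
    args: f.args.map((a) => ({ name: a.name, type: baseTypeName(a.type) })),
  }));
}

// Operations that accept an ID: each should be replayed with a second tenant's
// credentials to confirm the server enforces object-level authorization.
function idTakingOperations(schema) {
  return [...operationsOf(schema, "queryType"), ...operationsOf(schema, "mutationType")]
    .filter((op) => op.args.some((a) => a.type === "ID"));
}
```

Against a live API you would POST the standard introspection query and pass `response.data.__schema` to `idTakingOperations`; if introspection is disabled in that environment (common in production), the scanner has to be fed the schema from another source, as the talk notes for configuration-provided data.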

8 min
08 Dec, 2022
