1. Overview of StackHawk
StackHawk provides automated application and API security testing, making it easy to find and fix vulnerabilities. It integrates with CI/CD, running scans on pull requests or commits. The tool uses the ZAP scanner and supports various types of applications and APIs. When a vulnerability is found, StackHawk provides detailed information and allows for easy debugging and fixing. It also offers triage features to manage low-risk issues. StackHawk aims to integrate seamlessly into engineering workflows and make security approachable for teams.
Hey there, Node Congress. I'm Ryan Severance, one of the founders of StackHawk. At StackHawk, it's simple for developers to find and triage and fix application security bugs. I'm going to tell you a little bit more about what we do today.
So StackHawk in a nutshell: we do application and API security testing. We're built for automation in CI/CD. Ultimately, we make it really easy to find and fix any application security vulnerabilities. So let's say you're building a new feature and your team's working on it, and somebody introduces a new endpoint that perhaps has a SQL injection vulnerability and exposes sensitive data from the backend that a malicious attacker could access. With traditional approaches, that might not be discovered until weeks or months later, maybe in a pen test or a security team review.
With StackHawk, when you open the pull request, or even on the commit, depending on how you have it configured in CI/CD, a scan will run. It's a test against the application, and it looks for any of these sorts of vulnerabilities. It would notify you that a SQL injection vulnerability has been found, and then it tees the team up with all of the information to hop in there and fix it. So you find any bugs early, and it makes it really simple to fix them. Let me tell you a little bit about how it works behind the scenes. So we're built on top of an open source scanner called ZAP (zaproxy.org). It's an industry standard, one of the best dynamic application security testing tools out there. We make it really easy to configure and to run anywhere, and simple to automate. With StackHawk, you can scan modern applications: server-side HTML, single page applications, REST APIs, GraphQL. Ultimately, it's just really fast automated application security testing.
So let's say the test runs, and maybe you get notified from a broken build that there is a new vulnerability that's been introduced. You can hop into the StackHawk web app, and you have the request that was sent to the application and the response that was returned, with a highlighting of the evidence that shows that it's a vulnerability. There's a validate button that you can click on to go recreate that same request, step through the code in debug mode, figure out where you're mishandling information, and ultimately get to a fix really quickly. We also have overviews of what the bug is and documentation on how to fix it. There are also triage features. So let's say you get notified about something, but it's low risk and it shouldn't block the push to production. You can mark it as risk accepted, or maybe you put it in your Jira backlog, and the scanner respects that. So the next time it runs, it's only looking for newly introduced vulnerabilities. StackHawk integrates really easily with the rest of your engineering stack. We're big believers in tying into the modern developer workflows and making security easy to approach for engineering teams.
So that's a quick overview of StackHawk. We'd love for you to come check us out. Come by the website, sign up for a free account, and make sure to check out the giveaway that we have going on for Node Congress. Everybody gets a t-shirt, and you're also entered to win a Nintendo Switch. That's all. Thanks so much. Bye.