Security Testing for GraphQL Backed Applications

Rate this content
Bookmark
5 min
24 Jun, 2021

AI Generated Video Summary

StackHawk is an automated application and API security testing tool that integrates with CI/CD. It uses the ZAP scanner and supports various types of applications and APIs. StackHawk provides detailed vulnerability information and triage features to manage low-risk issues. The tool aims to seamlessly integrate into engineering workflows and make security accessible for teams.

1. Overview of StackHawk

Short description:

StackHawk provides automated application and API security testing, making it easy to find and fix vulnerabilities. It integrates with CI/CD, running scans on pull requests or commits. The tool uses the ZAP scanner and supports various types of applications and APIs. When a vulnerability is found, StackHawk provides detailed information and allows for easy debugging and fixing. It also offers triage features to manage low-risk issues. StackHawk aims to integrate seamlessly into engineering workflows and make security approachable for teams.

Hey there, Node Congress. I'm Ryan Severance, one of the founders of StackHawk. At StackHawk, it's simple for developers to find and triage and fix application security bugs. I'm going to tell you a little bit more about what we do today.

So StackHawk in a nutshell, we do application and API security testing. We're built for automation in CI, CD. Ultimately, we make it really easy to find and fix any application security vulnerabilities. So let's say you're building a new feature and your team's working on it. And somebody introduces a new endpoint that perhaps has a SQL injection vulnerability, exposes sensitive data from the backend that a malicious attacker could access. What would happen traditionally, traditional approaches that might not be discovered until weeks, months later, and maybe a pen test or a security team review.

With StackHawk, when you open the pull request or even on the commit, depending on how you have it configured in CICD, a scan will run. It's a test against the application and it looks for any of these sort of vulnerabilities. It would notify you that a SQL injection vulnerability has been found. And then it tees the team up with all of the information to hop in there and fix it. So you find any bugs early, and it makes it really simple to fix them. Let me tell you a little bit about how it works behind the scenes. So we're built on top of an open source scanner. It's called ZAP, Z-A proxy.org. So it's an industry standard in terms of one of the best dynamic application security testing tools out there. We make it really easy to configure and to run anywhere, make it simple to automate. With StackHawk, you can scan modern applications, server side HTML, single page applications, rest APIs, GraphQL, and ultimately it's just really fast automated application security testing.

So let's say test runs, maybe you get notified from a broken build that there is a new vulnerability that's been introduced. Can hop into the StackHawk web app, and you have the request that was sent to the application, the response that was returned with a highlighting of the evidence that shows that it's a vulnerability. There's a validate button that you can click on, to go recreate that same request, and step through the code in debug mode, figure out where you're mishandling information, and ultimately get to a fix really quickly. We also have overviews of what the bug is, documentation on how to fix it. There's also triage features. So let's say you get notified about something, but it's low risk, it shouldn't block the push to production. You can mark it as either risk accepted, or maybe you put it in your JIRA backlog, and the scanner respects that. So the next time it runs, it's only looking for newly introduced vulnerabilities. Stackhawk integrates really easily with the rest of your engineering stack. We're big believers in tying into the modern developer workflows and making security easy to approach for engineering teams.

So that's a quick overview of Stackhawk. We'd love for you to come check us out. Come by the website, sign up for a free account, and make sure to check out the giveaway that we have going on for Node Congress. Everybody gets a t-shirt and you're also entered to win a Nintendo Switch. That's all. Thanks so much. Bye.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Do you know what’s really going on in your node_modules folder? Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and what concrete steps you can take to protect your team from this emerging threat.
You can check the slides for Feross' talk here.
Node Congress 2022Node Congress 2022
34 min
Out of the Box Node.js Diagnostics
In the early years of Node.js, diagnostics and debugging were considerable pain points. Modern versions of Node have improved considerably in these areas. Features like async stack traces, heap snapshots, and CPU profiling no longer require third party modules or modifications to application source code. This talk explores the various diagnostic features that have recently been built into Node.
You can check the slides for Colin's talk here. 
JSNation 2023JSNation 2023
22 min
ESM Loaders: Enhancing Module Loading in Node.js
Native ESM support for Node.js was a chance for the Node.js project to release official support for enhancing the module loading experience, to enable use cases such as on the fly transpilation, module stubbing, support for loading modules from HTTP, and monitoring.
While CommonJS has support for all this, it was never officially supported and was done by hacking into the Node.js runtime code. ESM has fixed all this. We will look at the architecture of ESM loading in Node.js, and discuss the loader API that supports enhancing it. We will also look into advanced features such as loader chaining and off thread execution.
JSNation Live 2021JSNation Live 2021
19 min
Multithreaded Logging with Pino
Almost every developer thinks that adding one more log line would not decrease the performance of their server... until logging becomes the biggest bottleneck for their systems! We created one of the fastest JSON loggers for Node.js: pino. One of our key decisions was to remove all "transport" to another process (or infrastructure): it reduced both CPU and memory consumption, removing any bottleneck from logging. However, this created friction and lowered the developer experience of using Pino and in-process transports is the most asked feature our user.In the upcoming version 7, we will solve this problem and increase throughput at the same time: we are introducing pino.transport() to start a worker thread that you can use to transfer your logs safely to other destinations, without sacrificing neither performance nor the developer experience.

Workshops on related topic

TestJS Summit 2023TestJS Summit 2023
48 min
API Testing with Postman Workshop
WorkshopFree
In the ever-evolving landscape of software development, ensuring the reliability and functionality of APIs has become paramount. "API Testing with Postman" is a comprehensive workshop designed to equip participants with the knowledge and skills needed to excel in API testing using Postman, a powerful tool widely adopted by professionals in the field. This workshop delves into the fundamentals of API testing, progresses to advanced testing techniques, and explores automation, performance testing, and multi-protocol support, providing attendees with a holistic understanding of API testing with Postman.
1. Welcome to Postman- Explaining the Postman User Interface (UI)2. Workspace and Collections Collaboration- Understanding Workspaces and their role in collaboration- Exploring the concept of Collections for organizing and executing API requests3. Introduction to API Testing- Covering the basics of API testing and its significance4. Variable Management- Managing environment, global, and collection variables- Utilizing scripting snippets for dynamic data5. Building Testing Workflows- Creating effective testing workflows for comprehensive testing- Utilizing the Collection Runner for test execution- Introduction to Postbot for automated testing6. Advanced Testing- Contract Testing for ensuring API contracts- Using Mock Servers for effective testing- Maximizing productivity with Collection/Workspace templates- Integration Testing and Regression Testing strategies7. Automation with Postman- Leveraging the Postman CLI for automation- Scheduled Runs for regular testing- Integrating Postman into CI/CD pipelines8. Performance Testing- Demonstrating performance testing capabilities (showing the desktop client)- Synchronizing tests with VS Code for streamlined development9. Exploring Advanced Features - Working with Multiple Protocols: GraphQL, gRPC, and more
Join us for this workshop to unlock the full potential of Postman for API testing, streamline your testing processes, and enhance the quality and reliability of your software. Whether you're a beginner or an experienced tester, this workshop will equip you with the skills needed to excel in API testing with Postman.
Node Congress 2023Node Congress 2023
109 min
Node.js Masterclass
Workshop
Have you ever struggled with designing and structuring your Node.js applications? Building applications that are well organised, testable and extendable is not always easy. It can often turn out to be a lot more complicated than you expect it to be. In this live event Matteo will show you how he builds Node.js applications from scratch. You’ll learn how he approaches application design, and the philosophies that he applies to create modular, maintainable and effective applications.

Level: intermediate
Node Congress 2023Node Congress 2023
63 min
0 to Auth in an Hour Using NodeJS SDK
WorkshopFree
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool.
We will enhance a full-stack JS application (Node.JS backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session for subsequent client requests, validating / refreshing sessions
At the end of the workshop, we will also touch on another approach to code authentication using frontend Descope Flows (drag-and-drop workflows), while keeping only session validation in the backend. With this, we will also show how easy it is to enable biometrics and other passwordless authentication methods.
Table of contents- A quick intro to core authentication concepts- Coding- Why passwordless matters
Prerequisites- IDE for your choice- Node 18 or higher
JSNation 2023JSNation 2023
104 min
Build and Deploy a Backend With Fastify & Platformatic
WorkshopFree
Platformatic allows you to rapidly develop GraphQL and REST APIs with minimal effort. The best part is that it also allows you to unleash the full potential of Node.js and Fastify whenever you need to. You can fully customise a Platformatic application by writing your own additional features and plugins. In the workshop, we’ll cover both our Open Source modules and our Cloud offering:- Platformatic OSS (open-source software) — Tools and libraries for rapidly building robust applications with Node.js (https://oss.platformatic.dev/).- Platformatic Cloud (currently in beta) — Our hosting platform that includes features such as preview apps, built-in metrics and integration with your Git flow (https://platformatic.dev/). 
In this workshop you'll learn how to develop APIs with Fastify and deploy them to the Platformatic Cloud.
JSNation Live 2021JSNation Live 2021
156 min
Building a Hyper Fast Web Server with Deno
WorkshopFree
Deno 1.9 introduced a new web server API that takes advantage of Hyper, a fast and correct HTTP implementation for Rust. Using this API instead of the std/http implementation increases performance and provides support for HTTP2. In this workshop, learn how to create a web server utilizing Hyper under the hood and boost the performance for your web apps.
TestJS Summit 2023TestJS Summit 2023
89 min
Building out a meaningful test suite that's not all E2E
Workshop
We're all taught to follow the Testing Pyramid but the reality is that we build out the Testing Christmas Tree. In this workshop, David will talk you through how to break down projects and put the tests where they need to be. By the end of the workshop you will be able to update your projects so that anyone and everyone can start contributing and truly living up to "Quality is everyone job".
He will walk you through:- Component Testing- API Testing- Visual Regression Testing- A11Y testing
He will also talk you through how to get these all setup in your CI/CD pipeline so that you can get shorter and faster feedback loops.