Security Testing for GraphQL Backed Applications

5 min
24 Jun, 2021



AI Generated Video Summary

StackHawk is an automated application and API security testing tool that integrates with CI/CD. It uses the ZAP scanner and supports various types of applications and APIs. StackHawk provides detailed vulnerability information and triage features to manage low-risk issues. The tool aims to seamlessly integrate into engineering workflows and make security accessible for teams.

1. Overview of StackHawk

Short description:

StackHawk provides automated application and API security testing, making it easy to find and fix vulnerabilities. It integrates with CI/CD, running scans on pull requests or commits. The tool uses the ZAP scanner and supports various types of applications and APIs. When a vulnerability is found, StackHawk provides detailed information and allows for easy debugging and fixing. It also offers triage features to manage low-risk issues. StackHawk aims to integrate seamlessly into engineering workflows and make security approachable for teams.

Hey there, Node Congress. I'm Ryan Severance, one of the founders of StackHawk. At StackHawk, it's simple for developers to find and triage and fix application security bugs. I'm going to tell you a little bit more about what we do today.

So StackHawk in a nutshell: we do application and API security testing. We're built for automation in CI/CD. Ultimately, we make it really easy to find and fix any application security vulnerabilities. So let's say you're building a new feature and your team's working on it, and somebody introduces a new endpoint that perhaps has a SQL injection vulnerability and exposes sensitive data from the backend that a malicious attacker could access. With traditional approaches, that might not be discovered until weeks or months later, maybe in a pen test or a security team review.

With StackHawk, when you open the pull request, or even on the commit, depending on how you have it configured in CI/CD, a scan will run. It's a test against the application, and it looks for any of these sorts of vulnerabilities. It would notify you that a SQL injection vulnerability has been found, and then it tees the team up with all of the information to hop in there and fix it. So you find any bugs early, and it makes it really simple to fix them. Let me tell you a little bit about how it works behind the scenes. We're built on top of an open source scanner called ZAP, Z-A-P. It's an industry standard, one of the best dynamic application security testing tools out there. We make it really easy to configure and to run anywhere, and simple to automate. With StackHawk, you can scan modern applications: server-side HTML, single-page applications, REST APIs, GraphQL. Ultimately, it's just really fast automated application security testing.

So let's say the test runs and maybe you get notified from a broken build that a new vulnerability has been introduced. You can hop into the StackHawk web app, and you have the request that was sent to the application and the response that was returned, with highlighting of the evidence that shows that it's a vulnerability. There's a validate button that you can click on to recreate that same request, step through the code in debug mode, figure out where you're mishandling information, and ultimately get to a fix really quickly. We also have overviews of what the bug is and documentation on how to fix it. There are also triage features. So let's say you get notified about something, but it's low risk and it shouldn't block the push to production. You can mark it as risk accepted, or maybe you put it in your JIRA backlog, and the scanner respects that. So the next time it runs, it's only looking for newly introduced vulnerabilities. StackHawk integrates really easily with the rest of your engineering stack. We're big believers in tying into modern developer workflows and making security easy to approach for engineering teams.

So that's a quick overview of StackHawk. We'd love for you to come check us out. Come by the website, sign up for a free account, and make sure to check out the giveaway that we have going on for Node Congress. Everybody gets a t-shirt and you're also entered to win a Nintendo Switch. That's all. Thanks so much. Bye.
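The scenario the talk describes, a new GraphQL endpoint whose resolver builds SQL from its argument and which a scan on the pull request would report as SQL injection, as an added example (not code from the talk, from StackHawk or from ZAP): the vulnerable query builder beside its parameterized fix, with a constructed `inspect` helper that shows why a stray quote in the argument makes the unsafe statement malformed, which is the database error text a DAST scanner highlights as evidence. The resolver wiring assumes a node-postgres-style `db.query(text, params)` on the context.

```javascript
// Added example, not StackHawk's or ZAP's code. Two ways to build the SQL
// behind a GraphQL `user(id: ID!)` resolver for a Postgres-style driver.

function unsafeUserQuery(args) {
  // Vulnerable: the argument becomes part of the statement text.
  return {
    text: "SELECT id, email FROM users WHERE id = '" + args.id + "'",
    params: [],
  };
}

function safeUserQuery(args) {
  // Hardened: the statement text is constant; the driver sends the
  // value separately as bind parameter $1, so it can never change the SQL.
  return {
    text: "SELECT id, email FROM users WHERE id = $1",
    params: [args.id],
  };
}

// Constructed helper: report whether the argument leaked into the SQL text
// and whether the single quotes in that text still pair up. An odd count
// means the statement is malformed, which is what produces the SQL syntax
// error a scanner looks for in the response.
function inspect(build, id) {
  const { text, params } = build({ id });
  const quotes = (text.match(/'/g) || []).length;
  return {
    text,
    params,
    argInText: text.includes(id),
    malformed: quotes % 2 === 1,
  };
}

// Resolver map as it would sit in the schema; ctx.db is assumed to expose
// query(text, params) like node-postgres. Only the safe builder is wired in.
const resolvers = {
  Query: {
    user: async (_parent, args, ctx) => {
      const { text, params } = safeUserQuery(args);
      const res = await ctx.db.query(text, params);
      return res.rows[0] ?? null;
    },
  },
};
```

Running `inspect(unsafeUserQuery, "42'")` reports the argument in the SQL text and an odd quote count, while `inspect(safeUserQuery, "42'")` keeps the text constant and carries the value only in `params`.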
