Security Testing for JS Apps


With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Ryan Severns for a quick overview of JS application security testing with StackHawk.


Hey there, TestJS. My name is Ryan Severns. I'm one of the founders of StackHawk.

We're an application security tool built to make it simple for developers to find, triage, and fix application security bugs. We built this company because we know that software is being shipped to production faster than ever before, and application security tooling needs to be able to keep up with the pace of modern software development.

So let me tell you a little bit about StackHawk. StackHawk is a dynamic application and API security testing tool. So we run active security tests against your running application. You may be familiar with tools that look for open source vulnerabilities, vulnerabilities in the open source libraries that you're using. We're huge fans of those tools. That's a little different than what we do. We look at the application, so we do find any exploitable open source vulnerabilities. We also find anything that you or your team may have added into the application that is creating a vulnerability. We are built on top of the open source ZAP project. And ultimately we are built for automation in CI/CD. So we're big believers in running a security test in the pipeline, find and fix vulnerabilities before they hit production. And we make that really simple.

So here's how it works. You start with scanning your application. You have a YAML-based configuration file and a Docker-based scanner. It allows you to run the scans anywhere. You can run it locally, run it in CI/CD. You can point it at your production environment and run the scan. And it crawls the app. We pull in OpenAPI spec, GraphQL introspection endpoint.

Ultimately we're built for scanning modern applications and hit both the application and the underlying APIs. And then ultimately we're very focused on performant AppSec testing. So if you've used any of these tools in the past, some of the legacy tools, the scan times are measured in hours, not minutes. And so we are big believers in being very performant.

Then once you've run a scan, take a look at any findings and triage and fix those findings. So when you take a look at a finding, it shows the path that it was found on. You see the request that was sent in to the application, what the response was, giving evidence of the finding. We have a button to create a curl command to go recreate that same request. So it makes it really simple to step through the code, figure out where you might be mishandling something and just drastically shortens the time to fix things. A lot of application security findings are not that difficult to fix. It's just a matter of knowing where they are, being given the tools to go fix them. We have fixed documentation linked in the application as well. So we make it really easy if there is a finding to fix it, get back to building the features that you're working on.

We also have a triage feature so that you can mark a finding as risk accepted, take a look at it, it's just not something that's worth fixing. Or maybe you've sent it to JIRA, it's prioritized with your other engineering work. The scanner will still find it, but it's not going to break the build, not going to be noisy. It allows you to manage how you want to deal with the security findings that do pop up.

And ultimately we're big believers in making it simple to integrate with the rest of your engineering stack. So we have lots of integrations and makes that simple. So that's StackHawk in a quick nutshell. Would love for you to come check us out. You can sign up for a free account at You can check out our docs to learn a little bit more.
That's And feel free to reach out if you have any questions.

Thanks so much. Thanks for watching.
5 min
15 Jun, 2021
