With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Ryan Severns for a quick overview of JS application security testing with StackHawk.
Video Summary and Transcription
Stackhawk is an application security tool that focuses on dynamic application and API security testing. It is built on top of the open source ZAP project and designed for automation in CICD. Stackhawk provides a comprehensive set of tools for application security testing and bug fixing, including viewing findings, recreating requests, and easily fixing vulnerabilities. It allows for triaging findings and integrating with other engineering stacks. Visit stackhawk.com to sign up for a free account and learn more at docs.stackhawk.com.
Available in Español
1. Introduction to Stackhawk
Short description:
Stackhawk is an application security tool built for finding, triaging, and fixing application security bugs. It focuses on dynamic application and API security testing, looking for exploitable open source vulnerabilities and vulnerabilities introduced by the application. Stackhawk is built on top of the open source ZAP project and is designed for automation in CICD. It allows you to scan your application using a YAML configuration file and a Docker scanner. The scans can be run anywhere, including locally or in a production environment. Stackhawk is highly performant, providing results quickly, and allows you to triage and fix any findings.
Hey there, TestJS. My name is Ryan Severance. I'm one of the founders of Stackhawk. We're an application security tool built to make it simple for developers to find, triage, and fix application security bugs.
We built this company because we know that software is being shipped to production faster than ever before, and application security tooling needs to be able to keep up with the pace of modern software development. So let me tell you a little bit about Stackhawk.
Stackhawk is a dynamic application and API security testing tool. So we run active security tests against your running application. You may be familiar with tools that look for open source vulnerabilities. Vulnerabilities in the open source libraries that you're using. We're huge fans of those tools. That's a little different than what we do. We look at the application. So we do find any exploitable open source vulnerabilities, and we also find anything that you or your team may have added into the application that is creating a vulnerability. We are built on top of the open source ZAP project. And ultimately, we are built for automation in CICD.
So we're big believers in running a security test in the pipeline, find and fix vulnerabilities before they hit production. And we make that really simple. So here's how it works. You start with scanning your application. You have a YAML based configuration file and a Docker based scanner. It allows you to run the scans anywhere. You can run it locally, run it in CICD, you can point it at your production environment and run the scan. And it crawls the app. We pull in OpenAPI spec, GraphQL, introspection endpoint. Ultimately, we were built for scanning modern applications and hit both the application and the underlying APIs. And then ultimately, we're very focused on performance app tech testing. So if you've used any of these tools in the past, some of the legacy tools, the scan times are measured in hours, not minutes. And so we are big believers in being very performant. Then once you've run a scan, take a look at any findings and triage and fix those findings.
2. Stackhawk Features and Integration
Short description:
Stackhawk provides a comprehensive set of tools for application security testing and bug fixing. It offers features such as viewing findings, recreating requests, and easily fixing vulnerabilities. Stackhawk also allows for triaging findings and integrating with other engineering stacks. Visit stackhawk.com to sign up for a free account and learn more at docs.stackhawk.com.
So when you take a look at a finding, shows the the path that it was found on, you see the request that was sent in to the application, what the response was, giving evidence of the finding.
We have a button to create a curl command to go recreate that same request. It makes it really simple to step through the code, figure out where you might be mishandling something, and just drastically shortens the time to fix things.
A lot of application security findings are not that difficult to fix. It's just a matter of knowing where they are, being given the tools to go fix them. We have fixed documentation linked in the application as well. We make it really easy if there is a finding to fix it, get back to building the features that you're working on.
We also have a triage feature so that you can mark a finding as risk accepted, take a look at it, it's just not something that's worth fixing. Or maybe you've sent it to Jira, it's prioritized with your other engineering work. The scanner will still find it but it's not going to break the build, not going to be noisy. It allows you to manage how you want to deal with the security findings that do pop up.
And ultimately we're big believers in making it simple to integrate with the rest of your engineering stack. So we have lots of integrations and makes that simple.
So that's Stackhawk in a quick nutshell, would love for you to come check us out. You can sign up for a free account at stackhawk.com, you can check out our docs to learn a little bit more, that's docs.stackhawk.com. And feel free to reach out if you have any questions.
