Log in

Security Testing for JS Apps

From:
TestJS Summit
TestJS Summit - January, 2021
Rate this content
Bookmark

With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Ryan Severns for a quick overview of JS application security testing with StackHawk.

testingsecurity testing
5 min
15 Jun, 2021

Comments

Sign in or register to post your comment.

AI Generated Video Summary

Stackhawk is an application security tool that focuses on dynamic application and API security testing. It is built on top of the open source ZAP project and designed for automation in CICD. Stackhawk provides a comprehensive set of tools for application security testing and bug fixing, including viewing findings, recreating requests, and easily fixing vulnerabilities. It allows for triaging findings and integrating with other engineering stacks. Visit stackhawk.com to sign up for a free account and learn more at docs.stackhawk.com.

1. Introduction to Stackhawk

Short description:

Stackhawk is an application security tool built for finding, triaging, and fixing application security bugs. It focuses on dynamic application and API security testing, looking for exploitable open source vulnerabilities and vulnerabilities introduced by the application. Stackhawk is built on top of the open source ZAP project and is designed for automation in CICD. It allows you to scan your application using a YAML configuration file and a Docker scanner. The scans can be run anywhere, including locally or in a production environment. Stackhawk is highly performant, providing results quickly, and allows you to triage and fix any findings.

Hey there, TestJS. My name is Ryan Severance. I'm one of the founders of Stackhawk. We're an application security tool built to make it simple for developers to find, triage, and fix application security bugs.

We built this company because we know that software is being shipped to production faster than ever before, and application security tooling needs to be able to keep up with the pace of modern software development. So let me tell you a little bit about Stackhawk.

Stackhawk is a dynamic application and API security testing tool. So we run active security tests against your running application. You may be familiar with tools that look for open source vulnerabilities. Vulnerabilities in the open source libraries that you're using. We're huge fans of those tools. That's a little different than what we do. We look at the application. So we do find any exploitable open source vulnerabilities, and we also find anything that you or your team may have added into the application that is creating a vulnerability. We are built on top of the open source ZAP project. And ultimately, we are built for automation in CICD.

So we're big believers in running a security test in the pipeline, find and fix vulnerabilities before they hit production. And we make that really simple. So here's how it works. You start with scanning your application. You have a YAML based configuration file and a Docker based scanner. It allows you to run the scans anywhere. You can run it locally, run it in CICD, you can point it at your production environment and run the scan. And it crawls the app. We pull in OpenAPI spec, GraphQL, introspection endpoint. Ultimately, we were built for scanning modern applications and hit both the application and the underlying APIs. And then ultimately, we're very focused on performance app tech testing. So if you've used any of these tools in the past, some of the legacy tools, the scan times are measured in hours, not minutes. And so we are big believers in being very performant. Then once you've run a scan, take a look at any findings and triage and fix those findings.

2. Stackhawk Features and Integration

Short description:

Stackhawk provides a comprehensive set of tools for application security testing and bug fixing. It offers features such as viewing findings, recreating requests, and easily fixing vulnerabilities. Stackhawk also allows for triaging findings and integrating with other engineering stacks. Visit stackhawk.com to sign up for a free account and learn more at docs.stackhawk.com.

So when you take a look at a finding, shows the the path that it was found on, you see the request that was sent in to the application, what the response was, giving evidence of the finding.

We have a button to create a curl command to go recreate that same request. It makes it really simple to step through the code, figure out where you might be mishandling something, and just drastically shortens the time to fix things.

A lot of application security findings are not that difficult to fix. It's just a matter of knowing where they are, being given the tools to go fix them. We have fixed documentation linked in the application as well. We make it really easy if there is a finding to fix it, get back to building the features that you're working on.

We also have a triage feature so that you can mark a finding as risk accepted, take a look at it, it's just not something that's worth fixing. Or maybe you've sent it to Jira, it's prioritized with your other engineering work. The scanner will still find it but it's not going to break the build, not going to be noisy. It allows you to manage how you want to deal with the security findings that do pop up.

And ultimately we're big believers in making it simple to integrate with the rest of your engineering stack. So we have lots of integrations and makes that simple.

So that's Stackhawk in a quick nutshell, would love for you to come check us out. You can sign up for a free account at stackhawk.com, you can check out our docs to learn a little bit more, that's docs.stackhawk.com. And feel free to reach out if you have any questions.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

TestJS Summit 2021TestJS Summit 2021
33 min
Network Requests with Cypress
Whether you're testing your UI or API, Cypress gives you all the tools needed to work with and manage network requests. This intermediate-level task demonstrates how to use the cy.request and cy.intercept commands to execute, spy on, and stub network requests while testing your application in the browser. Learn how the commands work as well as use cases for each, including best practices for testing and mocking your network requests.
testingcypress
TestJS Summit 2021TestJS Summit 2021
38 min
Testing Pyramid Makes Little Sense, What We Can Use Instead
Featured Video
The testing pyramid - the canonical shape of tests that defined what types of tests we need to write to make sure the app works - is ... obsolete. In this presentation, Roman Sandler and Gleb Bahmutov argue what the testing shape works better for today's web applications.


testing
TestJS Summit 2021TestJS Summit 2021
31 min
Test Effective Development
Developers want to sleep tight knowing they didn't break production. Companies want to be efficient in order to meet their customer needs faster and to gain competitive advantage sooner. We ALL want to be cost effective... or shall I say... TEST EFFECTIVE!
But how do we do that?
Are the "unit" and "integration" terminology serves us right?
Or is it time for a change? When should we use either strategy to maximize our "test effectiveness"?
In this talk I'll show you a brand new way to think about cost effective testing with new strategies and new testing terms!
It’s time to go DEEPER!


testingunit testing
TestJS Summit 2022TestJS Summit 2022
27 min
Full-Circle Testing With Cypress
Cypress has taken the world by storm by brining an easy to use tool for end to end testing. It’s capabilities have proven to be be useful for creating stable tests for frontend applications. But end to end testing is just a small part of testing efforts. What about your API? What about your components? Well, in my talk I would like to show you how we can start with end-to-end tests, go deeper with component testing and then move up to testing our API, circ
testingcypresse2e testing
TestJS Summit 2021TestJS Summit 2021
36 min
Effective Performance Testing to your Server with Autocannon
Performance testing expertise that is developed for a long time. In order to measure your server performance you need a tool that can efficiently simulate a lot of abilities and give you good measurements according your analysing criteria.
Autocannon NPM library gave me exactly that - that library is super easy to install and has a very simple API to work with. Within a really short amount of time you can start do performance testing to your application and get good measurements in development environment and in your performance labs, and generate complicated testing scenarios.
In this talk I will introduce Autocannon, explain how to efficiently analyse your server performance with it, and show how it helped me to understand complicated performance issues in my Node.js servers. At the end of this lecture, developers will be able to have the ability to integrate a fast and easy tool in order to measure your server performance.
performancetestingautomation

Workshops on related topic

React Summit 2023React Summit 2023
151 min
Designing Effective Tests With React Testing Library
Featured Workshop
React Testing Library is a great framework for React component tests because there are a lot of questions it answers for you, so you don’t need to worry about those questions. But that doesn’t mean testing is easy. There are still a lot of questions you have to figure out for yourself: How many component tests should you write vs end-to-end tests or lower-level unit tests? How can you test a certain line of code that is tricky to test? And what in the world are you supposed to do about that persistent act() warning?
In this three-hour workshop we’ll introduce React Testing Library along with a mental model for how to think about designing your component tests. This mental model will help you see how to test each bit of logic, whether or not to mock dependencies, and will help improve the design of your components. You’ll walk away with the tools, techniques, and principles you need to implement low-cost, high-value component tests.
Table of contents
- The different kinds of React application tests, and where component tests fit in
- A mental model for thinking about the inputs and outputs of the components you test
- Options for selecting DOM elements to verify and interact with them
- The value of mocks and why they shouldn’t be avoided
- The challenges with asynchrony in RTL tests and how to handle them
Prerequisites
- Familiarity with building applications with React
- Basic experience writing automated tests with Jest or another unit testing framework
- You do not need any experience with React Testing Library
- Machine setup: Node LTS, Yarn
reacttestingbest practicesdeep dive
TestJS Summit 2022TestJS Summit 2022
146 min
How to Start With Cypress
Featured WorkshopFree
The web has evolved. Finally, testing has also. Cypress is a modern testing tool that answers the testing needs of modern web applications. It has been gaining a lot of traction in the last couple of years, gaining worldwide popularity. If you have been waiting to learn Cypress, wait no more! Filip Hric will guide you through the first steps on how to start using Cypress and set up a project on your own. The good news is, learning Cypress is incredibly easy. You'll write your first test in no time, and then you'll discover how to write a full end-to-end test for a modern web application. You'll learn the core concepts like retry-ability. Discover how to work and interact with your application and learn how to combine API and UI tests. Throughout this whole workshop, we will write code and do practical exercises. You will leave with a hands-on experience that you can translate to your own project.
testingcypress
React Summit 2022React Summit 2022
117 min
Detox 101: How to write stable end-to-end tests for your React Native application
WorkshopFree
Compared to unit testing, end-to-end testing aims to interact with your application just like a real user. And as we all know it can be pretty challenging. Especially when we talk about Mobile applications.
Tests rely on many conditions and are considered to be slow and flaky. On the other hand - end-to-end tests can give the greatest confidence that your app is working. And if done right - can become an amazing tool for boosting developer velocity.
Detox is a gray-box end-to-end testing framework for mobile apps. Developed by Wix to solve the problem of slowness and flakiness and
used by React Native itself
as its E2E testing tool.
Join me on this workshop to learn how to make your mobile end-to-end tests with Detox rock.
Prerequisites
- iOS/Android: MacOS Catalina or newer
- Android only: Linux
-
Install before the workshop
testingreact nativee2e testingbeginner friendly
TestJS Summit - January, 2021TestJS Summit - January, 2021
173 min
Testing Web Applications Using Cypress
WorkshopFree
This workshop will teach you the basics of writing useful end-to-end tests using Cypress Test Runner.
We will cover writing tests, covering every application feature, structuring tests, intercepting network requests, and setting up the backend data.
Anyone who knows JavaScript programming language and has NPM installed would be able to follow along.


testingjavascriptcypresse2e testing
TestJS Summit 2021TestJS Summit 2021
85 min
Automated accessibility testing with jest-axe and Lighthouse CI
Workshop
Do your automated tests include a11y checks? This workshop will cover how to get started with jest-axe to detect code-based accessibility violations, and Lighthouse CI to validate the accessibility of fully rendered pages. No amount of automated tests can replace manual accessibility testing, but these checks will make sure that your manual testers aren't doing more work than they need to.


testingaccessibilityautomationautomated security
React Advanced Conference 2023React Advanced Conference 2023
159 min
Effective Detox Testing
Workshop
So you’ve gotten Detox set up to test your React Native application. Good work! But you aren’t done yet: there are still a lot of questions you need to answer. How many tests do you write? When and where do you run them? How do you ensure there is test data available? What do you do about parts of your app that use mobile APIs that are difficult to automate? You could sink a lot of effort into these things—is the payoff worth it?
In this three-hour workshop we’ll address these questions by discussing how to integrate Detox into your development workflow. You’ll walk away with the skills and information you need to make Detox testing a natural and productive part of day-to-day development.
Table of contents:
- Deciding what to test with Detox vs React Native Testing Library vs manual testing
- Setting up a fake API layer for testing
- Getting Detox running on CI on GitHub Actions for free
- Deciding how much of your app to test with Detox: a sliding scale
- Fitting Detox into you local development workflow
Prerequisites
- Familiarity with building applications with React Native
- Basic experience with Detox
- Machine setup: a working React Native CLI development environment including either Xcode or Android Studio
testingreact native