Lightning Talks Q&A, Day 1, Node Congress
Wow, thank you everyone. We call it lightning talks, but you were on fire. Sorry for that joke. I don't see the speakers yet. Houston, where are my speakers? Where are the lightning talk speakers? I don't see anyone. Hello. Ah, there they are. Hey, everyone. Hey. Hey. Good to see you again. We're going to go to our audience questions. Hope you're all ready.

The first question I have is for Chinmay. The question is, what can I do to get the most out of distributed tracing apart from what you mentioned in the talk?

Yeah, good question. I would say there are two things that you can do apart from the things that I mentioned. One is essentially tagging everything. So you need to tag your traces with things such as user ID or event ID so that it helps you get context to the traces and the logs. And the second thing that you can do is actually capture the payload. So whenever you have an HTTP request coming in, you should capture the headers and the body of the request as well as the response.

Okay. Thank you. Next question is for Anthony and Austin. What if I want to connect Retool to something that is not a native integration?

I can take this one. Retool supports connecting to any REST API. So this could be an internal API. It could be, if there isn't a database connection for, let's say, InfluxDB, for example, you can use the InfluxDB API as a resource.

Okay. Thank you. Question for Ryan. Do you test for GraphQL vulnerabilities as well?

Yeah, we do. So what happens is the scanner will hit the introspection endpoint, build the graph, and run active tests, effectively fuzzing, against all of the various query parameters, and look for any potential vulnerabilities in your GraphQL API.

Nice. Next question is for Chinmay again. What type of integration should I be looking at when choosing an observability product?

So I would kind of categorize integrations into four parts: alerts, environments, and frameworks, as well as add-ons. So you need to see what kind of alert platforms you support, so for example, Slack or Jira. Then you need to see the environments, AWS, Azure. Then you need to see the frameworks, such as Node.js or Python. And then finally add-ons, such as debugging software like Sentry or something like that. So all these four should be in your environment and you should look at those for selecting your observability solution.

Okay, thank you. Another question for Anthony and Austin again. How do I set up Retool on-prem?

Yeah, that's a great question. So whenever you want to deploy Retool on-prem, we have a Docker image you can pull down. Essentially there's a stateless Retool container, with a Postgres that backs up any data about your users, permissions, and things like that. So it's just a matter of running a few commands on a Docker image, and you can pull it with Docker Compose, Kubernetes, Helm, etc. It's all prepared: download, install, and go.

Exactly. Ryan, does StackHawk run tests against microservices also?

It does. That's actually our recommended way of testing. So traditional application security testing is running against the application in production, which, A, means any vulnerabilities that are found are live in production, and B, if you find something, you then have to go figure out where it lives. Scans take a long time. So it's just kind of this outdated model. With StackHawk, it runs in CI/CD and you run against the individual underlying services, APIs, the smallest units that you can. And it makes for really fast tests. And then if there is a finding, it's really easy to hone in on what needs to be fixed.

Nice. Another question for you, Ryan. How would I fix a vulnerability if it was surfaced in StackHawk?

Yeah. So when you have a finding within the StackHawk UI, it shows the overview of what that security bug is and, if you're not familiar with it, links out to cheat sheets on how to fix it. But then within StackHawk, you have the request that was sent into the application and the response that was received back, with highlighted evidence of why it's a security bug. And then there's a curl command generator to recreate that exact same request, so you can step through your code and debug what's going wrong.

Okay, cool. That's nice. That's all the questions we have right now from our audience. So I guess we can wrap up for now. I want to thank you all for joining us and hope to see you again real soon in real life. Bye-bye.