Tools Used to Test and Detect Application Security Vulnerabilities

Pavan Belagatti - Feb 23 '23 - - Dev Community

Note: This article focuses on Node.js applications.

Please check my article on running simple automated tests for your Node.js application.

In this digital age, where everything is connected to the internet and data is everything, security becomes essential for any application, especially those built on Node.js. Node.js is a robust JavaScript-based runtime environment for developing web applications, APIs, and server-side applications. It is famous for its scalability and versatility, but it also comes with its own security risks that must be addressed. In this blog post, we will discuss the importance of application security for Node.js applications and provide a comprehensive guide on the various tools and strategies available for strengthening security.

Node.js and Application Security

Node.js is an open-source, cross-platform JavaScript runtime environment for developing web and server-side applications. It is used by millions of developers worldwide because of its scalability and versatility. It is also an ideal platform for developing real-time applications, such as chat applications or multiplayer games. However, like any other platform, Node.js has its own security risks. Therefore, it is essential to consider application security when developing Node.js applications. Application security protects applications from unauthorised access, data loss, data alteration, and malicious attacks. It is a continuous process that requires regular monitoring and updating of security measures.

Automating Security Tests in Node.js

Automating security tests is an essential part of ensuring that applications are secure. Automated security tests can help organizations identify and fix potential vulnerabilities in the application code. This can help organizations reduce the risk of data breaches and ensure compliance with industry regulations. To automate security tests in Node.js, organizations should use security tools that are specifically designed for Node.js applications. These tools can be used to scan code and identify potential vulnerabilities. They can also be used to run automated security tests regularly.

Prerequisites

Tutorial

Harness is a leading software delivery platform with a CI module that helps developers set up continuous integration and delivery pipeline quickly.

Sign up for the free Harness cloud account. Once you sign up and verify your account, you will be presented with a welcome message and project creation set-up. Proceed to create a project.
get started

Add the name to the project, save and continue.
project details

Select the ‘Continuous Integration’ module and start your free plan.
continuous integration module

You can start creating your first pipeline.
First pipeline

Click on ‘Get Started’ and connect your SCM tool/platform where the application code is present.
GitHub authentication

Once your SCM integration connection is successful, pick your repository and begin your pipeline configuration.
repo select

Since we are working with a Node.js application, let’s select Node.js and proceed to create the pipeline.
configure nodejs application

Once you click on ‘Create Pipeline’, you will see the pipeline studio as shown below with default settings.
build nodejs application

Click ‘Build Node App’ to see the pipeline configuration. You should see the following page.
pipeline studio Harness

If you click on the ‘Build Node App’ under the ‘Execution’ tab, you should see the ‘Run’ step configured for you by default.
configure run step

You can see node and npm commands in the ‘Command’ tab.
You can keep the mentioned commands or replace and add only the important ones.

We will just keep npm install and npm test

Apply changes, save the configuration and run the pipeline. You should see the tests passing.
run pipeline

successful pipeline

Now, let’s add more tests to your Node.js application to strengthen it, so it is all error-free before deploying it.
node security testing configuration

You can extend the security and vulnerability testing of your application by using the Harness security testing orchestration (STO) module.

In the execution tab, you can add a step and choose ‘Security’.
STO Harness

You can configure any security tool in the pipeline, such as Snyk, Bandit, OWASP, etc.

You can see that I have configured the OWASP, Snyk, Bandit and Aqua Trivy scan for my application.
security testing tools

After selecting the STO step, you need to add details of the security framework/tool you would like to use for your project.

For example, I have configured the Snyk test with the following details. Sign up for Snyk for free and get the SNYK_TOKEN to add in the details below.

The other details include,

policy_type = orchestratedScan
scan_type = repository
product_name = snyk
product_config_name = default
repository_project = Simple-Node-App [This is our project name from the forked repo]
repository_branch = <+codebase.branch>
SNYK_TOKEN = Add your snyk token here

snyk test

Apply changes and save the pipeline.

Similarly, configure the OWASP, Bandit and Aqua Trivy scan.
OWASP Scan

Below is the setting for the Bandit scan
Bandit scan

Below is the setting for the Aqua Trivy scan
aqua trivy scan

At this point, your pipeline should look like this,
final pipeline

Now, save everything and run the pipeline to see the test and vulnerability report.
all security tests passing

You can see that the scans ran successfully. It is time to see our application's test report and vulnerabilities.

Click on the ‘Security Tests’, and you should see the vulnerability dashboard as below
security test report

You can dig deeper into the vulnerability and possible remediation steps by clicking on them. An example is shown below.
security vulnerabilities

That’s how you can not only find but also fix the issues found in your application and container images.

Conclusion

Application security is essential for protecting Node.js applications from malicious attacks and data breaches. Organizations should use the right tools and strategies for strengthening security, such as security testing, secure coding best practices, DevSecOps, and monitoring and logging security events. By following these best practices, organizations can protect their Node.js applications from malicious attacks and ensure compliance with industry regulations. So, if you're looking for ways to strengthen the security of your Node.js applications, this blog post is a great place to start. I hope you found this helpful guide and that it helps you protect your applications from malicious attacks.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .