WhiteHat is an application security platform offering dynamic application security testing (DAST), static application security testing (SAST), and software composition analysis (SCA). WhiteHat rose to prominence in the early 2000s, emerging as a leader in the burgeoning application security space. For years, WhiteHat was one of the strongest product offerings on the market. However, with changes in the way that software is delivered (Agile and then DevOps), it has struggled to keep up. As software teams look to shift application security left and automate testing in CI/CD (sometimes referred to as DevSecOps), they are finding that WhiteHat lacks the features they need.
Below is an overview of how things have changed, why WhiteHat is losing popularity, and alternative solutions for today’s application security teams.
The Evolution of Application Security
Any software company or software-enabled company knows that the security of their applications is critical to their long-term success. Without proper security measures in place, companies risk significant reputational and financial liabilities. Tools that test for vulnerabilities in the application have played a critical role in enabling companies to deliver securely. WhiteHat played an important role in this historically.
The advent of DevOps has changed the application security landscape. Infrastructure has moved to the cloud and applications are constantly being updated with small change sets frequently pushed to production. Other areas of software development have leaned into CI/CD automation as a result of this change. One example is QA testing - what was once a largely manual QA process has been replaced by test automation.
Until recently, however, application security had not kept up with this shift. Today’s software teams cannot rely on security tools built as a stage in a waterfall process. Today’s teams require tools that run automated tests in CI/CD, and run them fast. They require tools that alert a developer of a new vulnerability as soon as possible after she has made the change to the code. And they require tools that enable the developer to fix newly introduced vulnerabilities in a self-serve manner.
Simply put, WhiteHat and other legacy application security platforms cannot keep up with the speed of DevOps.
Where WhiteHat Struggles
In its day, WhiteHat provided an extremely valuable service. As code and customer-facing applications were tested for vulnerabilities, WhiteHat had a team of security analysts that reviewed and validated any findings. Enterprise security teams that were thin on resources found significant value in receiving validated findings (meaning fewer false positives) that they could pass on to engineering teams with a request to fix.
Today, this model no longer works.
Today software teams are pushing change sets multiple times per week or day. A workflow requiring external validation, or even a review by an internal security team, is simply too slow. These workflows either result in security teams being a blocker to deploy, or security teams that are constantly playing catch up. In either world, vast inefficiencies are introduced with internal prioritization discussions and developers revisiting parts of the codebase that they’ve long ago completed. Today’s software teams need security tooling that works in the same way the rest of their engineering tools work.
Modern Alternatives to WhiteHat
For teams looking for automated, developer-centric application security testing tools, there are new players in the market offering best-in-class solutions. For developer-centric solutions, there is not a single platform that provides all forms of application security testing. Luckily, these tools work well together, are developer friendly, and integrate into existing engineering workflows and tools.
DAST Alternative to WhiteHat: StackHawk
StackHawk is the only developer-centric DAST product on the market. Historically, dynamic security testing was performed against the production application long after a deploy. With StackHawk, teams run dynamic testing in CI/CD, finding newly added vulnerabilities before they hit production and while the developer is still in the context of the code she was working on.
Security risk is increasingly at the API layer and StackHawk offers the best API security testing functionality out there, allowing you to leverage a single platform to find front end and API vulnerabilities. When a developer is alerted of a new finding, StackHawk also provides documentation on how to fix that type of vulnerability and a cURL command generator to recreate the request for debugging.
If you are looking for other DAST solutions, but are not as concerned with developer-first features, you could consider open source ZAP, Burp Suite, or Netsparker.
SAST Alternatives to WhiteHat: GitHub or Snyk
There have been recent developments in the static analysis space, with Snyk and GitHub both growing their SAST functionality through acquisitions. While both products are relatively new to market, they are already leading the way on developer-centric SAST.
CodeQL is GitHub’s SAST offering. GitHub brings security issues into the pull request with CodeQL code scanning. It also enables users to add other code scanning tools to the build process. CodeQL has an open source database of rules that it tests code against, and it also enables users to write their own static tests. CodeQL can alert a developer in the IDE and can be instrumented in CI/CD to break the build if a new security issue is introduced.
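The "break the build only on new findings" behaviour described above depends on telling a newly introduced vulnerability apart from one that was already known and merely moved by unrelated edits. The following is an added, hypothetical example of that gate logic in Python; it is not CodeQL's, Snyk's or StackHawk's own code. The finding structure, the rule IDs, the file paths and the two scan result sets are constructed sample values, and the severity threshold is an assumed policy.

```python
"""CI build gate that fails only on *new* findings relative to a baseline scan.

Hypothetical helper (not any vendor's code). Each finding is reduced to a
stable fingerprint of rule, file and normalized flagged source line, so a
finding that moved to a different line number because of an unrelated edit
is still recognized as the same, already-triaged issue.
"""
import hashlib
import sys
from dataclasses import dataclass

# Assumed severity ordering used for the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str   # constructed, SAST-style rule identifier
    path: str      # constructed sample path
    line: int
    severity: str
    snippet: str   # the flagged source line, used for fingerprinting


def fingerprint(f: Finding) -> str:
    """Stable identity for a finding; deliberately excludes the line number."""
    normalized = " ".join(f.snippet.split())
    digest = hashlib.sha256(f"{f.rule_id}|{f.path}|{normalized}".encode()).hexdigest()
    return digest[:16]


def new_findings(current, baseline):
    """Findings in `current` whose fingerprint is absent from `baseline`."""
    known = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in known]


def gate(current, baseline, fail_on="medium"):
    """Return (should_fail, blocking): new findings at or above the threshold."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [
        f for f in new_findings(current, baseline)
        if SEVERITY_RANK[f.severity] >= threshold
    ]
    return bool(blocking), blocking


# Constructed sample scans: the baseline is the last triaged main-branch scan,
# CURRENT is the scan of the pull request under test.
BASELINE = [
    Finding("sample/sql-injection", "app/db.py", 40, "high",
            'cur.execute("SELECT * FROM users WHERE id = " + uid)'),
    Finding("sample/weak-hash", "app/auth.py", 12, "low",
            "hashlib.md5(password.encode())"),
]
CURRENT = [
    # Same SQL injection, pushed down three lines by an unrelated edit: not new.
    Finding("sample/sql-injection", "app/db.py", 43, "high",
            'cur.execute("SELECT * FROM users WHERE id = " + uid)'),
    Finding("sample/weak-hash", "app/auth.py", 12, "low",
            "hashlib.md5(password.encode())"),
    # Newly introduced path traversal at high severity: new and blocking.
    Finding("sample/path-injection", "app/files.py", 21, "high",
            "open(os.path.join(ROOT, user_supplied_path))"),
    # New low-severity issue: reported, but below the assumed threshold.
    Finding("sample/cleartext-logging", "app/auth.py", 30, "low",
            'log.info("password=%s", password)'),
]

if __name__ == "__main__":
    should_fail, blocking = gate(CURRENT, BASELINE)
    for f in blocking:
        print(f"NEW {f.severity.upper()} {f.rule_id} {f.path}:{f.line}")
    sys.exit(1 if should_fail else 0)
```

Run as a CI step, the script exits non-zero only when the pull request adds a finding at or above the threshold, so the developer sees the one issue she just introduced rather than the whole backlog. Fingerprinting on the normalized source line rather than the line number is the choice that keeps pre-existing findings from resurfacing as "new" after every unrelated edit above them.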
Snyk Code is the latest offering from Snyk. With a strong foundation in developer-centric application security with the Snyk Open Source product (more on that below!), the company has expanded into the SAST space. Snyk adds SAST scanning to the IDE or CI/CD, boasting scan times that are 10-50x faster than other solutions. With a solid developer experience and fast scan times, Snyk makes ensuring secure coding patterns through SAST easy.
SCA Alternative to WhiteHat: Snyk
When it comes to software composition analysis, Snyk Open Source is the clear favorite in the market. Over the past five years, Snyk has become the obvious choice for open source security. Built on top of the industry leading Intel Vulnerability Database, Snyk Open Source makes it simple for developers to understand when they are including a vulnerable dependency in their code. Snyk doesn’t stop at simply alerting the developer about the vulnerable dependency, but also provides tooling to help push a fix, either through an automated pull request to update the dependency or proprietary patches provided if an update is too disruptive.
Other SCA products on the market include Dependabot by GitHub, FOSSA, and WhiteSource.
Getting Started with Developer-Centric Application Security
Making a shift to developer-centric application security can be intimidating. Decades of security tools that are not developer friendly have created skepticism about jumping into a project like this. However, if there is high-level cultural alignment about shifting application security left, a quick test of the modern tooling will put concerns at ease. Be sure to sign up for a free account with companies like StackHawk or Snyk to run some tests.
If you’d prefer to see the tools in action first, check out the video below of StackHawk and Snyk working together.