At StackHawk we were thrilled to find out we had been selected as the Application Security category winner for the first-ever CISO Choice Awards. What makes this award unique is that experienced CISOs select the finalists and winners.
We sat down (well, virtually sat down) with StackHawk CSO and Co-Founder, Scott Gerlach, to talk about what makes this award meaningful for a security leader. Scott offered his insights into what set StackHawk apart from other applicants and what you can expect to see in our future.
CISO Choice Award Q&A
Can you tell us a little bit about the CISO Choice Awards and what makes this recognition special?
Absolutely. The CISO Choice Awards is a new award that looks to identify security companies that are taking on the most important challenges for information security.
There are a TON of awards out there for security. What makes this award different (and why we applied) is that all of the finalists and winners are selected by a Board of CISOs. These CISOs are deeply embedded in the security space and are constantly trying new tools and products. They are facing challenges of how to run and scale a security organization every day.
Having their recognition that StackHawk is addressing Application Security (AppSec) differently is such an honor.
It’s awesome that StackHawk won the Application Security award. What about StackHawk’s platform stood out from other applicants?
I think it was probably our awesome bird logo that really dazzled the judges #kaakaww?
Beyond that, I like to think the major standout for StackHawk is how we think about Application Security. As a company we have a different perspective on how AppSec tools should be used and where they should live.
So many tools out there today – and I’ve used and bought a bunch of them – are built for the security team. While there is still the need for security personnel to have tooling like this, having one team as the first and last line of defense for keeping applications secure doesn’t work with how code is developed today. The security teams can’t scale fast enough. Humans will always be the bottleneck in an otherwise automated delivery process.
Empowering development teams to be able to understand security risks associated with the code they are writing and letting them make decisions is key to driving engagement in AppSec.
Teams that are embedding this approach into their CI/CD pipelines today are ultimately delivering higher quality code faster. AppSec as an afterthought just isn’t cutting it anymore.
How does StackHawk add value to existing capabilities in a typical security ecosystem?
Almost every organization today knows they should be doing something about Application Security. If you have existing tooling or perhaps a team that is responsible, StackHawk can help strengthen those efforts by integrating AppSec into the development process. Being able to test running applications while you write them and have those same tests as part of the CI/CD pipeline gives developers confidence that the code they are shipping is secure.
If you don’t have an AppSec program, we are trying to lower that security poverty line. StackHawk has built a tool that lets you know what risks you are taking (perhaps intentionally), and how those risks might affect your tech debt going forward. For too many teams today, security risk is a bucket of unknowns that at some point overflows and detracts from the product development roadmap.
What lies ahead?
We are constantly prioritizing our roadmap based on customer feedback. That being said, there are a couple of areas where we are always investing.
- Assessment: We are continuing to improve both the speed and accuracy of the StackHawk scanner so that the platform fits seamlessly into the developer workflow. Some specifics include surfacing scanner “checks” and time to complete, allowing users to disable checks in the scanner, and creating technology-stack-specific scanner profiles.
- Better Fix Information: In October we released huge improvements to our documentation site, HawkDocs. We are continuing to improve fix documentation for developers once a security bug is found and are working to provide documentation specific to the language or framework of the scanned application.
- Scan from Platform: To start a scan today, users run a Docker command in their terminal. In the future we want to make this even easier by giving users the power to kick off a scan from the StackHawk platform in the UI.
- Developer Workflow Integrations: Building integrations so that StackHawk ties in with the developer workflow will always be important to us. Our roadmap includes additional integrations in categories such as CI/CD, notifications (Microsoft Teams, PagerDuty, etc.), and ticketing (PivotalTracker, GitHub Issues, etc.).