Today, I am incredibly proud to announce StackHawk’s launch into general availability. Over the past 14 months, our team has worked tirelessly to bring the world a better application security product. I could not be more proud of the product that we are putting into the world and I am excited for more customers to test it out.
My co-founders and I decided to build StackHawk because of the gaping hole in developer-centric application security tooling. Application security is only becoming increasingly important, but the majority of the tools out there cannot keep up with the pace of modern software development. StackHawk is different. We make it easy for developers to find and fix application security bugs (truly!), and with pipeline automation, you can ensure that you catch security bugs before they hit production.
StackHawk Today
While we have lots of features we are excited to build, as we launch into GA, StackHawk is a fully fledged dynamic application security testing tool. As someone who has spent her career building software for DevOps teams, one of my happiest moments was when one of our early access customers told us that we needed to take the Beta tag off of our web app because of the maturity and polish that already existed.
If you aren’t familiar with StackHawk, here is a quick rundown of the product:
Best in Class Scanner (…and Commitment to Open Source)
StackHawk is built on top of the open source ZAP project, the world’s most widely used dynamic application security testing tool. With ZAP as our scanning engine, we inherit an incredible open source community that is dedicated to better security testing. Our goal: ensure that automated security testing was accessible throughout engineering organizations.
In addition to leveraging the scanning capabilities of ZAP, we are committed to growing the open source community. We recently hired Simon Bennetts, founder of the ZAP project, onto the team. He will continue to work on the open source project and we are excited about the opportunity to contribute back in many ways.
Modern Technologies and Applications
Application security tooling is largely stuck in a previous decade, with the exception of some modern SCA solutions. The majority of tools out there assume scans of production environments and infrequent deploys. Software engineering has made incredible advances, but application security has not kept up.
Software today is built with a microservices architecture, is deployed frequently with CI/CD, and leverages new technologies such as GraphQL and single page applications. StackHawk is built for the modern software teams leveraging the latest technologies, and can support legacy technologies as well.
Built for Developers – Enabling the Shift Left
Everyone agrees that application security needs to shift left. Most security vendors put “built for DevOps” on their trade show booths and called it good.
We built a product for developers.
We manage config as code via yaml. Our scanner runs anywhere with a single Docker command. Our user experience focus starts at the command line. The proof is in the product and we love watching engineering teams take ownership of their own application security.
Integrated with Engineering Stack
The rise of best-in-breed developer tooling has created significant efficiencies for software engineers, but it also has introduced increased complexity. You should continue to live in your core engineering tooling and it is our responsibility to integrate well with those tools. When you do have findings that you need to deal with, we’ll ensure you have the best experience possible.
We have invested heavily in our current integrations, not only with all major CICD systems, but also workflow tools like Slack and JIRA, and we will continue to do so moving forward.
Where We Are Headed
We are not only excited about what we are officially releasing into the world today, but we are also excited about what is ahead. We have had tons of great feedback from our beta customers that is informing our roadmap, and we have some fun feature ideas up our sleeve as well.
While we aren’t publishing our roadmap, you’ll see a strong theme of developer love and integration with other dev tools. We want to make it as simple as possible for developers to find and fix their security bugs before they hit production and get back to building features.
For the enterprise, you’ll see features that help your security team scale by empowering developers, and building a bridge between the security team and engineering org. Key product principles around transparency, observability and collaboration will support this evolution in your organization.
Thank Yous
Finally, I’d like to say a few quick thank yous. First, a *huge* thank you to our team here at StackHawk. I can truly say that I’ve never worked with a stronger (and funnier) group. I’m constantly amazed at the quality of your work and the speed with which you deliver. And best of all, we have a lot of fun working together!
I’d also like to thank our investors (Foundry Group, Costanoa Ventures, Flybridge Capital, and Matchstick Ventures) and advisors. Your regular counsel, suggestions, and assistance are invaluable to us and we are deeply appreciative.
And saving the best for last, thank you to our early access customers. For those of you who jumped on board to test a beta product, we are so grateful for your valuable feedback that you have given all along the way. Thank you! We’re excited to continue serving you as StackHawk customers!
