March Newsletter: API Scanning
Updates, Security Testing
for Developers, and more

The Changelog: New Features to Kaakaww About

Scanning your APIs for security vulnerabilities is critical. This month, we introduced new scanning capabilities to give you faster, more accurate scans no matter what type of API you are working with.

• Optimized Scanning Policies. Run the scans that are meaningful to your specific API. A new `autoPolicy` flag in the stackhawk.yml will pull a pretuned default policy from the StackHawk platform based on the configured API technology (REST, GraphQL, or SOAP). 

• Smart Input Vectors. Each API technology requires different inputs and input types to efficiently find vulnerabilities. The new `autoInputVector` will populate the right inputs for your API so you can run faster, more accurate scans. Like magic!

• REST Parameter Aware Scanning. Don’t waste time scanning nearly identical paths with different parameter values. The scanner now recognizes REST API parameters to limit redundant tests in your scan. Now you just have to figure out what to do with all that extra time.

• SOAP Support. The StackHawk scanner can now find vulnerabilities in SOAP APIs.

Security Testing for Developers

Using security tools in CI/CD comes with huge upside – vulnerabilities can be found on every merge and they can be fixed on the spot. No more waiting months for an audit and wading through ancient code to try to patch. 

But, implementing security testing in the build pipeline requires developer-friendly tools. And not every security tool on the market checks the right boxes. 

We put together a couple resources to help you know what to look for when it comes to dev-centric security tooling.  

• Dynamic Application Security Testing (DAST): Overview & Tooling Guide

• [Video] SCA + DAST in Action with Snyk and StackHawk

• Dev-Centric Application Security Tooling

Catch-Up on ZAPCon 2021

Earlier this month, we helped put together the first-ever ZAPCon. 

The event featured awesome content covering ZAP Project Updates, technical deep dives, and user stories. If you weren’t able to tune in or you want to re-watch your favorite sessions, you can catch all of ZAPCon now on YouTube. 

ZAPCon Bonus Content

This week we introduced a recurring ZAP content series called ZAPCon After Hours. You can watch the first After Hours session on YouTube as well. 

To keep in the loop on all things After Hours, make sure to register for updates by clicking below. 

Stay Up to Date

Other Happenings: Because We Have to Keep Corporate Busy Somehow

📺 HawkTalks

• [Full Event Playlist] ZAPCon

• ZAPCon After Hours #1

• HawkTalks Quick Hit: Scanning GraphQL

• ZAP Deep Dive: Setting Up a ZAP Dev Environment

📖 Reading Material

• ZAPCon 2021: ZAP Automation at Scale

• ZAP vs. StackHawk: Dynamic Application Security Testing Tool Comparison

• Django SQL Injection Guide

• [From the Archive] StackHawk GitHub Action

💻 Webinars

• April 8: Dev-Centric Security in CI/CD with StackHawk and FOSSA

• April 12: Automate AppSec in CI/CD with SCA & DAST

📽 Virtual Events

• April 8: DevOps Days Raleigh

• April 14-16: React Summit

• April 20: ZAPCon After Hours: ZAP Automation with Jenkins

• May 4-7: KubeCon EU

• May 19: DevOps Connect: DevSecOps at RSAC 2021

💼 Jobs @ StackHawk

• Account Executive [Inside Sales]

• Community Manager

• Customer Success Engineer

• DAST Scanner Engineer

• Marketing Coordinator

❤️ Give Us Some Love

Share the goodness of developer-centric application security. We are always grateful for recommendations and referrals! We’d love for you to share StackHawk with your friends and colleagues. Thank you for your support!