Application Security Tool
Overview: Netsparker vs.
StackHawk

ryan-severns

Ryan Severns|June 30, 2021

While StackHawk and Netsparker are both dynamic application security testing (DAST) tools, they are fundamentally different. Check out how automation and the developer experience make these two tools different.

Picking the right application security testing tool can be a confusing and difficult process. Engineers and security professionals typically want to cut through the marketing jargon and understand the fundamental differences between the products, but that isn’t always easy.

Here at StackHawk, we are incredibly proud of what we’ve built. But we also know that it isn’t for everyone.

Below is a guide to the key differences between Netsparker and StackHawk to help you determine which tool is right for you.

tl;dr

The choice is actually pretty simple… 

  • If you are interested in automating application security testing in CI/CD and enabling developers to triage and fix security issues, then StackHawk is the choice for you. 

  • If you prefer to periodically test the production application and manage security findings within the security team, then Netsparker is right for you.

...now onto the details.

Key Difference #1: AppSec Automation 🤖

Netsparker was founded in a different era of software development. It was 2009, days before John Allspaw gave his famous talk on deploying 10+ times per day.

Allspaw and the team at Flickr were on the leading edge of the DevOps revolution, but this was still far from commonplace. Fast forward to today and most all software teams are focused on frequent deploys of small change sets. CI/CD has become a commonly accepted best practice and is pursued by companies of all sizes.

The application security testing tools created a decade ago simply were not built for today’s environment of frequent deploys.

These tools are built to scan publicly available production sites, which inherently means that the first view from a dynamic application security test is after a deploy. It is commonly known that there are significant efficiency gains when a bug is found early in the development lifecycle, while the developer still has the context of the code they just worked on. Security bugs are no different.

StackHawk stands in direct contrast to Netsparker’s approach of scanning the publicly available production site. StackHawk is purpose-built for automation in CI/CD. The scanner is containerized and easy to run from the command line and to automate in CI/CD, helping engineers identify vulnerabilities early in CI or even on pre-commit hooks. Scans run against the underlying services and APIs, which means that they are lightning fast and surface vulnerabilities only to the relevant team.

If you are interested in DevSecOps and automating security in CI/CD, then StackHawk is the only tool out there for you. If you are okay with scans against production, then Netsparker is often an industry favorite.

Key Difference #2: Developer Experience 🧑‍💻

StackHawk and Netsparker have vastly different workflows associated with the tools (which is directly connected to the AppSec Automation capabilities above). StackHawk assumes that developers are the first to review a vulnerability, owning initial triage and fix. When a developer introduces a new potential vulnerability, she is alerted by a StackHawk scan and given the context to triage the issue (including a cURL command to recreate the issue for debugging). Developers own the initial triage decision, with security teams reviewing the actions that developers have taken to manage risk. With this workflow, the person triaging and fixing the issue is the same person who introduced it to the codebase (read: massive efficiencies!).

Inherent to Netsparker’s tool is a different workflow. After a deploy, a scheduled Netsparker scan will test the production application for any vulnerabilities. Findings are then reviewed by the security team and initial triage decisions are made. Vulnerabilities are then promoted to Jira tickets for prioritization among other engineering work. This typically results in vulnerabilities being public facing for weeks until they are worked into an upcoming sprint or an urgent disruption of other engineering work to fix a high severity issue.

Determining which tool is right for you is more dependent on the maturity of your security and engineering culture. High performing cross-functional teams prefer a developer-first approach, but not every team is ready to put security into the hands of developers.

Which Tool is Right for You?

Netsparker and StackHawk are both excellent DAST tools, but they work in very different ways. Ultimately the decision of which tool is right for you will depend on the goals your organization has. If you would like to learn more, you can sign up for a free account to test StackHawk or reach out to the Netsparker team for a demo.


Ryan Severns  |  June 30, 2021