One Medical is a technology-enabled healthcare solution based out of San Francisco. One Medical provides a reimagined version of primary care, with features such as provider video chat and in-app communications, an application for patients to see their medical records, notifications about preventative care, and more. The company currently operates in 13 locations across the United States, with additional locations slated to be launched soon.
One Medical set out to improve their dynamic application security testing (DAST) solution. The team had a legacy DAST solution in place, but they were unhappy with the quality of its findings and the manual processes it required.
Ultimately, the One Medical team selected StackHawk as their dynamic application security testing solution. With StackHawk, the One Medical team will be able to scale application security through the engineering team, equipping developers with automated security testing and self-service remediation. The security team alone will save the 3 to 5 hours per finding it previously spent manually reviewing whether each finding was a false positive, with even greater efficiencies to be realized as engineers fix vulnerabilities while still in the context of the code they are writing.
Read on to learn more about One Medical’s selection of a DAST tool.
DAST Tooling Criteria
As the application security team started evaluating DAST solutions, they first looked at the Gartner Magic Quadrant, selecting 12 vendors that they would evaluate. As a newer solution to the market, StackHawk was added to the list as a wildcard. Then, the team built the evaluation criteria, which included a list of the ideal features they would like to see in the tool. The criteria included functionality such as:
Simplified Configuration: Whether onboarding users with SSO, adding new services/applications for testing, or setting up programmatic testing, the configuration of the tool must be simple and straightforward.
Integrations: Tying in with the rest of the tooling stack of both the engineering and security teams is important for tool adoption and efficacy. Integrating application security data and processes into tools like Jira and Slack ensures that vulnerabilities are seen and quickly remediated.
Scanning Coverage: For modern applications, security scanning tools must be able to test for both browser- and API-based vulnerabilities. The tool must support both REST APIs (via OpenAPI specification) and GraphQL APIs.
Scan Findings: Findings must be reproducible, with clear request and response payloads. Additionally, users should only be alerted on newly added issues, not pre-existing issues that have already been acknowledged or addressed.
Audit and Usage: As the security team equips engineers for self-service fixes of AppSec findings, it is also important to have clear logging of actions that were taken.
Why One Medical Selected StackHawk
“If you strip away all of the evaluation criteria, what you care about most is that the tool will help reduce vulnerabilities for your organization,” says One Medical application security engineer, Ariel Shin. Shin led the AppSec team in the evaluation of DAST tools. At the end of the day, the team selected StackHawk as the DAST platform of choice for a few key reasons: scan coverage for modern applications, features that enable developer self-service, and automation and integration capabilities.
Scan Coverage for Modern Applications
Most traditional DAST scanners are limited in the types of applications they can scan. It is generally understood that the legacy tools on the market have not kept up with modern application development.
One Medical needed a tool that could run API and application security tests across the browser, REST APIs, and GraphQL. When evaluating StackHawk, it was clear that the tool stood apart when it came to modern applications, especially API scanning. Not only is it the only tool on the market that does true GraphQL security testing, but its features for testing REST APIs set it apart in both speed and quality.
Features that Enable Developer Self-Service
The security team at One Medical knows that the best way to deliver secure applications at scale is by enabling the engineering team for self-service security testing and remediation.
“We wanted a tool that offers the capability for developers to get involved in application security so they can triage issues themselves. StackHawk was the only one that met this criterion.”
With StackHawk, application security testing is automated in the DevOps pipeline, alerting the developer if they have introduced a new vulnerability. The developers are then equipped with all of the relevant information to debug, including the exact request sent to the application and response received. There is also a cURL command generator that allows engineers to recreate the exact same request that triggered the vulnerability finding.
From here, developers are empowered to make their own triage decisions. They can either fix the vulnerability (which is easier while still in the context of the code they were just working on), add the vulnerability to the backlog in Jira for future prioritization, or document why the finding does not require a fix.
Automation and Integrations
The evaluating team knows that for application security to scale, it must be automated and tied in with existing engineering workflow tools. StackHawk makes this simple on both fronts.
“The process of scanning the application and integrating with CircleCI was super easy,” says Shin. With StackHawk’s CircleCI Orb, teams can quickly add an application security test to the build pipeline, ensuring visibility into any newly added vulnerabilities before the application reaches production.
In addition to that, StackHawk integrates with Jira and Slack. When a non-urgent finding is surfaced, it can be sent to Jira to be prioritized among other engineering work. Further, scan findings are visible in Slack, ensuring that both the teams working on an application and the security team have a real-time pulse on any security issues.
Shifting to Developer Centric Security
With the previous DAST tool used by One Medical, the security team had 3 engineers who each spent roughly 3-5 hours per finding processing and reporting the results. Results did not include the information needed to replicate a finding, so the security team would have to create tickets in Jira and then work with engineers to determine whether each finding was real.
With automated security testing in CI/CD, there are tremendous efficiency gains for both the security and the engineering teams. Security engineers are no longer required to manually review findings, and engineers are not pulled away from their core work to determine if a scan finding is a true vulnerability. Instead, the developer working on the code is alerted at code commit or at the pull request if they have introduced a new vulnerability.
“Within the entire process, it should be easy for a developer to say ‘I wrote this code and I’m ready to deploy’, and then find out if they have introduced a vulnerability.” – Ariel Shin
The efficiencies don’t stop there. If a developer has introduced a vulnerability, they are still in the mental context of the code they were working on. This has long been documented as leading to significant time savings in software engineering. And if the finding is not something that will be fixed (a false positive or accepted risk), the scanner will remember that state and will not alert again.
All of this empowers developers to confidently push code to production, knowing that they are not introducing any security risk.
Application security is not an initiative of the security team alone. The engineering team at One Medical is excited about owning security testing and having it automated within the build process. This sort of testing is already in the ballpark of what they work on, with similarities to integration testing. The developers who worked on instrumenting StackHawk found the platform to be simple to get up and running, citing StackHawk’s documentation as helpful. And when it comes to using the tool for findings, it has been described as “easy and painless.”
Not only will engineering processes be more efficient and secure, but these changes have enabled the application security team to expand their focus. The team has a custom-built security automation platform that they will be able to devote more time to, and they also plan to spend more time improving internal training.
Preventative Security Care
One Medical is driving an important shift in the healthcare industry by giving patients better preventative primary care. Good preventative medicine and regular checkups from a primary care doctor ensure better long-term health and allow practitioners to catch, and address, potential medical concerns early.
With application security testing, the same principles apply. Shin and the application security team at One Medical have changed the organization’s vision of how security is viewed. By shifting security left, the team informs developers early on when there may be issues, ultimately leading to faster fixes and more secure application delivery. As with preventative care, issues don’t become problems later on if they are identified and addressed early.