Planetly Picks StackHawk Over Building Internal ZAP Service

Ryan Severns|June 14, 2021

Learn how Planetly saved weeks of work by implementing StackHawk instead of building an internal ZAP service.

Planetly is a climate tech company based in Berlin. In light of increasing complexity around carbon accounting, Planetly provides software that helps companies monitor and track their carbon emissions while also recommending potential carbon reduction strategies.

As a scaling startup with a quickly growing list of enterprise customers, Planetly knows that delivering secure applications is critical to its continued growth and customer retention. Iarly Souza, a Senior DevOps Engineer with Planetly, has led the security initiatives within the company, ultimately selecting StackHawk for dynamic application and API testing.

Application Security Testing at a Software Startup

With important customer data and publicly available applications and APIs, Planetly knows that it has to build secure application delivery from the beginning. Not only is there internal awareness around this, but the customer base also requires it. Enterprises purchasing software from Planetly have security requirements for their vendors.

Planetly’s engineering team had already been doing static analysis and container analysis. As developers commit code, it is checked with a static application security testing tool for identifiable security risk patterns in the code. Then, container images are scanned for known vulnerabilities.

This was a great foundation, but the organization wanted to improve security testing of their running applications. Without this testing, they did not have a full view of the vulnerabilities exposed in real-life scenarios from an attacker's point of view. Planetly prioritized the ability to find and fix these kinds of vulnerabilities (such as SQL injection) before software deployments. Given this and the requirements from their enterprise customers, they decided that a dynamic application and API security testing tool was the best path to address these challenges.

Build vs. Buy: ZAP-as-a-Service

When it came time to set up a dynamic application security testing tool, Iarly first turned to ZAP, the popular open source vulnerability scanner. ZAP has long been the standard for DAST scanning, trusted by enterprises and penetration testers alike.

As a fast-moving engineering team, however, Iarly knew that he would have to deliver ZAP-as-a-Service. ZAP scans would have to be available for any application in the company’s ecosystem, making it easy for anyone on the team to add automated scanning of a new service. Additionally, the scanner would have to be properly configured for each application, easy to deploy, and tied in with the team's other engineering tools.

As he began to scope and test the work involved, he recognized that building ZAP-as-a-Service would require a lot of upfront work and ongoing maintenance. That is when he found StackHawk. After spending a week testing ZAP, it took Iarly less than an hour to get StackHawk configured and running authenticated scans against his applications and APIs.

StackHawk Features on Top of ZAP

With StackHawk, the Planetly team saw several benefits for its application security testing tool:

  • Trusted ZAP Scanner: ZAP is the industry standard when it comes to web application security testing. With StackHawk, Planetly receives all the benefits of the trusted ZAP scanner without having to maintain it as an internal service.

  • Simple Configuration: With YAML-based configuration files, config is managed as code in the existing version control system. Additionally, as new services and APIs are rolled out, adding security testing to them is as simple as copying an existing config file.

  • Docker Deployment: With StackHawk’s container-based deployment of scans, automating application security testing is simple. Whether running in a CI pipeline or testing on a local machine, StackHawk makes it simple to deploy a scan.

  • Developer Fix Features: With a record of the request sent to the application and the response received, along with highlighting of the finding evidence, developers are equipped with information about what is happening. Additionally, the cURL-based recreation feature allows a developer to replay the same request to debug the issue. With these features, scaling application security testing across engineering is simple.

  • Integrations: The Planetly engineering team tracks work in Jira. If a new vulnerability is found, it should go into Jira as well so the fix can be tracked. With StackHawk’s Jira integration, findings are easily passed into Jira to create new tickets.

Deploying Secure Applications

The Planetly engineering team had quarterly OKRs around rolling out security testing for all applications. With the decision to purchase and roll out StackHawk, Planetly has application security coverage for its applications and is able to distribute testing across engineering, hitting its quarterly OKR within weeks. After testing StackHawk, Souza cited productivity gains as one of the biggest benefits. Security testing is still needed, but he no longer has to build and maintain ZAP as an internal service, which lets him ensure secure deployments while focusing his efforts on other high-value work.
