DAST Tool Teardown: Rapid7 vs. StackHawk

Ryan Severns | June 30, 2021

As you are evaluating alternatives for dynamic application security testing tools, you'll likely come across both Rapid7 and StackHawk. While these are both DAST tools, they have significant underlying differences that serve different types of teams. Check out the comparison below to learn more. 👇

Rapid7 has been a long-standing player in the application security space. The InsightAppSec tool is their dynamic application security testing (DAST) product. StackHawk is a newer player in the space, with a DAST product reimagined for today’s DevSecOps world. How do these two tools compare? Which is the right one for you? Read on to learn more.

→ Searching for the right DAST tool? Read our Dynamic Application Security Testing Overview and Tooling Guide to learn what to look for as you evaluate products.

Key Takeaways

  • StackHawk enables security and engineering teams to shift dynamic application security testing left, identifying new vulnerabilities earlier in the software development lifecycle.

  • StackHawk provides best-in-class API Security Testing across REST, GraphQL, and SOAP APIs. Testing of microservices and API-backed applications will be more thorough and performant with StackHawk.

  • Rapid7 is the best choice for traditional security teams that prefer to review new findings and create tickets themselves rather than taking a developer-first approach.

Rapid7 or StackHawk: Which Product is Right for You?

There is no clear-cut best choice when it comes to DAST tools. Which product is best depends primarily on the company doing the evaluation rather than on one tool being a clear winner over the others.

StackHawk is typically the best fit for cloud native companies or companies that are committed to digital transformation. StackHawk’s product takes a revolutionary approach to dynamic application security testing, testing the underlying APIs and services early in CI/CD and enabling developers to triage new vulnerabilities themselves. This workflow makes a lot of sense for companies that have invested in DevOps automation, deploy code frequently, and are already using other forms of automated testing. For these companies, a fast time to identify and act on vulnerabilities is directly aligned with increased speed of feature delivery. Scans of production scheduled days or weeks after a deploy (or even scans of the staging site) simply slow the team down too much.

The StackHawk approach is not right for every company, however. Successfully shifting application security testing left requires the right infrastructure for automated testing, cultural alignment between security and engineering, and frequent enough deployments to get the value from a tool like StackHawk. For companies that are not invested in digital transformation or have industry requirements such as on-premise testing, Rapid7 is a much better choice. Similarly, teams that do not have cultural alignment between security and engineering would not find success with a tool like StackHawk. Rapid7 is an excellent vulnerability scanner that enables security teams to periodically run scans against their production application, identifying any vulnerabilities. For this use case, it is an excellent tool.

Product Differences

Hosted vs. Containerized Scanner

One of the key differences between StackHawk and Rapid7 is the way the tools run a scan. Rapid7 offers a hosted scanner, meaning that a click within their web application deploys a scan that runs on their infrastructure. Scans can also be deployed by sending an API call. Rapid7 also offers the product in an on-premise version for companies that are not ready to move to the cloud. 

StackHawk, on the other hand, packages its scanner in a Docker container, which means that it can be run anywhere. It can be run on a developer’s local machine, as a step in the CI/CD pipeline, or as a scheduled scan running on the server. While scans are deployed on a customer’s infrastructure (the build server, for example), StackHawk is still a cloud-based SaaS offering, with the scanner sending all results back to the platform.

With the Docker-based scanner, StackHawk is able to scan applications, services, and APIs that are not publicly available. This makes it easy to test earlier in the development lifecycle and enables developers to retest findings locally. Some developers will also configure a pre-commit hook to run a scan, ensuring they have not introduced any vulnerabilities before they push. Additionally, with this deployment model, scans are significantly faster, as they do not have to traverse the internet or deal with network security concerns.

Not everyone prefers this approach to running a scan. While StackHawk is easy to configure and configuration is maintained through code, some teams prefer to be able to simply point a scanner at an endpoint through a UI configuration and deploy a scan. If your team prefers to run scans of the production application and is comfortable with slow scan times, Rapid7 may be a simpler choice for deploying the scan.

Developer Experience

Rapid7 is a tool built for security professionals. Its features assume scans are run and reviewed by a security team. The typical workflow is that once a scan returns results, the security team reviews the findings and sends the prioritized vulnerabilities to engineering for fixing through a ticketing system such as Jira. Rapid7’s Jira integration makes this easy for security teams.

StackHawk, on the other hand, is built for developer-centric application security testing. The typical workflow with StackHawk starts with a developer being alerted if they have introduced a new potential vulnerability. These alerts can come in different forms, such as a broken build, a pre-commit hook failure, or a Slack message. The developer who just made the commit or opened the pull request is then the first to review the findings within the StackHawk platform. With clear descriptions of the findings, fix documentation, request / response details from the finding, and a button to recreate the same request via a cURL command, developers are enabled to make triage decisions. They can either fix the vulnerability at that time, send it to Jira to be prioritized with future work, or accept the risk if it does not need to be fixed. The scanner then respects state on future scans, no longer alerting a developer or breaking a build if the finding has been prioritized in Jira or has accepted risk.

As mentioned before, the biggest factor in determining the right tool for a team is the internal culture that the security and engineering teams are looking to achieve. Highly collaborative security and engineering teams tend to enable developers to own security decisions. In these organizations, security acts as a strategic advisor and leverages tooling to ensure that it is an appropriate backstop for risk. StackHawk is a great tool for these teams. If your security and engineering teams do not have this alignment, Rapid7 is the clear choice.

API Security Testing

Modern applications are built around APIs and the security risks of applications have also increasingly been shifting to the backing APIs. When selecting a dynamic application security testing tool, companies that leverage APIs to back their applications must select a tool that is built for API security testing.

StackHawk offers best-in-class API security testing for REST, GraphQL, and SOAP APIs. Configuration is simple, leveraging existing API documentation such as the OpenAPI specification or the GraphQL introspection endpoint. If your team does not have a documented API, StackHawk’s documentation points to how to generate an OpenAPI spec based on the language your codebase is written in. With this configuration in place, StackHawk’s scanner runs active tests against the API endpoints, surfacing any potential vulnerabilities. 

StackHawk has market-leading features for performant and accurate testing, such as optimized test payloads to reduce false positives and data-driven nodes to avoid long-running scans by not testing every variant of the same underlying endpoint. Additionally, the way StackHawk is deployed enables teams to scan each service separately from the front end, resulting in faster scan times and findings that are aligned with particular delivery teams.

Rapid7 is clearly built for a different era of web applications. The scan is configured by providing a list of URLs for the scanner to target. While the documentation states that the scanner supports Swagger Documents, it also states that configuration requires recorded traffic between the client and the REST API in order for the scanner to understand the methods and inputs of the API. Simply put, the Rapid7 API scanning functionality is a thin add-on to the InsightAppSec product.

If your team is interested in testing your APIs for security vulnerabilities, StackHawk is the clear choice.

Which Tool is Right for You?

Hopefully this article has helped provide some clarity about the differences between Rapid7 and StackHawk. Ultimately, the right tool depends on your team’s needs around application security testing. If periodic scans of the production application are sufficient for your team and API security is not a priority, then Rapid7’s online configuration and scan deployment likely make it a better choice. If you are looking to automate testing in CI/CD, scale application security across the development organization, and test APIs, then StackHawk is the right choice for you.

If you are interested in learning more about StackHawk, you can always reach out to our team, or sign up for a free account to test it yourself. Go ahead and give it a whirl!
