Hello and welcome to PM Corner! I’m Lindsy Farina, Senior Product Manager here at StackHawk! Today I will be sharing a little about the themes we saw at this year’s RSA conference in sunny San Francisco!
Let’s start with the biggest theme: Shift left
Like many great buzz phrases that came before it, digital transformation being the most recent, the concept sounds great, but the execution feels nebulous. We all know it’s coming, we all know we have to do it, but being the first to take the step into the abyss is hard. I definitely got a sense that people are on the cusp of making moves: some are still shifting to the center, while others are still peeking from behind the curtain to see how it goes.
At StackHawk, we realized early that the key to a successful shift was teamwork. The organization as a whole needs to get on board with the concept and create, dare I say it, synergy with security and engineering teams. Ultimately, it should be less scary to take that first step if you have a support system to join you!
And no one is going to shift left with scans that take hours, no matter how enthusiastic they are about the buzz. It simply doesn’t make sense. It was fun to watch how excited RSA booth visitors were to see us demo a full scan in real time, kicked off directly from the IDE, that completed before we could finish our spiel about DAST!
DAST & SAST: The dynamic (and static) duo
Just like it takes a village to shift left, it also takes a winning tool stack to complete the loop. SAST and DAST are the Martha Stewart and Snoop Dogg power team that helps you quickly identify your most critical vulnerabilities, cutting down the noise and prioritizing what truly matters. While many users started in the SAST/SCA world, things are evolving, and it’s clear from our conversations at RSA that DAST is top of mind. Being able to hit your application at runtime to see if those code-level vulnerabilities are truly exploitable is the hot ticket. Surfacing vulnerabilities early in the development phase with DAST, coupled with code analysis from our friends at Snyk? I’ll cheers to that!
Coverage, discovery, and accuracy, oh my!
But do you support…? The answer was YES! Consumers are looking for API coverage and we have it. With support for REST, SOAP, GraphQL, and even gRPC, StackHawk has you covered. Booth visitors also asked about taking advantage of the work they’d already put in to build Swagger docs, Selenium test suites, Postman collections, etc. StackHawk’s extensive custom scan discovery options have you covered there too. Not only does this improve the accuracy of your results, but it also shortens scan times, getting you even closer to the left!
The Wrap Up
While the glowing StackHawk logo and our cool t-shirts may have brought people into our booth, what kept them there was our live demo. Many asked us “What does StackHawk do?” thinking that was necessary to get our cool shirt, but then quickly realized that they truly were interested and wanted to learn more. Per my colleagues, the booth visitors this year had clearly done their homework about DAST and StackHawk, and were more prepared with questions on the themes above compared to the 2022 RSA attendees. Many prospects are still in early phases of sorting out their tool stack, their compliance needs, and their course of action to get to building and deploying secure software. But it is clear that they are ready to take the steps toward shifting left, and see the value in what StackHawk has to offer. We are here for it!
[Lindsy Farina is a Sr. Product Manager at StackHawk]