Combing security tools for faster remediation
Internet Software and Services
Breathe Life Deploys StackHawk and Snyk for a Dev-Centric Application Security Program
Breathe Life is a life insurance technology company that has built a platform making it easier for life insurance carriers to distribute products.
Processing Sensitive Data Makes Application Security Essential for Breathe Life
“In the insurance industry, we're dealing with very sensitive data,” said François Allard, Breathe Life’s Director of Engineering for Platform Teams, “We're subject to very strict regulations and laws because we handle PII and PHI like Quebec's Bill 64, the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA), for example... We know that in order to scale, we need to put security up front in our process.”
Allard went searching for developer-centric security tooling that would make it simple to scale application security across the entire engineering organization at Breathe Life.
“We’re not trying to come up with a new way of working, we're pulling on industry best practices. We can see the value it provides by knowing upfront that our product is secure. Waiting until production becomes a lot more costly and also introduces the potential for a breach."
To execute upon this vision, Allard began searching for developer-centric security tools that could be integrated into the development process. Of equal importance was a model of security that allowed for individual developers to take ownership of the code they were creating.
“We used to be kind of a typical DevSecOps team in our organization. But, we did not want to have this centralized team that deals with all things security, and DevOps, and pipeline,” Allard recalls. “We wanted security to be a shared responsibility across the organization. So we needed to provide our team with the tooling and best practices so all teams could do that.”
StackHawk + Snyk
Allard knew there was no silver bullet to solve all of the needs he had for application security. Instead, he sought to find best-in-class tools that would make his vision for a scaled application security program possible.
He first discovered Snyk, and later StackHawk, and recognized that the two had a “similar dev-centric approach.” As a result, he chose to build a program with these two partners.
Protection from Transitive Dependencies
Allard began his search for application security tooling by trying to find a Software Composition Analysis (SCA) tool that could notify developers about dependencies in open source libraries that his team was using.
Dynamic Security Testing for Single Page Apps and Backing APIs
While Snyk’s SCA tool helped Breathe Life secure the open source libraries they used, Allard was also looking for a Dynamic Application Security Testing (DAST) tool, to ensure that Breathe Life’s proprietary code was also protected.
“One of StackHawk’s key differentiators was the ability to leverage the Open API spec in order to better scan the application. The typical Ajax spider from other products are pretty limited in what they could find… there was no real part of our application that was tested,” said Allard,
“The StackHawk scan with the Open API showed us that the real application was being tested and it's not just checking the box to meet some compliance requirement that we have.”
But it wasn’t just the findings that impressed Allard. It was also what his team could do with them.
“Managing findings is another thing we like with StackHawk. Being able to easily manage those, and not adding noise to scans when you have the same thing over and over is super helpful,” said Allard.
The foundation for Developer Friendly Security Processes
Allard is early in the journey of deploying Snyk and StackHawk, but is already reaping the benefits of having greater confidence in the code that is shipped.
“We’re not a massive organization so it’s not like we had a cumbersome security process. We are putting those new things in place to help harden our platform security and shift left,” said Allard, “With these tools, I can breathe more and people on my team can breathe more. It allows us to have more confidence in what we're building and that we don’t have those obvious vulnerabilities.”
The more exciting part for Allard is the future. “As we grow, we'll have more and more ways to automate….We are putting the building blocks in place so developers can take on these types of responsibilities.”
The StackHawk scan with the Open API showed us that the real application was being tested and it's not just checking the box to meet some compliance requirement that we have.
Director of Engineering for Platform Teams | Breathe Life
Ready for More?
Read the Docs
Get up and running in less than an hour. Build the config file and then $ docker run hawkscan to find your security bugs.
Find and fix application security bugs before they hit production. Build your config and run your first scan in less than 15 minutes.
Request a Demo
If you are interested in seeing more of the StackHawk platform, schedule time with our team for a live custom demo.