Breathe Life Deploys StackHawk and Snyk for a

Dev-Centric Application Security Program

BACKGROUND

“In the insurance industry, we're dealing with very sensitive data,” said François Allard, Breathe Life’s Director of Engineering for Platform Teams, “We're subject to very strict regulations and laws because we handle PII and PHI like Quebec's Bill 64, the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA), for example... We know that in order to scale, we need to put security up front in our process.”

Allard went searching for developer-centric security tooling that would make it simple to scale application security across the entire engineering organization at Breathe Life.

“We’re not trying to come up with a new way of working, we're pulling on industry best practices. We can see the value it provides by knowing upfront that our product is secure. Waiting until production becomes a lot more costly and also introduces the potential for a breach."

To execute upon this vision, Allard began searching for developer-centric security tools that could be integrated into the development process. Of equal importance was a model of security that allowed for individual developers to take ownership of the code they were creating.

The StackHawk scan with the Open API showed us that the real application was being tested and it’s not just checking the box to meet some compliance requirement that we have.

THE PROBLEM

Highly regulated organization with a need to prioritize finding and fixing security vulnerabilities early in the development lifecycle.

THE SOLUTION

Dev-centric approach to security testing with Snyk and StackHawk giving individual developers the ability to take ownership of the code they were creating.

THE RESULTS

Security as a shared responsibility across the organization with best in class solutions to easily manage findings while eliminating noise was key to scaling the team’s application security program.

CHOOSING A SOLUTION

Allard knew there was no silver bullet to solve all of the needs he had for application security. Instead, he sought to find best-in-class tools that would make his vision for a scaled application security program possible.

He first discovered Snyk, and later StackHawk, and recognized that the two had a “similar dev-centric approach.” As a result, he chose to build a program with these two partners.

While Snyk’s SCA tool helped Breathe Life secure the open source libraries they used, Allard was also looking for a Dynamic Application Security Testing (DAST) tool, to ensure that Breathe Life’s proprietary code was also protected.

His team was building a Single Page App that relied on Javascript and backing APIs. Existing tools in the market were falling short of what Allard knew he needed.

EXPERIENCE WITH STACKHAWK

“One of StackHawk’s key differentiators was the ability to leverage the Open API spec in order to better scan the application. The typical Ajax spider from other products are pretty limited in what they could find… there was no real part of our application that was tested,” said Allard, “The StackHawk scan with the Open API showed us that the real application was being tested and it's not just checking the box to meet some compliance requirement that we have.”

But it wasn’t just the findings that impressed Allard. It was also what his team could do with them.

“Managing findings is another thing we like with StackHawk. Being able to easily manage those, and not adding noise to scans when you have the same thing over and over is super helpful,” said Allard.

Allard is early in the journey of deploying Snyk and StackHawk, but is already reaping the benefits of having greater confidence in the code that is shipped.

As we grow, we'll have more and more ways to automate...We are putting the building blocks in place so developers can take on these types of responsibilities.