StackHawk is a developer-first dynamic application security testing tool, making it the perfect tool for DataRobot.
A few things in particular made StackHawk rise above the rest when it came time for a tooling decision.
Coverage for Modern Apps
Before DataRobot found StackHawk, they didn’t have a way to reliably test APIs for vulnerabilities.
“We had a whole area or attack surface that wasn't getting scanned at all. And so my goal was to find a tool that could fill that gap,” said Montgomery.
StackHawk has market-leading features when it comes to API security testing. When configuring StackHawk, users can pull pretuned default configurations for the API technology being tested (like REST or SOAP).
Another config option ensures that the scanner formats requests appropriately. For example, if you are scanning a REST API, the scanner will only send JSON requests.
Together these configs give users faster, more accurate scans of APIs.
But, DataRobot wanted to go one step further. Not only was the team looking to scan APIs, they wanted to ensure that scans would not impact development velocity.
“For developers only working on a feature that covers one API endpoint, the scan should be done in a second or two,” said Montgomery. “We want to make sure we scan the methods they changed, but we don't want to scan the entire surface.”
StackHawk provides users with fine-grained control when it comes to API scanning. Users can define their API endpoints by seeding the scanner with their OpenAPI spec. From there, users are able to adjust the scan’s scope of testing with the `includePaths` and `excludePaths` definitions.
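The scoping idea above, as an added example (not DataRobot's or StackHawk's own code): this Python snippet diffs two versions of an OpenAPI document, finds the paths whose operations were added or modified, and turns them into `includePaths` patterns so a per-feature scan covers only what changed. The two specs are constructed samples, and the assumption that `includePaths` entries are regular expressions over the request path should be checked against your scanner configuration reference.

```python
import re

# Constructed "before" and "after" OpenAPI documents (sample data, not a real API).
OLD_SPEC = {
    "paths": {
        "/v2/projects": {"get": {"summary": "List projects"}},
        "/v2/projects/{id}": {
            "get": {"summary": "Get project"},
            "delete": {"summary": "Delete project"},
        },
        "/v2/models": {"get": {"summary": "List models"}},
    }
}
NEW_SPEC = {
    "paths": {
        "/v2/projects": {"get": {"summary": "List projects"}},
        "/v2/projects/{id}": {
            "get": {"summary": "Get project"},
            # DELETE gained a new query parameter, so it counts as changed.
            "delete": {"summary": "Delete project",
                       "parameters": [{"name": "force", "in": "query"}]},
        },
        "/v2/models": {"get": {"summary": "List models"}},
        # Brand-new operation on a brand-new path.
        "/v2/models/{id}/deploy": {"post": {"summary": "Deploy model"}},
    }
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}


def changed_operations(old, new):
    """Return {path: [METHOD, ...]} for operations added or modified in `new`."""
    changed = {}
    for path, item in new.get("paths", {}).items():
        old_item = old.get("paths", {}).get(path, {})
        methods = [m.upper() for m in item
                   if m in HTTP_METHODS and item[m] != old_item.get(m)]
        if methods:
            changed[path] = sorted(methods)
    return changed


def path_to_regex(path):
    """Turn an OpenAPI path template into a regex: /{id} becomes /[^/]+ (assumed pattern style)."""
    return "^" + re.sub(r"\{[^/]+\}", "[^/]+", path) + "$"


def scan_scope(changed):
    """Build the includePaths list restricting the scan to the changed paths only."""
    return {"includePaths": [path_to_regex(p) for p in sorted(changed)]}
```

Unchanged paths such as `/v2/projects` stay out of the scope, which is what keeps the per-feature scan short.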
Optimized for Automation in CI/CD
DataRobot was searching for a security tool that could fit seamlessly into the development workflow.
“I hadn’t seen a lot of tools that were quick, and that you could put in your pipeline, as well as on the local machine,” said Montgomery.
StackHawk was built to give teams the power to scan anywhere. The scanner is deployed as a Docker container which means it can be run on a laptop, in CI/CD, or any other environment the team could think of.
Users manage configuration through a dev-friendly YAML, giving both scalability and version control. While the StackHawk scanner runs on a local machine or build server, the scan results stream back to the StackHawk web application.
“What’s nice about [StackHawk] is that it runs in a container, so I don't need to set up anything other than Docker,” said Montgomery. “It runs on the developer laptops, and then we can also quickly run it in CI pipelines.”
StackHawk offers comprehensive CI/CD integrations and webhooks which make deployment in a pipeline a breeze, no matter what provider your team uses.
User Experience Built for Developers
DataRobot’s vision was for the security team to take on a consultative role for triaging and fixing. Doing so required a tool that would help the development team understand security vulnerabilities, and help them remediate on the fly.
“We need to provide tooling and automation that gives developers the ability to self-serve. And then when they get stuck, or when they are designing something new and it’s really early in the development cycle, we can focus on the more complex things – like architecture,” said Montgomery.
StackHawk’s platform is built to give actionable insights to developers. The dev-friendly UI surfaces new findings, while also providing important details for each vulnerability – like what was found and important request/response information that can be recreated with a cURL command.
“In the UI for StackHawk, there is really good info on remediation, and it was easy to mark false positives and things like that,” said Montgomery.
StackHawk’s integrations make it simple to slot the tool into existing development processes. From workflow integrations with Slack, MS Teams, and Datadog to ticketing with Jira, StackHawk can meet development teams wherever they are currently working.