Automating API security testing
Internet Software and Services
DataRobot Automates API Security Testing with StackHawk
DataRobot has created an industry-leading AI lifecycle platform. The platform is rapidly scaling, and with that growth comes a sizable engineering team and SaaS-first business practices.
DataRobot Needed a Security Tool to Automate Testing in CI/CD
“With continuous delivery, especially on SaaS platforms, we're deploying code weekly. We can’t look and review every feature. We don't have time,” said Jason Montgomery, VP of Enterprise Security. “We have a small team. The number of people on the security team compared to the number of developers in our organization makes it nearly impossible to serve everyone.”
The security team wanted to give developers the ability to run security tests against their own builds, for every type of app. With developers finding and fixing the routine issues themselves during development, the security team could take a consultative role: helping triage findings and digging into the larger ones with the developers.
Before DataRobot found StackHawk, the team was already running a Dynamic Application Security Testing (DAST) tool as part of their staging process. The scanner would run tests on a weekly basis to find vulnerabilities in DataRobot’s apps.
While the scanner found a large number of vulnerabilities, there were a few things DataRobot needed that weren’t being delivered.
“We run one tool in staging constantly, and that’s fine,” said Montgomery. “But we needed to find stuff quicker, and move earlier in the development life cycle.”
As a result, the team drew up criteria for a tool to supplement their original DAST tooling. They wanted a tool that would:
Effectively scan APIs. The team needed to protect backend APIs from vulnerabilities, not just front end applications.
Work anywhere in the CI/CD pipeline. Whether that is locally on a developer’s workstation, on a merge request, or during integration testing, security testing cannot slow down development velocity.
Deliver actionable results to developers. Developers needed to be able to understand and take action on security findings.
A Dynamic Application Security Testing Tool Built for Developers
StackHawk is a developer-first dynamic application security testing tool, making it the perfect tool for DataRobot.
A few things in particular made StackHawk rise above the rest when it came time for a tooling decision.
Coverage for Modern Apps
Before DataRobot found StackHawk, they didn’t have a way to reliably test APIs for vulnerabilities.
“We had a whole area or attack surface that wasn't getting scanned at all. And so my goal was to find a tool that could fill that gap,” said Montgomery.
StackHawk has market-leading features when it comes to API security testing. When configuring StackHawk, users can pull pretuned default configurations for the API technology being tested (such as REST or SOAP).
Another configuration option ensures that the scanner formats requests appropriately for that technology. For example, when scanning a REST API, the scanner sends only JSON request bodies rather than the HTML-form inputs a web-app scan would use.
Together, these configurations give users faster and more accurate scans of APIs, because the scanner spends its time on requests the API can actually parse.
But, DataRobot wanted to go one step further. Not only was the team looking to scan APIs, they wanted to ensure that scans would not impact development velocity.
“For developers only working on a feature that covers one API endpoint, the scan should be done in a second, or two,” said Montgomery. “We want to make sure we scan the methods they changed, but we don't want to scan the entire surface.”
StackHawk gives users fine-grained control over the scope of an API scan. Users define their API endpoints by seeding the scanner with their OpenAPI spec, so every documented route and method is known to the scanner without crawling. From there, users narrow the scan to the parts of the API that matter for a given change with the `includePaths` and `excludePaths` definitions.
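As an added illustration, not taken from the case study or from DataRobot's own configuration, here is a `stackhawk.yml` for the scenario Montgomery describes: one REST API defined by an OpenAPI spec, with the scan scoped to the endpoints a developer changed. The key names follow StackHawk's published configuration reference as I know it (`app.openApiConf`, `app.autoPolicy`, `app.autoInputVectors`, `hawk.spider.base`, `hawk.scan.includePaths`/`excludePaths`); the application ID, host, spec file name and path patterns are placeholders, and every key should be checked against the current reference before use.

```yaml
# stackhawk.yml (added example with placeholder values; not DataRobot's config)
app:
  # Application ID and environment name come from the StackHawk platform.
  applicationId: 00000000-0000-0000-0000-000000000000   # placeholder
  env: Development
  # Where the scanner reaches the running service under test.
  host: http://localhost:8080
  # Seed the scanner with the OpenAPI spec so every documented route and method
  # is exercised, instead of relying on a crawler that an API gives nothing to crawl.
  openApiConf:
    filePath: api/openapi.yaml   # path relative to the mounted working directory
  # Pull the pretuned defaults for the API technology described by the spec:
  # JSON request bodies and API-appropriate input vectors, no HTML-form checks.
  autoPolicy: true
  autoInputVectors: true
hawk:
  spider:
    # An API has no HTML to spider; the OpenAPI spec is the source of routes.
    base: false
  scan:
    # Scope the run to what this change touched. Patterns are regular expressions
    # matched against the request path, so a one-endpoint feature scans in seconds.
    includePaths:
      - /api/v1/projects/.*
    # Keep destructive or out-of-scope routes out of the scan entirely.
    excludePaths:
      - /api/v1/admin/.*
      - /api/v1/projects/.*/delete
```

The `excludePaths` list is as important as `includePaths` when the scanner is pointed at anything other than a throwaway environment: a DAST scanner sends hostile input to every method it is allowed to reach, including `DELETE`, so routes that mutate shared state should be excluded or run only against an isolated instance.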
Optimized for Automation in CI/CD
DataRobot was searching for a security tool that could fit seamlessly into the development workflow.
“I hadn’t seen a lot of tools that were quick, and that you could put in your pipeline, as well as on the local machine,” said Montgomery.
StackHawk was built to let teams scan anywhere. The scanner is shipped as a Docker container, which means it can run on a laptop, in CI/CD, or in any other environment with a container runtime, using the same configuration in each.
Users manage that configuration through a developer-friendly YAML file that lives in the repository, so it is versioned with the code and scales to many services. While the scanner itself runs on the local machine or build server, the scan results stream back to the StackHawk web application.
“What’s nice about [StackHawk], is that it runs in a container, so I don't need to set up anything other than Docker,” said Montgomery. “It runs on the developer laptops, and then we can also quickly run it in CI pipelines.”
StackHawk offers CI/CD integrations and webhooks that make deployment in a pipeline straightforward, whichever provider a team uses.
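As an added example (not DataRobot's pipeline and not StackHawk's own sample), a GitHub Actions job that runs the same container a developer would run locally, against the `stackhawk.yml` checked into the repository, on every pull request. The image name `stackhawk/hawkscan`, the `API_KEY` environment variable and the `/hawk` mount point are the defaults from StackHawk's getting-started documentation as I know them; the service start command and health endpoint are placeholders for the project's own, and the secret name is arbitrary.

```yaml
# .github/workflows/hawkscan.yml (added example; provider-specific only in the
# surrounding job syntax, the scan step itself is a plain docker run)
name: StackHawk DAST
on:
  pull_request:            # scan on every merge request, before the code lands
  push:
    branches: [main]
jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The scanner needs a reachable, running instance of the API under test.
      # Both the start command and the health endpoint are placeholders.
      - name: Start the API under test
        run: |
          docker compose up -d api
          for i in $(seq 1 30); do
            curl -fsS http://localhost:8080/healthz && break
            sleep 2
          done

      # Same command a developer runs on a laptop: mount the repo (which holds
      # stackhawk.yml and the OpenAPI spec) at /hawk and pass the API key from
      # the CI secret store, never from a file in the repository.
      # The job fails when findings meet hawk.failureThreshold in stackhawk.yml
      # (for example "high"), which is what blocks a merge on a real finding.
      - name: Run HawkScan
        env:
          API_KEY: ${{ secrets.HAWK_API_KEY }}   # secret name is an assumption
        run: |
          docker run --network host \
            -e API_KEY \
            -v "$PWD":/hawk:rw \
            -t stackhawk/hawkscan
```

`--network host` is what lets the container reach `http://localhost:8080` in the config above; on a provider whose runners do not allow host networking, point `app.host` at the service's container name or address instead. Because the scan step is a single `docker run`, the same step ports to GitLab, Jenkins or any other CI with only the surrounding job syntax changing.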
User Experience Built for Developers
DataRobot’s vision was for the security team to take on a consultative role for triaging and fixing. Doing so required a tool that would help the development team understand security vulnerabilities, and help them remediate on the fly.
“We need to provide tooling and automation that gives developers the ability to self-serve. And then when they get stuck, or when they are designing something new and it’s really early in the development cycle, we can focus on the more complex things – like architecture,” said Montgomery.
StackHawk’s platform is built to give developers actionable findings. The developer-friendly UI surfaces new findings and provides the details needed to act on each one: what was found, the request that triggered it and the response that revealed it, plus a cURL command that reproduces the request so a developer can confirm the issue locally and verify the fix.
“In the UI for StackHawk, there is really good info on remediation, and it was easy to mark false positives and things like that,” said Montgomery.
StackHawk’s integrations make it simple to slot the tool into existing development processes. With workflow integrations for Slack, MS Teams and Datadog, as well as ticketing in Jira, StackHawk can meet development teams wherever they already work.
Keeping APIs Secure with Automated Testing
By deploying StackHawk, DataRobot has been able to test APIs for the first time, while building a security program that can scale across the engineering org. The team has overcome tooling gaps and is able to augment its existing security testing program with automated DAST scans in CI/CD. As the security team progresses its rollout throughout the engineering org, they look forward to finding vulnerabilities before they hit production, tackling harder security challenges, and working in a consultative role with developers.