Customer Success Story
How ITV Automated API Security at Scale:
Increasing Coverage by 136% with StackHawk’s OpenAPI Spec Generation
Instant Security Testing
Increased Security Testing Coverage
Fully Automated Process
Use Case: Open API Spec Generation
Industry: Entertainment and Media
Company: ITV
Location: UK
The Challenge: Missing API Specifications Block Security Testing
This reality at ITV mirrors what many large organizations experience: API documentation is low on developers’ priority list, competing with building and shipping features. Without accurate, up-to-date OpenAPI specifications, security testing becomes either impossible or severely limited in scope and effectiveness. Even when developer-provided specs exist, they quickly become outdated as APIs evolve, leaving security testing based on stale documentation.
This creates a misalignment of priorities: security teams need accurate specs to test APIs effectively, but asking developers to create and maintain specifications for hundreds of applications is unrealistic and unsustainable at the modern pace of development.
The goal for ITV was more than just getting additional applications under test—it was doing so systematically and at scale without requiring massive manual effort to create and maintain API specifications for every service.
The Problem
ITV operated hundreds of applications and APIs, but many applications lacked the API documentation needed for test coverage. Without accurate OpenAPI specifications, security testing became impossible or severely limited.
The Solution
ITV implemented StackHawk’s AI-powered OpenAPI Spec Generation to automatically create accurate specifications from source code analysis. They combined this with custom automated onboarding that generates pull requests with complete StackHawk configurations.
The Results
ITV achieved a 136% increase in applications under active security testing through a fully automated process. The solution expands continuously as new applications are developed, enabling comprehensive API security testing at enterprise scale.
The Solution: Automated Onboarding Meets Intelligent Spec Generation
ITV’s approach combines StackHawk’s OpenAPI Spec Generation with custom automation to create a self-sustaining pipeline that brings new and existing applications under security testing.
StackHawk’s AI-Powered OpenAPI Spec Generation
The process works in three steps:
- Source Code Based API Discovery: StackHawk connects to code repositories and performs deep structural analysis, identifying API endpoints, routing patterns, data models, and authentication flows across your codebase.
- AI-Powered Spec Creation: Advanced language models transform code analysis into accurate OpenAPI specifications that reflect your API’s actual behavior, capturing parameter validation rules, response schemas, authentication requirements, and error-handling patterns.
- Immediate Testing Integration: Generated specifications feed directly into StackHawk’s testing engine, enabling security testing within minutes of discovery. The entire process from source code to first security scan typically completes in under 15 minutes.
ITV’s Automated Onboarding Pipeline
ITV created an automated onboarding system that streamlines the process of getting applications under security testing.
ITV’s automated onboarding process works by examining their applications and leveraging StackHawk’s OpenAPI Spec Generation capabilities. For applications deployed using standardized frameworks with required ITV YAML files in repositories and Terraform configurations, the system can automatically correlate deployment information and determine testing readiness.
For organizations inspired by ITV’s success, here are some key components of their approach:
1. Standardized Infrastructure Patterns
ITV leveraged their existing standardization efforts:
- Required YAML files in repositories and Terraform configurations
- Consistent deployment frameworks for a portion of applications
- Structured metadata that automation can parse and understand
2. Automated Onboarding Logic
Built automation that:
- Examines all repositories programmatically
- Checks for OpenAPI specs generated by StackHawk
- Identifies applications ready for automated testing setup
- Correlates repository data with deployment information
- Automatically generates StackHawk configuration
3. Pull Request Automation
Created a system that:
- Generates pull requests with StackHawk configuration
- Includes proper testing setup for each application
- Allows development teams to review and merge with minimal friction
- Scales automatically as new applications become testable
4. Integration with StackHawk’s OpenAPI Spec Generation
Leveraged StackHawk’s AI-powered spec generation to:
- Eliminate manual API documentation requirements
- Enable immediate testing without configuration overhead
- Create valuable organizational assets beyond security testing
- Support continuous expansion as new frameworks are added
The Results: 136% Increase in Applications Under Security Testing
The combination of automated onboarding and OpenAPI Spec Generation delivered immediate, measurable results:
Quantifiable Impact
- 136% increase in applications under active security testing
- Fully automated process requiring no manual configuration per application
- Continuous expansion as new frameworks are supported
Key Success Factors
Dedicated Security Engineering Resources
ITV benefits from having a dedicated security engineering team capable of building sophisticated automation. This investment in security engineering capabilities enables true shift-left security by automating DAST directly into developer workflows.
Embracing Automation and Scale
ITV’s culture of thinking at scale enabled them to invest in automation rather than manual processes that don’t scale with organizational growth.
Leveraging Existing Standards
Rather than creating entirely new processes, ITV built on existing infrastructure standards and deployment patterns.
The Bottom Line
ITV’s success demonstrates that OpenAPI Spec Generation becomes a transformative capability when combined with thoughtful automation. For security teams struggling to bridge the gap between application growth and security coverage, ITV’s approach provides a blueprint for comprehensive security testing at enterprise scale.
Thanks to StackHawk’s OpenAPI Spec Generation and robust APIs, we are onboarding applications into our DAST program at an unprecedented speed. Critically, we’ve been able to do this without requiring any changes from our developers, which perfectly aligns with the ‘invisible and immutable controls’ principle we aim to adopt at ITV.
Mikey Carr, Lead Security Engineer

