CHOOSING A SOLUTION
When the application security team began evaluating DAST solutions, they started from the Gartner Magic Quadrant and shortlisted 12 vendors. StackHawk, a newer entrant to the market, was added to the list as a wildcard. The team then built its evaluation criteria as a list of the features it wanted to see in the tool.
Their evaluation criteria included functionality such as:
Simplified Configuration: Onboarding users with SSO, adding new services/applications for testing, and setting up programmatic testing all must be straightforward.
Integrations: Tying in with the rest of the tooling stack of both the engineering and security teams is important for tool adoption and efficacy.
Scanning Coverage: Ability to test for both browser and API-based vulnerabilities with support for REST APIs via OpenAPI specification and GraphQL APIs.
Scan Findings: Reproducible findings with clear request and response payloads.
Audit and Usage: Clear logging of actions that were taken.
EXPERIENCE WITH STACKHAWK
The engineering team at One Medical is excited about owning security testing and having it automated within the build process. This kind of testing is already close to what they work on day to day, with clear similarities to integration testing. The developers who instrumented StackHawk found the platform simple to get up and running, citing StackHawk’s documentation as helpful. Using the tool to work through findings has been described as “easy and painless.”
With automated security testing in CI/CD, there are substantial efficiency gains for both the security and the engineering teams. Security engineers are no longer required to manually review findings, and engineers are not pulled away from their core work to determine whether a scan finding is a true vulnerability. Instead, the developer working on the code is alerted at the commit or the pull request if the change introduces a new vulnerability, while the change is still fresh and cheap to fix.
Not only are engineering processes more efficient and secure, but these changes have also allowed the application security team to expand its focus. The team maintains a custom-built security automation platform to which it can now devote more time, and it also plans to invest more in internal training.