Use Case: Making security part of the developer workflow
Industry: Health Care Technology
Company: One Medical
Location: San Francisco, USA
One Medical Automates Application Security Testing with StackHawk
BACKGROUND
One Medical had a legacy DAST solution in place but was unhappy with the quality of its findings and the manual processes it required. With the previous DAST tool, the security team had 3 engineers who each spent roughly 3-5 hours per finding, processing and reporting the results. Results did not include the information needed to reproduce a finding, so the security team had to file tickets in Jira and then work with engineers to determine whether each finding was real.
The team needed a way to scale application security across the engineering team, equipping developers with automated security testing and self-service remediation.
CHOOSING A SOLUTION
When the application security team started evaluating DAST solutions, they first looked at the Gartner Magic Quadrant and selected 12 vendors to evaluate. As a newer entrant to the market, StackHawk was added to the list as a wildcard. The team then built its evaluation criteria, which included a list of the features they ideally wanted to see in the tool.
Their evaluation criteria included functionality such as:
Simplified Configuration: Onboarding users with SSO, adding new services/applications for testing, and setting up programmatic testing all must be straightforward.
Integrations: Tying in with the rest of the tooling stack of both the engineering and security teams is important for tool adoption and efficacy.
Scanning Coverage: Ability to test for both browser and API-based vulnerabilities with support for REST APIs via OpenAPI specification and GraphQL APIs.
Scan Findings: Reproducible findings with clear request and response payloads.
Audit and Usage: Clear logging of actions that were taken.
EXPERIENCE WITH STACKHAWK
The engineering team at One Medical is excited about owning security testing and having it automated within the build process. This sort of testing is already in the ballpark of what they work on, with similarities to integration testing. The developers who worked on instrumenting StackHawk found the platform to be simple to get up and running, citing StackHawk’s documentation as helpful. And when it comes to using the tool for findings, it has been described as “easy and painless.”
With automated security testing in CI/CD, there are substantial efficiency gains for both the security and the engineering teams. Security engineers are no longer required to manually review findings, and engineers are not pulled away from their core work to determine whether a scan finding is a true vulnerability. Instead, the developer working on the code is alerted at commit or pull-request time if they have introduced a new vulnerability.
Not only will engineering processes be more efficient and secure, but these changes have enabled the application security team to expand its focus. The team has a custom-built security automation platform that they will be able to devote more time to, and they also plan to spend more time improving internal training.
About One Medical
One Medical is a technology-enabled healthcare solution that provides a reimagined version of primary care via provider video chat, in-app communications, and an application for patients to see medical records.