alternativeText

Use Case

Making security part of the developer workflow


Industry

Health Care Technology


Company

One Medical


Location

San Francisco, USA

HAWKSOME CUSTOMER SUCCESS STORY

One Medical Automates

Application Security Testing

with StackHawk

BACKGROUND

One Medical had a legacy DAST solution in place but was unhappy with the quality of the findings and the manual processes it required. With the previous DAST tool used by One Medical, the security team had 3 engineers who each spent roughly 3-5 hours per finding, processing and reporting the results. Results did not include information to replicate the finding, so the security team would have to add tickets into Jira and then work with engineers to determine if it is a real ticket.

The team needed a way to scale application security through the engineering team, equipping developers with automated security testing and self-service remediations.

Left Quote
We wanted a tool that offers the capability for developers to get involved in application security so they triage issues themselves. StackHawk was the only one that met these criteria.
Right Quote
THE PROBLEM
THE PROBLEM

Unable to scale application security through engineering team, unhappy with quality of findings and manual processes with legacy DAST solution. 

THE SOLUTION
THE SOLUTION

Selected StackHawk as their DAST platform of choice for improved scan coverage for modern applications, features that enabled developer self-service, and automation and integration capabilities. 

THE RESULTS
THE RESULTS

Efficient and more secure engineering processes to confidently push code to production without introducing security risk.

CHOOSING A SOLUTION

As the application security team started evaluating DAST solutions, they first looked at the Gartner Magic Quadrant, selecting 12 vendors that they would evaluate. As a newer solution to the market, StackHawk was added to the list as a wildcard. Then, the team built the evaluation criteria, which included a list of the ideal features they would like to see in the tool.

Their evaluation criteria included functionality such as:

  • Simplified Configuration: Onboarding users with SSO, adding new services/applications for testing, and setting up programmatic testing all must be straightforward.

  • Integrations: Tying in with the rest of the tooling stack of both the engineering and security teams is important for tool adoption and efficacy. 

  • Scanning Coverage: Ability to test for both browser and API-based vulnerabilities with support for REST APIs via OpenAPI specification and GraphQL APIs.

  • Scan Findings: Reproducible findings with clear request and response payloads. 

  • Audit and Usage: Clear logging of actions that were taken.

image

EXPERIENCE WITH STACKHAWK

The engineering team at One Medical is excited about owning security testing and having it automated within the build process. This sort of testing is already in the ballpark of what they work on, with similarities to integration testing. The developers who worked on instrumenting StackHawk found the platform to be simple to get up and running, citing StackHawk’s documentation as helpful. And when it comes to using the tool for findings, it has been described as “easy and painless.”

With automated security testing in CI/CD, there are tremendous efficiency gains for both the security and the engineering teams. Security engineers no longer are required to manually review findings and engineers are not pulled away from their core work to determine if a scan finding is a true vulnerability. Instead, the developer who is working on the code will be alerted at the code commit or the pull request if they have introduced a new vulnerability. 

Not only will engineering processes be more efficient and secure, but these changes have enabled the application security team to expand its focus. The team has a custom-built security automation platform that they will be able to devote more time to, and they also plan to spend more time improving internal training.

Left Quote
The process of scanning the application and integrating with CircleCI was super easy...With StackHawk's CircleCI Orb, teams can quickly add an application security test to the build pipeline, ensuring visibility to any newly added vulnerabilities before the application is in production.
Right Quote
alternativeText

About One Medical

One Medical is a technology-enabled healthcare solution that provides a reimagined version of primary care via provider video chat, in-app communications, and an application for patients to see medical records.

SHIP SECURE

SOFTWARE FASTER!

Ready for More?

Read the Docs
Read the Docs

Get up and running in less than an hour. Build the config file and then $ docker run hawkscan to find your security bugs.

Read the Docs
Get Started
Get Started

Find and fix application security bugs before they hit production. Build your config and run your first scan in less than 15 minutes.

Get Started
Request a Demo
Request a Demo

If you are interested in seeing the StackHawk platform in action, schedule time with our team for a live demo.

Request a Demo