Use Case

Making security part of the developer workflow

Industry

Health Care Technology

Company

One Medical

Location

San Francisco, USA

HAWKSOME CUSTOMER SUCCESS STORY

One Medical Automates

Application Security Testing

with StackHawk

BACKGROUND

One Medical had a legacy DAST solution in place but was unhappy with the quality of the findings and the manual processes it required. With the previous DAST tool used by One Medical, the security team had 3 engineers who each spent roughly 3-5 hours per finding, processing and reporting the results. Results did not include information to replicate the finding, so the security team would have to add tickets into Jira and then work with engineers to determine if it is a real ticket.

The team needed a way to scale application security through the engineering team, equipping developers with automated security testing and self-service remediations.

We wanted a tool that offers the capability for developers to get involved in application security so they triage issues themselves. StackHawk was the only one that met these criteria.

THE PROBLEM

Unable to scale application security through engineering team, unhappy with quality of findings and manual processes with legacy DAST solution.

THE SOLUTION

Selected StackHawk as their DAST platform of choice for improved scan coverage for modern applications, features that enabled developer self-service, and automation and integration capabilities.

THE RESULTS

Efficient and more secure engineering processes to confidently push code to production without introducing security risk.

CHOOSING A SOLUTION

As the application security team started evaluating DAST solutions, they first looked at the Gartner Magic Quadrant, selecting 12 vendors that they would evaluate. As a newer solution to the market, StackHawk was added to the list as a wildcard. Then, the team built the evaluation criteria, which included a list of the ideal features they would like to see in the tool.

Their evaluation criteria included functionality such as:

Simplified Configuration: Onboarding users with SSO, adding new services/applications for testing, and setting up programmatic testing all must be straightforward.

Integrations: Tying in with the rest of the tooling stack of both the engineering and security teams is important for tool adoption and efficacy.

Scanning Coverage: Ability to test for both browser and API-based vulnerabilities with support for REST APIs via OpenAPI specification and GraphQL APIs.

Scan Findings: Reproducible findings with clear request and response payloads.

Audit and Usage: Clear logging of actions that were taken.

EXPERIENCE WITH STACKHAWK

The engineering team at One Medical is excited about owning security testing and having it automated within the build process. This sort of testing is already in the ballpark of what they work on, with similarities to integration testing. The developers who worked on instrumenting StackHawk found the platform to be simple to get up and running, citing StackHawk’s documentation as helpful. And when it comes to using the tool for findings, it has been described as “easy and painless.”

With automated security testing in CI/CD, there are tremendous efficiency gains for both the security and the engineering teams. Security engineers no longer are required to manually review findings and engineers are not pulled away from their core work to determine if a scan finding is a true vulnerability. Instead, the developer who is working on the code will be alerted at the code commit or the pull request if they have introduced a new vulnerability.

Not only will engineering processes be more efficient and secure, but these changes have enabled the application security team to expand its focus. The team has a custom-built security automation platform that they will be able to devote more time to, and they also plan to spend more time improving internal training.

The process of scanning the application and integrating with CircleCI was super easy...With StackHawk's CircleCI Orb, teams can quickly add an application security test to the build pipeline, ensuring visibility to any newly added vulnerabilities before the application is in production.

About One Medical

One Medical is a technology-enabled healthcare solution that provides a reimagined version of primary care via provider video chat, in-app communications, and an application for patients to see medical records.

SHIP SECURE

SOFTWARE FASTER!

Ready for More?

Read the Docs

Get up and running in less than an hour. Build the config file and then $ docker run hawkscan to find your security bugs.

Read the Docs

Get Started

Find and fix application security bugs before they hit production. Build your config and run your first scan in less than 15 minutes.

Get Started

Request a Demo

If you are interested in seeing the StackHawk platform in action, schedule time with our team for a live demo.

Request a Demo

BLOG

How Does StackHawk Work?

Explore Stackhawk

Watch a Demo

Getting Started

Getting Started

Modern DAST

Getting Started With AppSec

DevSecOps

API Security Testing

Developer-First AppSec

OWASP Top 10

GraphQL Security Testing

gRPC Security Testing

Integrate with your existing tools and workflows

Snyk

GitHub

AWS

Atlassian

Our Hawksome Customers

StackHawk + GitHub

Getting Started

StackHawk API

Integrations

StackHawk Platform

Authentication

BLOG

Dynamic Application Security Testing: Overview and Tooling

About

Watch a Demo

Blog

Getting Started

Press Room

Zap Fund

One Medical Automates

Application Security Testing

with StackHawk

BACKGROUND

CHOOSING A SOLUTION

About One Medical

SHIP SECURE

SOFTWARE FASTER!

Ready for More?