StackHawk

My main use case for StackHawk is primarily as a PCI requirement for DAST.

As a quick specific example of how I use StackHawk for that PCI requirement, it is one of the controls that sits alongside the requirement to have SAST. I deployed StackHawk and Snyk because those two products were easily integrated and therefore providing a unified view of vulnerabilities that existed either during the CI/CD process or running live.

The best features StackHawk offers are, most importantly, its ability to report any issues that may exist with code running live. The integration with Snyk provides a more holistic, complete picture of issues in the entire life cycle of the web application.

An example of how getting a holistic picture of issues across the life cycle has helped my team is related to both StackHawk and Snyk because they were basically joined at the hip. Prior to the PCI requirements, there was not a lot of interest in automating the analysis of code that was being developed. Code was being scrubbed for vulnerabilities by humans, which is frankly impractical. You cannot go through either a few thousand or a few million lines of code and expect a human to find vulnerabilities because they are biased. That would be asking a lot based on the sheer volume of data and expecting people to identify vulnerabilities is completely impractical.

Outside of getting StackHawk connected to websites, which was fairly painless, I have no additional features that stand out to me besides the integration and reporting. StackHawk has positively impacted my organization by introducing an automated process that did not exist previously, and it helped the company achieve PCI certification.

I cannot think of anything I would add to StackHawk, with the possible exception of adding any additional code bases that might be out there. I am thinking about a situation where a company might be in mergers and acquisitions mode and they onboard a company that has developed an application in a code base that is not covered by StackHawk, which would introduce some inefficiency and possible compliance difficulties. It would be great if StackHawk were continuously adding more and more languages and integrations.

On a scale of one to ten, I would rate StackHawk an eight, only because I wish the product was a little less expensive. It also is running into direct competition with Snyk, as they did an acquisition of another DAST company, and they should be sensitive to that and possibly offer a discount for current users because it would be under consideration to move to Snyk and reduce complexity even if it was by a little bit.

I have been using StackHawk for a little over a year.

The advice I would give to others looking into using StackHawk is that the integration with Snyk was impressive. You would also consider just using Snyk and the DAST that they onboarded over the past year.

StackHawk is deployed in my organization in the public cloud using the configuration on their site.

I use AWS as my cloud provider.

I rate this product an eight out of ten.

Public Cloud

Amazon Web Services (AWS)

What do you like best about the product?

Stachawk efficiently performed a comprehensive security assessment, identifying potential issues such as SQL injection, XSS, and security misconfigurations. The detailed reports provided clear insights into each vulnerability, along with recommendations for remediation.

Another key feature was its ability to adapt to different environments, making it a versatile solution for both black-box and white-box testing scenarios.

What do you dislike about the product?

A learning path should be added to help users maximize the potential of Stachawk. While the tool is powerful and intuitive, a structured learning path would provide step-by-step guidance on configuring scans, interpreting results, and implementing security best practices.

What problems is the product solving and how is that benefiting you?

Stachawk addresses the need for a DAST scanner that supports ethical hacking, enables early vulnerability detection, and enhances secure development practices. By automating security assessments, it allows cybersecurity professionals and development teams to identify weaknesses in web applications before they can be exploited. Its capabilities facilitate proactive security testing, helping organizations integrate security into their SDLC (Software Development Life Cycle) and adopt a shift-left approach. With Stachawk, teams can strengthen their security posture while ensuring compliance with industry standards and best practices.

What do you like best about the product?

Its scanning capabilities and easy integration into our CI/CD pipelines

What do you dislike about the product?

Simplified documentation for the yml specs. I have to search all over and go through a ton of trial and error when it comes time to setup configurations for stackhawk.

What problems is the product solving and how is that benefiting you?

We needed DAST and it provides that to us

What do you like best about the product?

We have recently partnered with StackHawk for dynamic security code scanning and the product has been fantastic. StackHawk has many methods for performing code scanning tests which have been helpful for our development team. But I want to mention that perhaps the greatest thing about StackHawk has been their employees and the support they provide. (Most big software manufacturers sort of drop you off the deep end of the pool and disappear.) I will say that the customer on-boarding we had from StackHawk and their professionals was one of the best I've seen in my long career. They have a bunch of experts who are friendly and will assist you in getting the tools set up, explaining all of the features and options, and there to assist when you need help. I'd like to extend my genuine thanks to all at StackHawk for making our security program better and being a great partner.

What do you dislike about the product?

I do not have any dislikes regarding StackHawk.

What problems is the product solving and how is that benefiting you?

We had been using tools from larger software vendors, but they were becoming less effective and their value was declining over time (compared to the ever increasing costs). We looked around this crowded vendor space and reviewed several solutions for code scanning, API scanning, etc. We found that StackHawk was quite easy to set up and integrate. We also found that their staff and support were top notch.

What do you like best about the product?

I like the ability to configure the YAML file centrally. I like the integrations that are available as well.

What do you dislike about the product?

The configs of the YAML file and authenticated scans can be frustrating.

What problems is the product solving and how is that benefiting you?

Scan apps pushed to staging in the pipeline

What do you like best about the product?

The StackHawk team achieves what seems impossible.

What do you dislike about the product?

The path was not very clear as we embarked on the beginning of our journey.

What problems is the product solving and how is that benefiting you?

We want to address all the security weaknesses in our microservices, and StackHawk has allowed us to gain visibility into issues that we cannot test in other quality gates.

What do you like best about the product?

The onboarding of application.
Vendor customer support.
API files scanning.
Easy to use and implementation and DevSecOps CI/CD integration
The dashboard results...
Attack Surface utilization... etc.,

What do you dislike about the product?

To onboard each application why should we have to involve each application POC to write their extra files to configure into the system. Here its lagging time to pass KT to each application POC to come up with their config Yaml file.

What problems is the product solving and how is that benefiting you?

As of now we have onboarded few of our client applications to the Stack Hawk and seeing good results and using those results to implement more security with the help of Dev Teams to remediate the security vulnerabilities.

What do you like best about the product?

Its configurable nature and diverse integration option. And the very supportive customer support team who value the feedback and make sure changes are reflected in upcoming releases.

What do you dislike about the product?

The limitation of being able to use with only internet accessible surface and limitation on on-prem usage. Additionally, lack of granular roles to avoid accendential deletion of scan and scan result by a unaware user.

What problems is the product solving and how is that benefiting you?

Helping us streamline our secure development initiative

What do you like best about the product?

StackHawk is an efficient and developer-friendly tool for application security testing. One of its standout features is the easy integration with CI/CD pipelines, making it straightforward to incorporate into existing development workflows. Additionally, the scan times are quick, allowing teams to identify and address security vulnerabilities without significant delays to deployment.

What do you dislike about the product?

if would be great if you guys provide score card & PDF report on email so that we can easily share with other prople higher managment

What problems is the product solving and how is that benefiting you?

mainly it highlightes the security flaws and outdated software recomondations

What do you like best about the product?

The dev team found it fairl simple to get their codebase/apps (Python, BitBucket, Jenkins, Jira) integrated... we had a volunteer who went through the process & provide steps so the rest could cookie-cutter it.

What do you dislike about the product?

I am not a coder - I'm on the InfoSec side of the house. So my take about SH relates to the admin portal & reporting... both of which of very good. It was easy to invite devs to the portal & the reports provide info that I use to relay for compliance/security work.

What problems is the product solving and how is that benefiting you?

It does a few things for us:

1. Adds a DAST function that automates discovery of vulns. Previously done by humans - not ideal.
2. Help us to create a DevSecOps culture. We are pairing this with Snyk to have a soup-to-nuts CI/CD analysis.
3. Both 1&2 help us meet GRC requirements. Code-development has become a focus for more than a few compliance/privacy rules.