
    StackHawk

    StackHawk is a DAST and API testing tool built for developers. With powerful automation and integration capabilities, StackHawk gives engineers the ability to find and fix security vulnerabilities in their AWS software development pipeline before they reach production.

    Ratings and reviews

    Average rating: 4.6 (70 ratings)

    5 star: 77%
    4 star: 23%
    3 star: 0%
    2 star: 0%
    1 star: 0%

    2 AWS reviews | 68 external reviews (external reviews are from G2)

    Reviews (70)
    Ney Roman

    Vulnerability visibility has improved across microservices but integration still needs refinement

    Reviewed on Jun 14, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for StackHawk is to analyze our application live in our EKS cluster.

    A specific example of how we use StackHawk in our EKS cluster is that we deployed an agent authenticated to the StackHawk platform and it is in charge of analyzing our different repositories, letting us know if we have any open vulnerabilities within our base code. Every scenario of analysis is completely published into the StackHawk platform so we can see if we have open vulnerabilities to solve and how much time it takes to perform the analysis.

    What is most valuable?

    The best feature StackHawk offers is called Attack Surface, which is a way of letting us know which of the repositories we have hosted in any repository system have an attack surface. In that case, we integrate the platform into StackHawk, and then they let us know the application code base and how we have to integrate it, and we can easily set up the application.

    The Attack Surface feature has helped our team by having an inventory of our repositories and which of them have a surface attack.

    StackHawk has positively impacted my organization by giving us a new vision of how vulnerabilities were seen, as we now have more visibility in that matter. We now take care of not just the static analysis and the composition analysis, but the dynamic analysis. When our microservices are running, we do have a vision of how it performs, and it also lets us know if we have any open vulnerabilities so we can close them.

    Since we started using StackHawk, we've seen reports on different vulnerabilities that we have in our current microservices within the cluster, so now we have a wide vision and a wide perspective, and also we have new ideas about what we need to do. We also have similar microservices, so most of them are common errors and now we are closing up that gap of vulnerabilities.

    What needs improvement?

    StackHawk can be improved in the way that it is integrated. At the very beginning, the idea was to, within the pipeline, mount the different resources that our microservices needed to start running. For example, if we had a service that needed Redis, maybe Kafka, or a database to initialize, we needed to have a Docker Compose file, bring up those services, and after that, do the analysis. It didn't have that; it wasn't reachable at the very beginning and it wasn't as good as we expected. But at some point, we decided to mount it as an agent in the Docker file, and it was waiting for new jobs. It was even better, and when we figured out how to integrate it within our EKS cluster, suddenly we started reaching the services, knowing what was going on, and everything related to security. As long as we have a P2T to our QA site or cluster, we do not have garbage in our databases, but StackHawk does put a little garbage information in while doing its job.

    That's the main area I'm focusing on right now regarding needed improvements.

    For how long have I used the solution?

    I've been using StackHawk for almost a year.

    What do I think about the stability of the solution?

    StackHawk is stable.

    What do I think about the scalability of the solution?

    Regarding StackHawk's scalability, I don't have a clear vision about how scalable it is, but we can use it in every microservice that we have, and we have almost 300 microservices and all of them can be analyzed within the cluster with our agent.

    How are customer service and support?

    The customer support was amazing; every time they could, they brought a Spanish translator, so the communication was really smooth. I would rate the customer support ten out of ten.

    Which solution did I use previously and why did I switch?

    I didn't previously use a different solution for dynamic analysis.

    How was the initial setup?

    Regarding my experience with pricing, setup cost, and licensing, I'm not sure about pricing since I wasn't part of the team that got the application. The setup cost was actually really cheap; I hosted a self-runner with an image based on the StackHawk one, so it was really cheap and easy. I want to emphasize that I was not part of the pricing details and I'm also not sure about what kind of license we have.

    What about the implementation team?

    I was just in charge of implementing StackHawk, and I'm actually not part of the security team, so I cannot measure its accuracy and reliability.

    What was our ROI?

    Actually, I cannot say that we have seen a return on investment, as we've been using it recently and the company hasn't adopted it with all the services, so there isn't any measurement about that. Also, at the very beginning, we were just working with two engineers, and now we have maybe just one, but I don't know, it's complicated.

    What's my experience with pricing, setup cost, and licensing?

    The setup cost was actually really cheap; I hosted a self-runner with an image based on the StackHawk one, so it was really cheap and easy.

    Which other solutions did I evaluate?

    We did not evaluate other options before choosing StackHawk; we went straightforward to it.

    What other advice do I have?

    I don't actually have a clear perspective on StackHawk's AI capabilities regarding its governance and security.

    My advice to others looking into using StackHawk is to stay prepared. Document how your architecture works, whether you have decoupled services or not. Based on that, it will be easier or not to use the application. In our case, we had to deploy an agent within our cluster and that was the only way we could analyze our microservices. So be prepared, especially technically, because they can help a lot in different areas, but you're the owner of your own infrastructure, so it relies on you how you're going to implement the solution.

    My overall rating for this review is seven out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    reviewer2795271

    Automated security checks have transformed PCI compliance and provide unified vulnerability insights

    Reviewed on Jan 14, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for StackHawk is primarily as a PCI requirement for DAST.

    As a quick specific example of how I use StackHawk for that PCI requirement, it is one of the controls that sits alongside the requirement to have SAST. I deployed StackHawk and Snyk because those two products were easily integrated and therefore provided a unified view of vulnerabilities that existed either during the CI/CD process or while running live.

    What is most valuable?

    The best features StackHawk offers are, most importantly, its ability to report any issues that may exist with code running live. The integration with Snyk provides a more holistic, complete picture of issues in the entire life cycle of the web application.

    An example of how getting a holistic picture of issues across the life cycle has helped my team is related to both StackHawk and Snyk because they were basically joined at the hip. Prior to the PCI requirements, there was not a lot of interest in automating the analysis of code that was being developed. Code was being scrubbed for vulnerabilities by humans, which is frankly impractical. You cannot go through either a few thousand or a few million lines of code and expect a human to find vulnerabilities because they are biased. That would be asking a lot based on the sheer volume of data and expecting people to identify vulnerabilities is completely impractical.

    Outside of getting StackHawk connected to websites, which was fairly painless, I have no additional features that stand out to me besides the integration and reporting. StackHawk has positively impacted my organization by introducing an automated process that did not exist previously, and it helped the company achieve PCI certification.

    What needs improvement?

    I cannot think of anything I would add to StackHawk, with the possible exception of adding any additional code bases that might be out there. I am thinking about a situation where a company might be in mergers and acquisitions mode and they onboard a company that has developed an application in a code base that is not covered by StackHawk, which would introduce some inefficiency and possible compliance difficulties. It would be great if StackHawk were continuously adding more and more languages and integrations.

    On a scale of one to ten, I would rate StackHawk an eight, only because I wish the product were a little less expensive. It is also running into direct competition with Snyk, as they acquired another DAST company, and they should be sensitive to that and possibly offer a discount for current users, because moving to Snyk and reducing complexity, even if only by a little bit, would be under consideration.

    For how long have I used the solution?

    I have been using StackHawk for a little over a year.

    Which other solutions did I evaluate?

    The advice I would give to others looking into using StackHawk is that the integration with Snyk was impressive. You would also consider just using Snyk and the DAST that they onboarded over the past year.

    What other advice do I have?

    StackHawk is deployed in my organization in the public cloud using the configuration on their site.

    I use AWS as my cloud provider.

    I rate this product an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Higher Education

    StackHawk efficiently processed the data, providing insightful analytics and reports.

    Reviewed on Apr 03, 2025
    Review provided by G2

    What do you like best about the product?

    StackHawk efficiently performed a comprehensive security assessment, identifying potential issues such as SQL injection, XSS, and security misconfigurations. The detailed reports provided clear insights into each vulnerability, along with recommendations for remediation.

    Another key feature was its ability to adapt to different environments, making it a versatile solution for both black-box and white-box testing scenarios.

    What do you dislike about the product?

    A learning path should be added to help users maximize the potential of StackHawk. While the tool is powerful and intuitive, a structured learning path would provide step-by-step guidance on configuring scans, interpreting results, and implementing security best practices.

    What problems is the product solving and how is that benefiting you?

    StackHawk addresses the need for a DAST scanner that supports ethical hacking, enables early vulnerability detection, and enhances secure development practices. By automating security assessments, it allows cybersecurity professionals and development teams to identify weaknesses in web applications before they can be exploited. Its capabilities facilitate proactive security testing, helping organizations integrate security into their SDLC (Software Development Life Cycle) and adopt a shift-left approach. With StackHawk, teams can strengthen their security posture while ensuring compliance with industry standards and best practices.

    Computer Software

    Review

    Reviewed on Feb 18, 2025
    Review provided by G2

    What do you like best about the product?

    Its scanning capabilities and easy integration into our CI/CD pipelines.

    What do you dislike about the product?

    Simplified documentation for the yml specs. I have to search all over and go through a ton of trial and error when it comes time to set up configurations for StackHawk.

    What problems is the product solving and how is that benefiting you?

    We needed DAST and it provides that to us.

    David M.

    StackHawk is a great DAST security tool

    Reviewed on Jan 23, 2025
    Review provided by G2

    What do you like best about the product?

    We have recently partnered with StackHawk for dynamic security code scanning and the product has been fantastic. StackHawk has many methods for performing code scanning tests which have been helpful for our development team. But I want to mention that perhaps the greatest thing about StackHawk has been their employees and the support they provide. (Most big software manufacturers sort of drop you off the deep end of the pool and disappear.) I will say that the customer on-boarding we had from StackHawk and their professionals was one of the best I've seen in my long career. They have a bunch of experts who are friendly and will assist you in getting the tools set up, explaining all of the features and options, and there to assist when you need help. I'd like to extend my genuine thanks to all at StackHawk for making our security program better and being a great partner.

    What do you dislike about the product?

    I do not have any dislikes regarding StackHawk.

    What problems is the product solving and how is that benefiting you?

    We had been using tools from larger software vendors, but they were becoming less effective and their value was declining over time (compared to the ever-increasing costs). We looked around this crowded vendor space and reviewed several solutions for code scanning, API scanning, etc. We found that StackHawk was quite easy to set up and integrate. We also found that their staff and support were top notch.

    Restaurants

    StackHawk Review

    Reviewed on Jan 10, 2025
    Review provided by G2

    What do you like best about the product?

    I like the ability to configure the YAML file centrally. I like the integrations that are available as well.

    What do you dislike about the product?

    The configs of the YAML file and authenticated scans can be frustrating.

    What problems is the product solving and how is that benefiting you?

    Scan apps pushed to staging in the pipeline.

    Banking

    Excellent customer service

    Reviewed on Dec 23, 2024
    Review provided by G2

    What do you like best about the product?

    The StackHawk team achieves what seems impossible.

    What do you dislike about the product?

    The path was not very clear as we embarked on the beginning of our journey.

    What problems is the product solving and how is that benefiting you?

    We want to address all the security weaknesses in our microservices, and StackHawk has allowed us to gain visibility into issues that we cannot test in other quality gates.

    Ramgopal K.

    Working with StackHawk experience...

    Reviewed on Dec 16, 2024
    Review provided by G2

    What do you like best about the product?

    The onboarding of applications.
    Vendor customer support.
    API file scanning.
    Easy to use and implement, and DevSecOps CI/CD integration.
    The dashboard results...
    Attack Surface utilization... etc.

    What do you dislike about the product?

    To onboard each application, why should we have to involve each application POC to write their extra files to configure into the system? Here it's lagging time to pass KT to each application POC to come up with their config YAML file.

    What problems is the product solving and how is that benefiting you?

    As of now we have onboarded a few of our client applications to StackHawk and are seeing good results, and we are using those results to implement more security with the help of Dev Teams to remediate the security vulnerabilities.

    Shivani Santosh K.

    StackHawk - An upcoming DAST solution

    Reviewed on Nov 21, 2024
    Review provided by G2

    What do you like best about the product?

    Its configurable nature and diverse integration options. And the very supportive customer support team, who value the feedback and make sure changes are reflected in upcoming releases.

    What do you dislike about the product?

    The limitation of being able to use it with only internet-accessible surfaces, and the limitation on on-prem usage. Additionally, the lack of granular roles to avoid accidental deletion of scans and scan results by an unaware user.

    What problems is the product solving and how is that benefiting you?

    Helping us streamline our secure development initiative.

    Bonam B.

    A Fast, Developer-Friendly Security Solution with Clear Remediation Guidance

    Reviewed on Nov 11, 2024
    Review provided by G2

    What do you like best about the product?

    StackHawk is an efficient and developer-friendly tool for application security testing. One of its standout features is the easy integration with CI/CD pipelines, making it straightforward to incorporate into existing development workflows. Additionally, the scan times are quick, allowing teams to identify and address security vulnerabilities without significant delays to deployment.

    What do you dislike about the product?

    It would be great if you guys provided a scorecard and PDF report by email so that we can easily share it with other people in higher management.

    What problems is the product solving and how is that benefiting you?

    Mainly it highlights the security flaws and outdated software recommendations.