
StackHawk

StackHawk, Inc.

Reviews from AWS Marketplace

0 AWS reviews
  • 5 star: 0
  • 4 star: 0
  • 3 star: 0
  • 2 star: 0
  • 1 star: 0

External reviews

57 reviews from G2

External reviews are not included in the AWS star rating for the product.


    Alexander S.

Shift Left on Security with Stackhawk

  • February 19, 2022
  • Review verified by G2

What do you like best about the product?
Stackhawk is extremely simple to set up. The user interface, documentation, and examples really pave the way for a successful implementation.
What do you dislike about the product?
I don't have anything to list as a dislike at the moment. Everything is working as expected.
What problems is the product solving and how is that benefiting you?
Our team is focusing on strengthening our security posture. Automated DAST scanning on our pull requests was a piece of the puzzle Stackhawk solved.


    Computer & Network Security

A good DAST Tool, easy to integrate in your CI pipeline

  • February 17, 2022
  • Review verified by G2

What do you like best about the product?
- A good knowledgeable and strong support and account team.
- Easy to integrate with the existing CI pipeline.
- Did a good job of reducing our vulnerabilities.
- A great UI to review.
What do you dislike about the product?
- Needs better notification and improvements to the notifications.
- Alternate alerting system.
- Needs more product lines to make this a single use tool.
What problems is the product solving and how is that benefiting you?
- Stackhawk has greatly reduced our vulnerabilities and keeps our code in check by integrating with the CI pipeline.
- The developers are always alerted for any new vulnerabilities introduced.


    Woody P.

StackHawk is the best security scanner I've used, among about half a dozen

  • February 16, 2022
  • Review provided by G2

What do you like best about the product?
In no particular order:

I love their UI/UX. It presents issues clearly, where I can easily give them to junior programmers to investigate & fix with nothing more than a link to an issue or a scan. It provides good explanations for the issues it flags, as well as links to blog articles about the issues (sometimes specific to dealing with it in our particular framework). It also has detailed request data, including a cURL command to reproduce the issue, the response body, and highlights "evidence" it found attempting to prove that an issue is not a false positive.

Their PDF reports aren't just a print version of the dashboard, but a well-formatted, good-looking, PDF-specific design that is a good deliverable for clients or just to record our security issues at a particular moment in time. Their dashboard is also easy to grok as well.

I like that, unlike other static analyzers that scan code to assess potential vulnerabilities, StackHawk scans your site to actually try to trigger vulnerabilities and produce evidence. Through this method, StackHawk found XSS vulnerabilities and warned about other potential issues that other tools didn't find, and they were clearly reproducible. Also, this method is more confidence-inspiring, and has produced far fewer false positives than code analysis. Our company still uses static code analysis, as it is quick & cheap (good for continuous integration), but we now consider StackHawk the definitive tool for programmatic assessment of security vulnerabilities.

I also like their pricing model. The free tier is legitimately useful, the pricing upgrades make sense, and I can just do it all myself. Several competitors offer similar scan products but cost thousands of dollars per year and require talking to an account manager to set up. I did talk to a couple sales reps for other products, and as a non-profit looking to keep costs low, two different sales reps never got back to me about discounted plans (and their free plans were just limited trials). One I never actually tried because the whole product was paywalled, which is fine for bigger clients I assume, but inaccessible to me.
What do you dislike about the product?
The only downside to StackHawk so far is the time a scan takes. While static code analysis can take just minutes, or even seconds when focusing on the files in a particular changeset, StackHawk's scans take hours to complete and require us to either ramp up our test server capacity or dedicate a developer's machine to the scan. Slow scan time is fine if we're focused on security for a particular assessment or quarterly review, but we can't use it as part of our continuous integration pipeline "out of the box." They do have documentation on reducing scan times by optimizing the routes it looks at, parallelizing certain areas of the site, etc., but we'd have to set up a fair bit of infrastructure to get this working. We might, someday, but it's certainly not as easy as just hooking up a code analyzer to GitHub.

Also, once you resolve an issue with your site, I couldn't find a way to re-run just that one issue and update the scan report because there isn't (or doesn't seem to be) a central list of issues. Instead, you have a list of scans, and although scans do show previously assigned/accepted/ignored issues as such in new scans, it displays scans as islands of their own. This just means to get a "clean" report we have to run an entirely new scan, which takes time, unless we also spend time optimizing our scan time. So far I've just let it run overnight, which minimizes my time spent, but re-checking just one issue would be nice.
What problems is the product solving and how is that benefiting you?
We're checking the attack area of our site for vulnerabilities before a significant feature release. StackHawk has found several real issues other analyzers or security consultancies didn't find, and with a very low signal-to-noise ratio. As mentioned previously, since the issues are presented so clearly, we've been able to assign these issues to be fixed by more junior programmers, which is an added cost benefit.


    Jonatas W.

StackHawk proves to be an interesting tool in secure development pipelines

  • February 12, 2022
  • Review provided by G2

What do you like best about the product?
I like how easy it is to onboard new applications. It is easy and practical, making it simpler to bring security into the application development cycle. In addition, the application makes use of native API development configuration through OpenAPI files.
What do you dislike about the product?
It still seems too simplistic for the level expected in corporate environments. It lacks a way to manage multiple projects, but I believe this will be implemented in future releases.
What problems is the product solving and how is that benefiting you?
I am implementing DAST analysis using the free tier, and this allows me to make my open source environment more secure. The main feature is the automation of security testing directly in the CI/CD pipeline.


    Transportation/Trucking/Railroad

A great dynamic company that is promising and a maverick in the world of DAST platforms

  • February 11, 2022
  • Review verified by G2

What do you like best about the product?
DAST tools have always been crude and traditional in the last decade. StackHawk brings a unique approach to DAST that is truly modern, easy to use and set up, and developer-friendly.
What do you dislike about the product?
There's nothing I dislike about StackHawk specifically, but there's room for improvement on their solution.
What problems is the product solving and how is that benefiting you?
Licensing models from other DAST companies do not provide flexibility and, most of the time, are cost-prohibitive. StackHawk's pricing is reasonable and allows our business to scale while keeping our application security budget sustainable.
Recommendations to others considering the product:
If Shift-Left and DevSecOps are your strategy and goal, StackHawk is the right DAST tool for you.


    Publishing

StackHawk for simplified security scans

  • February 09, 2022
  • Review provided by G2

What do you like best about the product?
StackHawk is very simple to set up and use, whether using the standard method of a Docker image or the new CLI tool. Either can easily be integrated with your choice of CI/CD system to automate the process for each developer's commits. We've found the resulting reports are easy to understand for both developers and management. In particular, we like the ability to replicate each test with the cURL command provided in the report. Support and sales have gone above and beyond in getting us set up.
What do you dislike about the product?
We haven't yet found anything we dislike about StackHawk. For our small business, it's been an ideal fit so far.
What problems is the product solving and how is that benefiting you?
We needed a quick security scan solution to help win a new account. StackHawk allowed us to close the deal while providing us with a solid on-going solution to find and fix security issues much earlier in our development cycle.
Recommendations to others considering the product:
I would recommend signing up for a free trial and testing it for yourself. StackHawk was simple to set up, so it won't take much time to discover if it will meet your needs.


    Matt M.

Solid CICD integration with a bright future

  • February 07, 2022
  • Review verified by G2

What do you like best about the product?
Slick CICD integration for a known scanning tool
What do you dislike about the product?
The core scanner is ZAP, without additional checks or enhancements.
What problems is the product solving and how is that benefiting you?
Automating our CICD pipeline for DAST with decent jira integration


    Charles E.

The Stackhawk Experience was impressive from the beginning to fully integrated into our CI/CD

  • February 07, 2022
  • Review verified by G2

What do you like best about the product?
The Stackhawk documentation was easy & helpful for our development team to integrate into our CI/CD. The Stackhawk team was very responsive, helpful & knowledgeable.
What do you dislike about the product?
No complaints. The product is producing findings with helpful remediation tips and recommendations.
What problems is the product solving and how is that benefiting you?
We've used Stackhawk to handle DAST scanning of our web hosted product and have already eliminated all High & Med findings, and now have real-time awareness to DAST security in our CI/CD pipeline to keep our product secure.


    Patrick R.

Good Tool for Appsec

  • February 07, 2022
  • Review provided by G2

What do you like best about the product?
Good tool for Dynamic App Scanning. Can greatly help with the vulnerability identification and remediation process.
What do you dislike about the product?
Does not seem to be a way to scan multipage/multisite applications or Mobile.
What problems is the product solving and how is that benefiting you?
We are not currently implementing the product fully, just demo and poc phase.


    Ahsan A.

The Most Essential DevSecOps DAST Tool Available Today

  • February 05, 2022
  • Review provided by G2

What do you like best about the product?
Many people aren't familiar with application security testing, development security operations, or the dynamic tools that can be used to test and monitor products. I love how StackHawk allows a single point of context to maintain a developer account for free. At the same time, a single pro user is (at the time of writing this) roughly $35/month, around the same as a typical gym membership. Application security is critically important, and StackHawk makes it available to nearly everyone.
What do you dislike about the product?
There's nothing specifically to dislike, though I'd love to have more real-time visual analytics formatted for mobile access.
What problems is the product solving and how is that benefiting you?
StackHawk allows for all sorts of ongoing testing of my company's mobile apps. We do penetration testing, MFA testing, password algorithm, E2EE, load, flow, API testing, and more on iOS, Android, our PWAs, dashboards, and even throughout our AWS cloud, with which it integrates smoothly and seamlessly.
Recommendations to others considering the product:
Leverage the trial period to install and implement things early and with little to no risk or cost. Establish performance baselines, and then scan continuously as you deploy, roll out and release products.