My main use case for StackHawk is primarily as a PCI requirement for DAST.
As a quick specific example of how I use StackHawk for that PCI requirement, it is one of the controls that sits alongside the requirement to have SAST. I deployed StackHawk and Snyk because those two products were easily integrated and therefore provide a unified view of vulnerabilities that existed either during the CI/CD process or while running live.
The best feature StackHawk offers is, most importantly, its ability to report any issues that may exist with code running live. The integration with Snyk provides a more holistic, complete picture of issues across the entire life cycle of the web application.
An example of how getting a holistic picture of issues across the life cycle has helped my team relates to both StackHawk and Snyk, because they were basically joined at the hip. Prior to the PCI requirements, there was not a lot of interest in automating the analysis of code that was being developed. Code was being scrubbed for vulnerabilities by humans, which is frankly impractical. You cannot go through either a few thousand or a few million lines of code and expect a human to find vulnerabilities, because they are biased. That would be asking a lot based on the sheer volume of data, and expecting people to identify vulnerabilities is completely impractical.
Outside of getting StackHawk connected to websites, which was fairly painless, I have no additional features that stand out to me besides the integration and reporting. StackHawk has positively impacted my organization by introducing an automated process that did not exist previously, and it helped the company achieve PCI certification.
I cannot think of anything I would add to StackHawk, with the possible exception of adding any additional code bases that might be out there. I am thinking about a situation where a company might be in mergers and acquisitions mode and they onboard a company that has developed an application in a code base that is not covered by StackHawk, which would introduce some inefficiency and possible compliance difficulties. It would be great if StackHawk were continuously adding more and more languages and integrations.
On a scale of one to ten, I would rate StackHawk an eight, only because I wish the product were a little less expensive. It is also running into direct competition with Snyk, as they acquired another DAST company, and they should be sensitive to that and possibly offer a discount for current users, because it would be under consideration to move to Snyk and reduce complexity, even if only by a little bit.
I have been using StackHawk for a little over a year.
The advice I would give to others looking into using StackHawk is that the integration with Snyk was impressive. You should also consider just using Snyk and the DAST that they onboarded over the past year.
StackHawk is deployed in my organization in the public cloud using the configuration on their site.
I use AWS as my cloud provider.
I rate this product an eight out of ten.