Why Doesn’t Your CI Pipeline Have Security Bug Testing?

StackHawk
This is not security for security people. Application security for engineering teams.

Software Engineering has Changed with CI/CD

Continuous integration and continuous delivery have changed software engineering. Teams are shipping small change sets often, and automation has made the life of an engineer a lot simpler. Automation throughout the CI/CD pipeline has touched nearly everything, with integrations and tooling for linting, unit testing, integration testing, deployment, and more.

Application security, however, has been left behind.

While there are a few exceptions, most application security products are dated technology built for an era before DevOps, CI/CD, and modern software engineering products. These products are also built for the security teams instead of the developers who are close to the code. This is obviously a problem.

Application Security: Super Important and Super Broken

It goes without saying that building secure applications is imperative for any engineering team today. Without baking security into your application, your company opens itself up to leaking sensitive data, degrading user experience, or allowing account takeover. As most companies in the world shift to be software-first, application security will only become increasingly important.

While clearly vitally important, current AppSec models are broken. The traditional approaches to application security prioritize training over tooling and finding over fixing. InfoSec teams are holding onto dated practices of periodic, point-in-time scans of production. Vulnerabilities are kicked back to the engineering team in long lists or large Jira backlogs, which then sit deprioritized behind feature development. If the work is pulled into a sprint, it requires the developer to jump back into code that they likely haven’t touched for weeks or months.

Adding to this problem is the fact that the majority of the security products on the market are legacy enterprise tools. They are built for a different era of software development and continue to serve the technology dinosaurs that have yet to adopt modern DevOps workflows. Features are built for security teams and favor long approval chains and reports rather than enabling the developers who will actually fix the security bugs to get on with fixing them.

A shift is needed in culture, workflows, and tooling.

There is a better way 👇.

The AppSec Future: Application Security Tests in Every CI/CD Build

While shifting security left has been a trade show booth tagline for years now, we are at the advent of that truly becoming a reality. In the same way that many engineers now define and monitor their own infrastructure, developers are learning that they can take security testing into their own hands. Proper tooling and pipeline automation will drive this shift.

So what do application security tests in every build look like?

You’ll want to instrument two types of security testing, commonly known as SAST and DAST. SAST (Static Analysis Security Testing) scans your code base and its associated dependencies for known vulnerabilities. DAST (Dynamic Analysis Security Testing) runs tests against a running version of your application to find externally exploitable security bugs. Both are important, and both can be added to your CI builds.

Then, on every merge, your pipeline can run security testing. When a developer adds a security bug, they will be alerted and can quickly fix it. Tests should be instrumented later in the pipeline as well to ensure that new bugs are not introduced – think of it as security integration testing. When a bug is found, fixes can be tested locally before kicking off a new build.

A New Breed of AppSec Tooling

To add application security testing to the CI/CD pipeline, the right tools are needed. As mentioned, the traditional security products on the market are heavy on enterprise sales and light on features for the modern dev shop. Luckily, new tools are hitting the market that are built for developer-first security.

As you look at potential tools, here are a few things to consider:

  • How the App Is Scanned: Are your DAST scans scheduled against a production environment, or does the tool assume ephemeral environments and pipeline runs? Does the SAST tool want you to zip up your code and ship it off to them, or does it integrate deeply into your source code repository?
  • Support for Modern Applications: Does the tool support modern development paradigms, such as single page applications, GraphQL, or JAMstack applications? Can it work with an OpenAPI spec, or does it simply rely on an HTML spider? Does it simply scan publicly available sites, or can it work with multiple forms of authentication?
  • Noise Management: Traditional security tools are noisy with false positives and assume that fixing all findings is a priority over all else. Does the tool support quieting of noise to ensure that your workflows are not blown up by the addition of your security tool?

Getting Started

Adding application security tests to your CI/CD pipeline can feel like a daunting task, but it is actually easy to get started. Here’s how:

  • Pick Your Tools: Select SAST and DAST tools that you can easily try out and add to your pipeline. Make sure they hit on the new breed criteria above. (Hint: if they don’t let you test without first seeing a demo, they probably aren’t built for developers). I’m a little biased, but StackHawk is really the only DAST tool built for developers. And here at StackHawk, we are big fans of Snyk for SAST.
  • Instrument in Pipeline: After configuring your tooling, add it to your CI/CD pipeline. We recommend starting with non-blocking runs at first while you triage any existing backlog of security issues. Now every build will include application security tests. For more examples of configuring pipeline instrumentation with StackHawk, check out our docs or this blog on instrumenting StackHawk with CircleCI.
  • Roll Out Across Engineering: Application security works best when distributed, with engineers fixing their own security bugs as they build software. This happens with a cultural shift first, but a cultural shift happens a lot easier when the right tooling is in place. One thing that helps drive the culture shift is visibility. At StackHawk, we are big fans of pushing the StackHawk results from a pipeline run into Slack. Another thing that helps the culture shift is putting the fix of new issues in the hands of each engineer, while managing the fix of the existing backlog through a different workstream.
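The "start non-blocking, then gate" rollout and the noise-management criterion above can both be handled by one small pipeline step. The following is an added example, not StackHawk's or Snyk's code: it assumes a hypothetical scanner that emits a JSON list of findings (`id`, `severity`, `path`) and a hypothetical triage file that silences reviewed findings with an expiry date, so suppressions do not quietly become permanent.

```python
"""Hypothetical CI gate for DAST/SAST findings (added example, not vendor code).

Assumed scanner output: JSON list of {"id", "severity", "path"}.
Assumed triage file: JSON object keyed by finding id with a reason and an
ISO expiry date. Both formats are constructed for this example.
"""
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output; these are not real scan results.
SAMPLE_FINDINGS = json.dumps([
    {"id": "sqli-001", "severity": "high", "path": "/api/orders"},
    {"id": "xss-002", "severity": "medium", "path": "/search"},
    {"id": "hdr-003", "severity": "low", "path": "/"},
    {"id": "xss-004", "severity": "medium", "path": "/profile"},
])

# Constructed triage file: one active suppression and one that has expired.
SAMPLE_TRIAGE = json.dumps({
    "xss-002": {"reason": "false positive, output is HTML-encoded",
                "expires": "2099-01-01"},
    "hdr-003": {"reason": "accepted risk, re-review", "expires": "2000-01-01"},
})


def load_triage(text, today=None):
    """Return {finding_id: reason} for suppressions that have not expired.

    `today` is an ISO date string; it defaults to the real current date.
    """
    cutoff = date.fromisoformat(today) if today else date.today()
    active = {}
    for fid, entry in json.loads(text).items():
        if date.fromisoformat(entry["expires"]) >= cutoff:
            active[fid] = entry["reason"]
    return active


def evaluate(findings_json, triage_json, fail_on="high", blocking=True, today=None):
    """Return (exit_code, report_lines); exit_code 0 lets the build proceed.

    In non-blocking mode every finding is still reported, but the exit code
    is always 0: the recommended starting point while the backlog is triaged.
    Once the backlog is under control, flip `blocking` to True to gate merges.
    """
    findings = json.loads(findings_json)
    triage = load_triage(triage_json, today)
    threshold = SEVERITY_RANK[fail_on]
    report, failing = [], []
    for f in findings:
        if f["id"] in triage:
            report.append(f"SUPPRESSED {f['id']} ({triage[f['id']]})")
            continue
        report.append(f"{f['severity'].upper():8} {f['id']} {f['path']}")
        if SEVERITY_RANK[f["severity"]] >= threshold:
            failing.append(f["id"])
    if failing and blocking:
        report.append(f"FAIL: {len(failing)} finding(s) at or above {fail_on}")
        return 1, report
    if failing:
        report.append(f"WARN (non-blocking): {len(failing)} finding(s) at or above {fail_on}")
    return 0, report


if __name__ == "__main__":
    code, lines = evaluate(SAMPLE_FINDINGS, SAMPLE_TRIAGE, blocking=False)
    print("\n".join(lines))
    raise SystemExit(code)
```

Pair the script with a scanner that writes its findings to a file and keep the triage file in the repository, so every suppression is reviewed in a pull request like any other change.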

At StackHawk, we’re obviously super passionate about this topic. If you want to talk shop, get technical support, or learn more about how we can help here, shoot us a note at hello@stackhawk.com.
