Why Doesn’t Your CI Pipeline Have Security Bug Testing?

StackHawk
This is not security for security people. Application security for engineering teams.

Software Engineering has Changed with CI/CD

Continuous integration and continuous delivery have changed software engineering. Teams ship small change sets often, and automation has made the life of an engineer a lot simpler. Automation throughout the CI/CD pipeline has touched nearly everything, with integrations and tooling for linting, unit testing, integration testing, deployment, and more.

Application security, however, has been left behind.

While there are a few exceptions, most application security products are dated technology built for an era before DevOps, CI/CD, and modern software engineering practices. These products are also built for security teams instead of the developers who are closest to the code. This is obviously a problem.

Application Security: Super Important and Super Broken

It goes without saying that building secure applications is imperative for any engineering team today. Without baking security into your application, your company opens itself up to leaking sensitive data, degrading user experience, or allowing account takeover. As most companies in the world shift to being software-first, application security will only become more important.

While clearly vital, current AppSec models are broken. The traditional approaches to application security prioritize training over tooling and finding over fixing. InfoSec teams hold onto the dated practice of periodic, point-in-time scans of production. Vulnerabilities are kicked back to the engineering team in long lists or large Jira backlogs, which then sit deprioritized behind feature development. If the work is pulled into a sprint, it requires the developer to jump back into code that they likely haven’t touched for weeks or months.

Adding to this problem, the majority of security products on the market are legacy enterprise tools. They were built for a different era of software development and continue to serve the technology dinosaurs that have yet to adopt modern DevOps workflows. Features are built for security teams and favor long approval chains and reports rather than enabling the developers who will actually fix the security bugs.

A shift is needed in culture, workflows, and tooling.

There is a better way 👇.

The AppSec Future: Application Security Tests in Every CI/CD Build

While shifting security left has been a trade show booth tagline for years now, we are at the advent of that truly becoming a reality. In the same way that many engineers now define and monitor their own infrastructure, developers are learning that they can take security testing into their own hands. Proper tooling and pipeline automation will drive this shift.

So what do application security tests in every build look like?

You’ll want to instrument two types of security testing, commonly known as SAST and DAST. SAST (Static Application Security Testing) scans your code base and its associated dependencies for known vulnerabilities without running the application. DAST (Dynamic Application Security Testing) runs tests against a running instance of your application to find externally exploitable security bugs. Both are important, and both can be added to your CI builds.

Then, on every merge, your pipeline can run security testing. When a developer introduces a security bug, they are alerted and can fix it quickly. Tests should also be instrumented later in the pipeline to ensure that new bugs are not introduced; think of it as security integration testing. When a bug is found, the fix can be tested locally before kicking off a new build.

A New Breed of AppSec Tooling

To add application security testing to the CI/CD pipeline, the right tools are needed. As mentioned, the traditional security products on the market are heavy on enterprise sales and light on features for the modern dev shop. Luckily, new tools are hitting the market that are built for developer-first security.

As you look at potential tools, here are a few things to consider:

  • How the App Is Scanned: Are your DAST scans scheduled against a production environment, or does the tool assume ephemeral environments and pipeline runs? Does the SAST tool want you to zip up your code and ship it off to them, or does it integrate deeply with your source code repository?
  • Support for Modern Applications: Does the tool support modern development paradigms such as single-page applications, GraphQL, or Jamstack applications? Can it work from an OpenAPI spec, or does it rely solely on an HTML spider? Does it only scan publicly available sites, or can it work with multiple forms of authentication?
  • Noise Management: Traditional security tools are noisy with false positives and assume that fixing all findings is a priority over all else. Does the tool support quieting of noise to ensure that your workflows are not blown up by the addition of your security tool?

Getting Started

Adding application security tests to your CI/CD pipeline can feel like a daunting task, but it is actually easy to get started. Here’s how:

  • Pick Your Tools: Select SAST and DAST tools that you can easily try out and add to your pipeline. Make sure they hit on the new breed criteria above. (Hint: if they don’t let you test without first seeing a demo, they probably aren’t built for developers). I’m a little biased, but StackHawk is really the only DAST tool built for developers. And here at StackHawk, we are big fans of Snyk for SAST.
  • Instrument in Pipeline: After configuring your tooling, add it to your CI/CD pipeline. We recommend starting with non-blocking runs while you triage any existing backlog of security issues. Now every build will include application security tests. For more examples of configuring pipeline instrumentation with StackHawk, check out our docs or our blog post on instrumenting StackHawk with CircleCI.
  • Roll Out Across Engineering: Application security works best when distributed, with engineers fixing their own security bugs as they build software. This starts with a cultural shift, but a cultural shift happens much more easily when the right tooling is in place. One thing that helps drive the culture shift is visibility. At StackHawk, we are big fans of pushing the StackHawk results from a pipeline run into Slack. Another thing that helps is putting the fix of new issues in the hands of each engineer, while managing the fix of the existing backlog through a separate workstream.
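The gating logic behind "non-blocking first, then block only on new findings" (Instrument in Pipeline) and "new issues to the author, the backlog to its own workstream, noise quieted" (Roll Out Across Engineering), as an added example that is not StackHawk's or ZAP's code. It assumes a tool-neutral findings shape (rule, severity, path); the sample findings and suppression list are constructed, and a real pipeline would feed it the scanner's exported results.

```python
# Added example: a small CI gate over scanner findings. Not StackHawk's or ZAP's
# code; the findings format, rule names, and suppression list are constructed.
from __future__ import annotations
import json
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: findings from the last triaged scan of main (the backlog).
BASELINE_JSON = """[
  {"rule": "sql-injection", "severity": "high", "path": "/api/users"},
  {"rule": "missing-csp-header", "severity": "low", "path": "/"}
]"""

# Constructed sample: findings from the scan of the current pull request.
CURRENT_JSON = """[
  {"rule": "sql-injection", "severity": "high", "path": "/api/users"},
  {"rule": "missing-csp-header", "severity": "low", "path": "/"},
  {"rule": "missing-csp-header", "severity": "low", "path": "/login"},
  {"rule": "reflected-xss", "severity": "medium", "path": "/search"}
]"""

# Constructed suppression list: noise the team has triaged and chosen to quiet.
SUPPRESSIONS = [{"rule": "missing-csp-header", "path_prefix": "/"}]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str

    def key(self) -> tuple[str, str]:
        # A finding is "the same" across scans if rule and location match.
        return (self.rule, self.path)


def load_findings(text: str) -> list[Finding]:
    return [Finding(f["rule"], f["severity"].lower(), f["path"]) for f in json.loads(text)]


def is_suppressed(f: Finding, suppressions: list[dict]) -> bool:
    return any(s["rule"] == f.rule and f.path.startswith(s.get("path_prefix", ""))
               for s in suppressions)


def triage(baseline: list[Finding], current: list[Finding], suppressions: list[dict]):
    """Split current findings into (new, backlog, quiet)."""
    known = {f.key() for f in baseline}
    new, backlog, quiet = [], [], []
    for f in current:
        if is_suppressed(f, suppressions):
            quiet.append(f)      # triaged noise: reported, never blocks
        elif f.key() in known:
            backlog.append(f)    # pre-existing: owned by the backlog workstream
        else:
            new.append(f)        # introduced by this change: owned by its author
    return new, backlog, quiet


def gate(new: list[Finding], threshold: str = "medium", blocking: bool = True) -> bool:
    """True if the build may proceed. blocking=False is the recommended starting
    mode (report everything, fail nothing); once the backlog is triaged, flip to
    blocking so new findings at or above the threshold fail the build."""
    if not blocking:
        return True
    return all(SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold] for f in new)


if __name__ == "__main__":
    new, backlog, quiet = triage(load_findings(BASELINE_JSON),
                                 load_findings(CURRENT_JSON), SUPPRESSIONS)
    print(f"new={len(new)} backlog={len(backlog)} quiet={len(quiet)}")
    print("build passes" if gate(new) else "build blocked")
```

With the constructed input, the pre-existing SQL injection stays in the backlog, the two CSP findings are quieted, and only the reflected XSS introduced by the change counts against the gate.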

At StackHawk, we’re obviously super passionate about this topic. If you want to talk shop, get technical support, or learn more about how we can help here, shoot us a note at hello@stackhawk.com.

Developer Advocate
(US)

The Role

Application security is shifting left, with software engineering teams taking ownership over the security of their applications. StackHawk is an application security testing company built for software developers and automation in CI/CD. We are hiring a developer advocate who will help evangelize the message of developer-centric application security testing throughout developer communities.


You will engage with developer communities in a variety of ways, including online discussion, content creation, and speaking at events. You should be comfortable flexing between the high level reasons why and the nitty gritty technical details of how it all works.

This is a rare opportunity to be the public face of a fast growing developer tool that is shifting how engineering teams are delivering secure applications.

What You'll Do

  • Carry the Application Security Testing Torch. You will be a leading voice on the new model of application security testing (automated in CI/CD and built for developers). You’ll be advocating for this, sharing examples, and amplifying thought leaders in the community.
  • Engage in Community Discussion. Be a part of the conversation where it is happening, and help create conversation in relevant communities. Twitter, online forums, Slack channels, and more. Get out there to join and create conversation.
  • Speak at Events. Become part of the speaker circuit for developer, DevOps, and security events. Build compelling talks and deliver them at events around the world.
  • Build Content. Build blogs, videos, webinars, docs, sample applications, and more. Share why application security is shifting left and how to make it happen. These should vary from high level to technical details.
  • Share Learnings into StackHawk. Bring your learnings from the community back into StackHawk to help shape where the product and company are headed.

About You

  • 5+ years as a kick-ass developer, DevOps, or automated test engineer
  • Experience with or ability to learn both StackHawk and Zed-Attack-Proxy (ZAP) technology
  • Experience in or ability to learn CI/CD security test automation
  • Demonstrated existing involvement in developer communities
  • Experience creating content and speaking at events
  • Belief in the need for application security to shift left
  • Self-starter who can roll up your sleeves and make it happen
  • Willing to travel as needed for speaking at events

The Goods

  • Competitive Compensation: Earn a competitive salary and get an equity stake in the company that we are building together. 
  • Solid Benefits: Health, dental, and vision insurance 100% paid for employees and dependents. Other benefits include life insurance, AD&D, and 401K.
  • Time to Recharge Encouraged: Take what you need vacation plus ten paid holidays! Unplug, recharge, and come back refreshed. 
  • Fun Team and Perks: We do great work and have fun doing it! Get a great at home equipment setup, a fun team to collaborate with, and other great perks.
  • Place Where Your Work Matters and You Grow: As a seed stage company, your work shapes the product that we are building. Nothing beats arriving at work every day knowing that your work deeply matters, and there is no better opportunity to grow in your career.

StackHawk is proud to be an equal opportunity employer. We are committed to equal opportunity regardless of race, color, ancestry, religion, gender, gender identity, genetic information, parental or pregnancy status, national origin, sexual orientation, age, citizenship, marital status, disability, or Veteran status.

Salary range for this role is $90K to $170K, or commensurate with experience.

Solutions Architect
Denver (Open to )

StackHawk is an application security product that is taking a new approach to the market. There is a graveyard of security products that have been sold to the C-Suite and fell flat at implementation. StackHawk is different… we’ve built a product for developers that will help them take ownership of application security. StackHawk is the only product on the market that truly allows developers to run dynamic security tests against their applications before they hit production & protect their APIs from vulnerabilities. With this in mind, we are hiring a Solutions Architect to partner with the sales team, enable them to engage in technical discussions, and be the primary technical relationship owner with prospects & customers. You will assist folks in configuring the StackHawk scanning engine and instrumenting application security testing in their CI/CD pipeline. This role is key to the success of the conversion of prospects to customers, helping them quickly become successful with the scanning engine, and leveraging the StackHawk platform for triaging and fixing security bugs. 

As the Solutions Architect for a rapidly growing DevOps + AppSec company, you must be a strongly motivated self-starter who can work cross-functionally with the Founder, Engineering, and Support teams to drive new adoption of the StackHawk product.

What You’ll Do:

  • Be the technical product expert with the ability to coach, train, and give technical product demonstrations to customers, prospects, and partners
  • Discover customer use cases and their ideal solution using StackHawk's sales methodology
  • Own and drive the technical aspects of the customer journey by providing demonstrations, managing proof of concepts,  and sharing best practices
  • Track customer adoption, engagement, and expansion opportunities to prevent churn and ensure high renewal rates
  • Collaborate with engineering / devops / appsec teams to instrument StackHawk in customer CI/CD pipelines
  • Shape new product decisions and feature enhancements by conveying customers’ needs and requests to Product and Engineering teams
  • Ability to travel (around 25% estimated) throughout sales territory for meetings with prospects, partners, and events (you know, once this COVID thing is under control)

About You:

  • 3+ years of experience in a customer-facing role. Background in sales engineering preferred. 
  • You have excellent written and oral business communication skills and are comfortable presenting complex technical subjects to both highly technical and business audiences
  • Ability to create technical content suitable for a variety of audiences and formats
  • Love for learning new technologies and a genuine curiosity about how things work 
  • Experience with at least one scripting language (Bash, Python, JavaScript, PHP)
  • Familiarity and experience with some or all of the following technologies: REST APIs, GraphQL, server-side HTML applications, OAuth/OIDC, Docker, JSON, and YAML
  • Have a good understanding of the developer and DevOps ecosystems and practices
  • Ability and experience in troubleshooting software products
  • You are a creative, out-of-the-box thinker with a passion for coming up with novel solutions to complex problems
  • Proven track record of success, driving revenue growth against quota
  • You’re data-driven, process-oriented, and understand how to measure success 
  • You love working in teams and your teams love working with you
  • You’re comfortable and thrive working in the rapid, unpredictable nature of a tech startup

The Goods:

  • Competitive Compensation: Earn a competitive salary and get an equity stake in the company that we are building together. 
  • Solid Benefits: Health, dental, and vision insurance 100% paid for employees and dependents. Other benefits include life insurance, AD&D, and 401K.
  • Time to Recharge Encouraged: Take what you need vacation plus ten paid holidays! Unplug, recharge, and come back refreshed.
  • Fun Team and Perks: We do great work and have fun doing it! We take care of our employees… We’ll contribute to your WFH setup and hook you up with occasional at-home perks. Plus, work with a team that loves to have fun while doing our work! 
  • Place Where Your Work Matters and You Grow: As a Series A company, your work shapes the product that we are building. Nothing beats arriving at work every day knowing that your work deeply matters, and there is no better opportunity to grow in your career.

StackHawk is proud to be an equal opportunity employer. We are committed to equal opportunity regardless of race, color, ancestry, religion, gender, gender identity, genetic information, parental or pregnancy status, national origin, sexual orientation, age, citizenship, marital status, disability, or veteran status.

Salary range for this role is $120K to $200K, or commensurate with experience.

Java Engineer - Scanning Technology
(US)

The Role:
StackHawk’s Engineering team is seeking an experienced Java software engineer to work on StackHawk scanner tech as well as contribute to the ZAP OpenSource project. In this role, you will work directly with the Product teams to design and implement core DAST scanner features as well as deliver functionality and improvements to the open source parent project. You’ll be a key member of a small growing team that will revolutionize application security by reducing complexity, providing actionable recommendations, and empowering software engineers to take control of their application security. If you enjoy the challenge of designing and creating all new product features and contributing to OSS, this is the role for you.


What You’ll Do:

  • Work with stakeholders, making key technology decisions.
  • Help design and deliver improvements in both functionality and speed to the core StackHawk scanning product.
  • Contribute to the open source ZAP project by implementing and improving core and add-on features of ZAP.
  • We're an agile, fast growing company and this job description isn't meant to be a complete list of your qualifications or all the things you'll do.


About You:

  • 5+ years of experience in SaaS software development and design.
  • Happy to have public domain feedback and eyes on your code.
  • Proficient in Java, Kotlin, or another JVM language.
  • Experience with Maven/Gradle project management and build tools.
  • Proficient in REST API design principles and tooling such as Swagger and Postman.
  • Experience with backend web application frameworks (Spring, Play, Express.js, etc.)
  • Experience with automated build and deployment tools such as Jenkins, TravisCI, Maven, Gradle, etc.
  • Obsessive about automation.
  • Persuasive - Bring others to your point of view using logic, data, and emotion. Have a formal process and framework by which to make qualitative and quantitative points, not just using emotional appeals
  • Accountable - Be willing to answer for the outcomes resulting from your own choices, behaviors, and actions. Take ownership of situations that you're involved in
  • Self-motivated - Motivated to do or achieve something because of your own enthusiasm or interest, without needing pressure from others
  • Focused - Achieve what they set out to do before launching new initiatives. Complete company-linked goals and tasks, not simply to be busy and active
  • Collaborative - A keen ability to support cross-functional projects and decisions. Gets energized from working within a team and cross-functionally to achieve the company's goals. Knows that security is a supporting function of any business and the difference between binary security and scale security

Head of Engineering
(US)


StackHawk’s leadership team is seeking an Engineering leader to develop and grow the StackHawk engineering function. This role is all about bringing your stamp to StackHawk, helping our engineering team scale and maintain high delivery velocity as the team grows. StackHawk is a product-led development organization, and as such you’ll work closely with the product team to help define the roadmap and deliverables to customers, all while ensuring quality and uptime of the StackHawk product suite. You’ll be a key leader of a growing team that will revolutionize application security by reducing complexity, providing actionable recommendations, and empowering software engineers to take control of their application security. This early position will be instrumental in shaping engineering culture and promoting StackHawk’s goal of identifying and remediating app vulnerabilities in the CI/CD pipeline. You’ll be the decision maker for technology and process direction. This position will also have board-facing exposure, reporting on the progress and future of StackHawk Engineering. If you enjoy the challenge of designing and creating all new infrastructure and product features, this is the role for you.


What You’ll Do:

  • Represent the Engineering function at an executive level
  • Lead the Engineering team through management and mentorship
  • Lead recruitment activities for the Engineering team
  • Collaborate with the Product organization on roadmap execution and predictable delivery
  • Develop standards and procedures to ensure quality and uptime standards are met and are consistent
  • Prepare and optimize budgets
  • Work with stakeholders, making key technology decisions
  • Help set standards and coding practices for the engineering teams
  • Design, be accountable for, and report on success KPIs for the Engineering organization
  • We're an agile, fast growing company and this job description isn't meant to be a complete list of your qualifications or all the things you'll do.


About You:

  • 5+ years of leading Engineering teams preferably in a SaaS environment
  • 5+ years of coaching and organizing engineering, quality, and DevOps teams 
  • Experience with cross-functional delivery teams and scaled agile practices
  • Strong organizational leadership skills
  • Experience in organizing and leading cross-functional teams in scaled agile fashion
  • Extensive experience in working with stakeholders to create hiring strategies to recruit, grow and retain quality teams
  • Strong knowledge of data structures and SaaS platform delivery models
  • Obsessive about automation.
  • Persuasive - Bring others to your point of view using logic, data, and emotion. Have a formal process and framework by which to make qualitative and quantitative points, not just using emotional appeals
  • Accountable - Be willing to answer for the outcomes resulting from your own choices, behaviors, and actions. Take ownership of situations that you're involved in
  • Self-motivated - Motivated to do or achieve something because of your own enthusiasm or interest, without needing pressure from others
  • Focused - Achieve what they set out to do before launching new initiatives. Complete company-linked goals and tasks, not simply to be busy and active
  • Collaborative - A keen ability to support cross-functional projects and decisions. Gets energized from working within a team and cross-functionally to achieve the company's goals. Knows that security is a supporting function of any business and the difference between binary security and scale security


The Goods:

  • Competitive Compensation: Earn a competitive salary and get an equity stake in the company that we are building together. Phone reimbursement, paid parking, and commuter benefits included.
  • Solid Benefits: Health, dental, and vision insurance 100% paid for employees and dependents. Other benefits include life insurance, AD&D, and 401K.
  • Time to Recharge Encouraged: Take what you need vacation plus ten paid holidays! Unplug, recharge, and come back refreshed.
  • Fun Team and Perks: We do great work and have fun doing it! Our office comes equipped with hardware of your choice, daily breakfast and snacks, coffee, happy hours, on-site gym, and a fun team to collaborate with.
  • Place Where Your Work Matters and You Grow: As a seed stage company, your work shapes the product that we are building. Nothing beats arriving at work every day knowing that your work deeply matters, and there is no better opportunity to grow in your career.


StackHawk is proud to be an equal opportunity employer. We are committed to equal opportunity regardless of race, color, ancestry, religion, gender, gender identity, genetic information, parental or pregnancy status, national origin, sexual orientation, age, citizenship, marital status, disability, or Veteran status.
