Why Doesn’t Your CI Pipeline Have Security Bug Testing?

StackHawk
This is not security for security people. Application security for engineering teams.

Software Engineering has Changed with CI/CD

Continuous integration and continuous delivery have changed software engineering. Teams ship small change sets often, and automation has made the life of an engineer a lot simpler. Automation throughout the CI/CD pipeline has touched nearly everything, with integrations and tooling for linting, unit testing, integration testing, deployment, and more.

Application security, however, has been left behind.

While there are a few exceptions, most application security products are dated technology built for an era before DevOps, CI/CD, and modern software engineering practices. These products are also built for security teams instead of the developers who are close to the code. This is obviously a problem.

Application Security: Super Important and Super Broken

It goes without saying that building secure applications is imperative for any engineering team today. Without baking security into your application, your company opens itself up to leaking sensitive data, degrading user experience, or allowing account takeover. As most companies in the world shift to be software-first, application security will only become increasingly important.

While clearly vitally important, current AppSec models are broken. The traditional approaches to application security prioritize training over tooling and finding over fixing. InfoSec teams hold onto dated practices of periodic, point-in-time scans of production. Vulnerabilities are kicked back to the engineering team in long lists or large Jira backlogs, which then sit deprioritized behind feature development. If the work is pulled into a sprint, it requires the developer to jump back into code that they likely haven’t touched for weeks or months.

Adding to this problem is the fact that the majority of the security products on the market are legacy enterprise tools. They are built for a different era of software development and continue to serve the technology dinosaurs that have yet to adopt modern DevOps workflow. Features are built for security teams and favor long approval chains and reports rather than enabling the developers who will fix the security bugs to get to the job of fixing found issues.

A shift is needed in culture, workflows, and tooling alike.

There is a better way 👇.

The AppSec Future: Application Security Tests in Every CI/CD Build

While shifting security left has been a trade show booth tagline for years now, we are at the advent of that truly becoming a reality. In the same way that many engineers now define and monitor their own infrastructure, developers are learning that they can take security testing into their own hands. Proper tooling and pipeline automation will drive this shift.

So what do application security tests in every build look like?

You’ll want to instrument two types of security testing, commonly known as SAST and DAST. SAST (Static Application Security Testing) analyzes your source code without running it, looking for vulnerable patterns such as queries assembled by string concatenation or hard-coded secrets; scanning your dependencies for known vulnerabilities is strictly a separate discipline, software composition analysis (SCA), although many SAST products bundle it. DAST (Dynamic Application Security Testing) sends requests to a running version of your application and judges it by its actual responses, which is how it finds externally exploitable bugs, including ones that come from configuration rather than code. Neither replaces the other: SAST cannot see runtime configuration, and DAST cannot see code paths it never reaches. Both can be added to your CI builds.

Then, on every merge, your pipeline can run security testing. When a developer introduces a security bug, they are alerted and can fix it quickly, while the change is still fresh. Tests should be instrumented later in the pipeline as well, once the application is deployed to a test environment, to ensure that new bugs are not introduced by configuration or integration; think of it as security integration testing. When a bug is found, the fix can be tested locally before kicking off a new build.
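To make the two classes of test concrete, here is an added example in Python; it is not code from the original post, and it is not StackHawk’s or any vendor’s scanner. The static half walks the Python AST of a constructed snippet and flags a query string assembled at runtime (f-string, concatenation, %, or .format()) that is handed to execute(). The dynamic half starts a deliberately weak HTTP handler on a localhost port, sends a probe string, and judges only the live response: reflected input that comes back unencoded, missing security headers, and a Server header that leaks a version. The sample source, the toy handler, the probe and the header list are all constructed for this example; a second run with the handler’s `hardened` flag set shows the same scan coming back clean.

```python
"""Toy SAST and DAST checks side by side (added example; not StackHawk's scanner)."""
import ast
import html
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample source: one injectable call, one parameterised call.
SAMPLE_SOURCE = '''
def find_user(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")   # line 3: injectable

def find_user_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))  # line 6: parameterised
'''


def sast_sql_concat(source: str) -> list[str]:
    """Static check: execute()/executemany() whose query is assembled at runtime."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        query = node.args[0]
        runtime_built = (
            isinstance(query, (ast.JoinedStr, ast.BinOp))        # f"...", "..." + x, "..." % x
            or (isinstance(query, ast.Call)
                and isinstance(query.func, ast.Attribute)
                and query.func.attr == "format")                 # "...".format(x)
        )
        if runtime_built:
            findings.append(f"line {node.lineno}: query built at runtime passed to {node.func.attr}()")
    return findings


class ToyApp(BaseHTTPRequestHandler):
    """Constructed target. `hardened` switches on output encoding and headers."""
    hardened = False

    def do_GET(self):
        q = parse_qs(urlparse(self.path).query).get("q", [""])[0]
        shown = html.escape(q) if self.hardened else q     # vulnerable path reflects q raw
        body = f"<html><body>Results for: {shown}</body></html>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        if self.hardened:
            self.send_header("X-Content-Type-Options", "nosniff")
            self.send_header("Content-Security-Policy", "default-src 'self'")
        self.end_headers()
        self.wfile.write(body)

    def version_string(self):
        # The default Server header reads "BaseHTTP/x.y Python/3.z": a version leak.
        return "app" if self.hardened else super().version_string()

    def log_message(self, *args):
        pass  # keep the scan quiet


PROBE = "zz9'\"><probe>"  # harmless marker; returned verbatim means no HTML encoding


def dast_scan(host: str, port: int) -> list[str]:
    """Dynamic check: only what the running app actually returns counts."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("GET", f"/search?q={quote(PROBE)}")
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    headers = resp.headers
    conn.close()
    findings = []
    if PROBE in body:
        findings.append("user input reflected into HTML without encoding (XSS)")
    for name in ("X-Content-Type-Options", "Content-Security-Policy"):
        if name not in headers:
            findings.append(f"missing response header: {name}")
    server = headers.get("Server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"Server header discloses software version: {server}")
    return findings


def run_dast(hardened: bool) -> list[str]:
    """Start the toy app on an ephemeral port, scan it, tear it down."""
    handler = type("Handler", (ToyApp,), {"hardened": hardened})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return dast_scan("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("SAST:", sast_sql_concat(SAMPLE_SOURCE))
    print("DAST vulnerable:", run_dast(False))
    print("DAST hardened:", run_dast(True))
```

Run it and the static check names line 3 of the sample, while the dynamic check returns four findings against the vulnerable handler and none against the hardened one. The point is the difference in vantage: the static check never executes anything and would still fire if find_user were dead code, while the dynamic check knows nothing about the source and would fire equally against the same behaviour written in any language or introduced by a proxy in front of the app.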

A New Breed of AppSec Tooling

To add application security testing to the CI/CD pipeline, the right tools are needed. As mentioned, the traditional security products on the market are heavy on enterprise sales and light on features for the modern dev shop. Luckily, new tools are hitting the market that are built for developer-first security.

As you look at potential tools, here are a few things to consider:

  • How the App Is Scanned: Are your DAST scans scheduled against a production environment, or does the tool assume ephemeral environments and pipeline runs? Does the SAST tool want you to zip up your code and ship it off to them, or does it integrate directly with your source code repository?
  • Support for Modern Applications: Does the tool support modern development paradigms, such as single-page applications, GraphQL, or JAMstack applications? Can it drive the scan from an OpenAPI spec, so that API routes a crawler would never discover are still tested, or does it rely solely on an HTML spider? Does it only scan publicly reachable pages, or can it work with multiple forms of authentication, such as form login or token-based APIs?
  • Noise Management: Traditional security tools are noisy with false positives and assume that fixing all findings is a priority over all else. Does the tool support quieting of noise to ensure that your workflows are not blown up by the addition of your security tool?

Getting Started

Adding application security tests to your CI/CD pipeline can feel like a daunting task, but it is actually easy to get started. Here’s how:

  • Pick Your Tools: Select SAST and DAST tools that you can easily try out and add to your pipeline. Make sure they meet the criteria above. (Hint: if they don’t let you test without first seeing a demo, they probably aren’t built for developers). I’m a little biased, but StackHawk was built from the ground up as a DAST tool for developers. And here at StackHawk, we are big fans of Snyk for SAST and dependency scanning.
  • Instrument in Pipeline: After configuring your tooling, add it to your CI/CD pipeline. We recommend starting with non-blocking runs at first while you triage any existing backlog of security issues. Now every build will include application security tests. For more examples of configuring pipeline instrumentation with StackHawk, check out our docs or this blog on instrumenting StackHawk with CircleCI.
  • Roll Out Across Engineering: Application security works best when distributed, with engineers fixing their own security bugs as they build software. This requires a cultural shift first, but a cultural shift comes much more easily when the right tooling is in place. One thing that helps drive it is visibility. At StackHawk, we are big fans of pushing the StackHawk results from a pipeline run into Slack. Another thing that helps is putting the fix of new issues in the hands of each engineer, while managing the fix of the existing backlog through a separate workstream; otherwise the first scan’s backlog buries the one new finding that matters for the change under review.
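The non-blocking start, the backlog triage and the new-versus-existing split described in these three steps come down to one small piece of pipeline logic, shown here as an added Python example; it is not code from the original post, and the result format is a constructed stand-in rather than the real output schema of StackHawk, Snyk or any other scanner. It fingerprints each finding by what it is and where it was found (rather than by a scanner-assigned id that changes between runs), snapshots the first scan as a baseline that the backlog workstream owns, and on later builds fails only on new findings at or above a chosen severity, or only reports them while the run is still non-blocking. The summary text is what you would post to a chat channel; the build URL in the sample is a placeholder.

```python
"""Gate a CI build on new findings only (added example; result schema is constructed).

Workflow: run non-blocking first, snapshot the existing backlog as a baseline,
then block merges only on findings that are new and at or above a severity.
"""
import hashlib
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output of a hypothetical scanner; not StackHawk's or Snyk's real schema.
SCAN_RESULTS = [
    {"plugin": "SQL Injection", "severity": "high", "path": "/api/users", "param": "id"},
    {"plugin": "Reflected XSS", "severity": "medium", "path": "/search", "param": "q"},
    {"plugin": "Missing Content-Security-Policy", "severity": "low", "path": "/", "param": ""},
    {"plugin": "Server Version Disclosure", "severity": "low", "path": "/", "param": ""},
]


def fingerprint(finding: dict) -> str:
    """Stable identity across runs: what was found, where, on which input.
    Scanner-assigned ids and timestamps churn between runs; these fields don't."""
    key = "|".join(finding.get(k, "") for k in ("plugin", "path", "param"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def snapshot_baseline(results: list[dict]) -> set[str]:
    """Run once after the first non-blocking scan: everything present today is the
    backlog, owned by a separate workstream rather than by the next PR author."""
    return {fingerprint(f) for f in results}


def gate(results: list[dict], baseline: set[str], fail_on: str = "high",
         blocking: bool = True) -> dict:
    """Split findings into known (baselined) and new, and decide the exit code."""
    new = [f for f in results if fingerprint(f) not in baseline]
    known = [f for f in results if fingerprint(f) in baseline]
    threshold = SEVERITY_RANK[fail_on]
    above = [f for f in new if SEVERITY_RANK[f["severity"]] >= threshold]
    return {
        "new": new,
        "known": known,
        "blocking": above,
        "exit_code": 1 if blocking and above else 0,   # non-blocking mode always exits 0
    }


def summary(report: dict, build_url: str) -> str:
    """Plain-text summary suitable for posting to a chat channel."""
    verdict = "FAILED" if report["exit_code"] else "passed"
    lines = [
        f"Security scan {verdict} for {build_url}",
        f"{len(report['new'])} new finding(s), {len(report['known'])} known (in backlog)",
    ]
    for f in report["new"]:
        flag = "BLOCKING" if f in report["blocking"] else "new"
        where = f["path"] + (f"?{f['param']}" if f["param"] else "")
        lines.append(f"  [{flag}] {f['severity']:<8} {f['plugin']} at {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Day 1: the two low findings already exist; snapshot them as the backlog.
    baseline = snapshot_baseline(SCAN_RESULTS[2:])
    # A later build introduces a high and a medium: the high blocks, the medium only reports.
    report = gate(SCAN_RESULTS, baseline, fail_on="high", blocking=True)
    print(summary(report, "https://ci.example.test/build/42"))  # placeholder URL
    sys.exit(report["exit_code"])
```

In the sample run the two low findings are baselined, the new high is blocking and the new medium is reported only; passing blocking=False keeps the same report but exits 0, which is the mode to run in while the backlog is still being triaged. Keep the baseline file in the repository so that accepting a finding is itself a reviewed change, and prune it as the backlog is fixed, or it quietly turns into an allow-list.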

At StackHawk, we’re obviously super passionate about this topic. If you want to talk shop, get technical support, or learn more about how we can help here, shoot us a note at hello@stackhawk.com.

Verified by
Co-Founder & COO