StackHawk Reviews & Product Details - Page 3

StackHawk Overview

What is StackHawk?

StackHawk makes it simple for developers to find and fix application security bugs. Scan your application for AppSec bugs in the code your team wrote, triage and fix with provided documentation, and automate in your pipeline to prevent future bugs from hitting prod.

StackHawk Details
Product Website
Languages Supported
English
Product Description

StackHawk makes it simple for developers to find, triage, and fix application security bugs. Scan your application for AppSec bugs in the code your team wrote, triage and fix with provided documentation, and automate in your pipeline to prevent future bugs from hitting prod.


Seller Details
Seller
StackHawk
Company Website
Year Founded
2019
HQ Location
Denver, CO
Twitter
@StackHawk
1,154 Twitter followers
LinkedIn® Page
www.linkedin.com
46 employees on LinkedIn®
Description

StackHawk is a leading application security company that specializes in automated security testing for developers. Their platform helps organizations identify and remediate vulnerabilities in web applications through dynamic application security testing (DAST) integrated into the development workflow. StackHawk's tools enable DevOps teams to improve security without sacrificing speed, allowing for continuous testing and deployment of secure code. For more information, visit their website at https://stackhawk.com.


Overview Provided by: Alexa S.

Recent StackHawk Reviews

Verified User, Mid-Market (51-1000 emp.)
4.0 out of 5
"Review"
Its scanning capabilities and easy integration into our CI/CD pipelines
David M., Mid-Market (51-1000 emp.)
5.0 out of 5
"StackHawk is a great DAST security tool"
We have recently partnered with StackHawk for dynamic security code scanning and the product has been fantastic. StackHawk has many methods for per...
Verified User, Mid-Market (51-1000 emp.)
4.5 out of 5
"StackHawk Review"
I like the ability to configure the YAML file centrally. I like the integrations that are available as well.
Security Badge
This seller hasn't added their security information yet.

StackHawk Media

StackHawk Demo - Finding Details
Security bug finding details from a scan of your application. Bug details, fix documentation, request/response payloads, and paths where the bug was found.
StackHawk Demo - HawkAI - All Repos
API Discovery & Observability powered by HawkAI
StackHawk is the only modern API security testing tool that runs in CI/CD, enabling developers to quickly find and fix security issues before they hit production.

67 StackHawk Reviews

4.6 out of 5

StackHawk Pros and Cons

Pros and Cons are compiled from review feedback and grouped into themes to provide an easy-to-understand summary of user reviews.

Overall Review Sentiment for StackHawk

Time to Implement (scale: <1 day to >12 months)
Return on Investment (scale: <6 months to 48+ months)
Ease of Setup (scale: 0 = Difficult to 10 = Easy)
G2 reviews are authentic and verified.
CN
Small-Business(50 or fewer emp.)
Validated Reviewer
Review source: Organic
What do you like best about StackHawk?

The price range is optimal, suitable for the organization size Review collected by and hosted on G2.com.

What do you dislike about StackHawk?

I don't think there are any major downsides.

What problems is StackHawk solving and how is that benefiting you?

Helping to find vulnerabilities, reducing the time every task takes.

Response from Nicole Jones of StackHawk

Thanks for the review, Carlos! We're thrilled to hear StackHawk is saving you time🎉

Ryan R.
Software Engineering Lead
Small-Business(50 or fewer emp.)
Validated Reviewer
Verified Current User
Review source: Organic
What do you like best about StackHawk?

My team began using StackHawk a few months ago for just one application that supports a website product. It provides us with potentially overlooked security risks and allows us additional verification data that risks/issues are mitigated as we expect.

1. Easy. StackHawk provides tooling that is incredibly easy to set up. They provide awesome documentation to start using the CLI. I also recommend the web UI, though, as the configuration is super straightforward.

2. Informative. The results of StackHawk security scans are fantastic. The details on risks/items identified are useful, clear, and nicely visualized. The web tool also provides utilities (i.e. copy as cURL) to attempt to reproduce specific test failures or run further diagnoses.

3. Thorough for APIs. Finally, the security scanning tools are exceptional for API-based applications/systems. Especially with a strict typing-based architecture like GraphQL, StackHawk can really provide high-value outputs for a relatively tiny setup cost/effort.

What do you dislike about StackHawk?

I wouldn't say I dislike anything provided by StackHawk at the moment. However, in the relatively contained way that we've used the tool, we have a few recommendations available for consideration.

1. Organization by concern area. The output risk items are nicely tagged. However, it would be valuable to provide tags or areas upfront that customize/modify the type of scan that is executed (i.e. targeting risks for cross-site scripting).

2. Technology-specific or stack-specific scans. Our application is a Ruby on Rails website and StackHawk currently treats that as a generic web app. This is not a problem, but as StackHawk expands it would be interesting to drill down on high-value tests that are relevant to an application's current architecture.

3. GitHub Security issues. Lastly, since we use GitHub Actions for CI, it would be awesome to see an integration where StackHawk risks are written straight to the repository's security items. I'm sure this is already possible today and it is a matter of time before it becomes built-in.

What problems is StackHawk solving and how is that benefiting you?

StackHawk helps us be productive by providing security awareness and maintenance on a small team with limited capacity. It improves our efficiency and reduces development costs by providing us solid baseline security monitoring without the cost of spending major development time or having to pay external security groups/pen testers.

Verified User in Retail
Mid-Market(51-1000 emp.)
Validated Reviewer
Review source: Organic
What do you like best about StackHawk?

Can find the most common vulnerabilities in common web applications. Easy to use and nice UI.

What do you dislike about StackHawk?

It comes nowhere near a real pen-test, and it doesn't find many vulnerabilities in GraphQL.

What problems is StackHawk solving and how is that benefiting you?

Having a DAST tool.

Response from Nicole Jones of StackHawk

Thanks for your review!

GraphQL scanning can be tricky. If you were not able to find many vulnerabilities in GraphQL, I recommend adding custom variables to your configuration. Using custom values allows you to scan operations that can potentially access real data and exercise more branches of your application’s code than default static values that may not exist in the context of your application.

An alternative solution is to generate smart values with the Java Faker library instead of providing your own. HawkScan will use the Faker library to generate smarter values when the proper information is supplied in the GraphQL schema.

Victor P.
Full-Stack Software Engineer
Small-Business(50 or fewer emp.)
Validated Reviewer
Verified Current User
Review source: Organic
What do you like best about StackHawk?

1. Comprehensive insights - Within an hour after doing the initial setup, I had actionable suggestions for issues I probably wouldn't have discovered otherwise. Most notably, it managed to identify cases in which my code would misbehave against hostile input, despite the fact that the code seemed perfectly fine from a logical point of view; the actual culprit was likely a mix of software versions and library dependencies, but this insight allowed me to develop a secure workaround.

It also had many other suggestions, which were very much welcome, and I feel a lot more confident that I've done right by my users after enacting those changes.

2. Insights are easy to replicate - the request and response are detailed for each call, so you can verify them yourself.

3. A final plus worth noting is that it's easy to integrate with your CI/CD pipeline on most of the popular repository hosting sites. It's also highly configurable - you can decide how long you want the scanner to run for in total and for each individual rule it checks against as well. This makes it easier to sustain, as you might want lighter checks if you run it often.

What do you dislike about StackHawk?

The setup isn't the easiest compared to some competitors. You do have to download a Docker image and run the scanner, or integrate it into your CI/CD pipeline. However, this is a minor nitpick and I was up and running in less than 20 minutes.

What problems is StackHawk solving and how is that benefiting you?

I needed a security tool that could automate the security audit/pentest process, but the project I wanted to use it for was small and didn't have a budget available.

After trying a few free tools, many of which gave me suggestions that were very low-risk or already addressed, or locked their better recommendations behind a paywall, I decided to try StackHawk.

I was very impressed with the results, as mentioned above. StackHawk helped me secure my project, and the generous offering on the free tier was perfect for my needs. I would happily recommend trying it to anyone looking to improve the security of their projects, and I especially praise them for offering such an excellent service on the free tier.

Avinash U.
DevOps Engineer-I
Enterprise(> 1000 emp.)
Validated Reviewer
Verified Current User
Review source: Organic
What do you like best about StackHawk?

The StackHawk tool has great documentation and is very intuitive to set up for a developer and for a DevOps person. With StackHawk, we can find vulnerabilities in a running environment rather than a static environment, which means that we are aware of the threats to our application in a live environment. StackHawk has loads of CICD and notification integrations, although a few popular notification channels such as Discord, which are used in most personal projects, are missing.

What do you dislike about StackHawk?

StackHawk lacks the feature to set optional integrations for certain applications and environments. All scan results from all applications and environments are sent to all integrations that are enabled. In the Datadog integration, the overall risk level is not sent and it is inconvenient to set up custom parsing rules to calculate the risk level and alert based on that. StackHawk requires a Docker image for running tests in CICD, and not all applications are containerized, making it incompatible with non-containerized applications. A JUnit report format would have been an excellent addition to the existing list of JSON and PDF report formats.

Recommendations to others considering StackHawk:

StackHawk is heavily dependent on Docker. If your organization does not use Docker for your applications, StackHawk might not be the right fit for DAST.

What problems is StackHawk solving and how is that benefiting you?

We use StackHawk to find vulnerabilities in our application when it is running, through GitHub Actions and through regular CLI checks. The output result is sent to Datadog/Slack. We are able to catch vulnerabilities before the application reaches production through the CICD integration and even monitor our production environment through the CLI.

SG
Software developer
Small-Business(50 or fewer emp.)
Validated Reviewer
Verified Current User
Review source: Organic
What do you like best about StackHawk?

It quickly finds the bug and supports our team in fixing that security vulnerability. It helps my team with REST and GraphQL API scanning and simple fix documentation too. It's easy to use.

What do you dislike about StackHawk?

To date, I haven't found any issues with StackHawk.

Recommendations to others considering StackHawk:

Best anti-bug

What problems is StackHawk solving and how is that benefiting you?

We're working on an application where we get a lot of customers. If any security issue might affect our data, we've fixed the vulnerabilities with StackHawk while it's in the pipeline. We believe in the quote, "Prevention is better than cure".

AYROTI D.
Open source contributor
Small-Business(50 or fewer emp.)
Validated Reviewer
Review source: Organic
What do you like best about StackHawk?

StackHawk is a handy tool when it comes to security testing as well as operating. The tool helps me to avoid vulnerable bugs. The UI/UX of StackHawk is top-notch and has vibrant colours.

What do you dislike about StackHawk?

StackHawk isn't great when it comes to setup of the software, as it requires a Docker image for running in the CI/CD pipeline, which makes it incompatible with non-containerized applications, and its support team is the best.

Recommendations to others considering StackHawk:

I would definitely recommend it.

What problems is StackHawk solving and how is that benefiting you?

We're working on a large codebase and one security vulnerability may cause our organization a huge loss; StackHawk plays a major role by finding security bugs in live code and suggesting how to solve them.

Woody P.
Co-Founder, CTO
Small-Business(50 or fewer emp.)
Validated Reviewer
Review source: Organic
What do you like best about StackHawk?

In no particular order:

I love their UI/UX. It presents issues clearly, where I can easily give them to junior programmers to investigate & fix with nothing more than a link to an issue or a scan. It provides good explanations for the issues it flags, as well as links to blog articles about the issues (sometimes specific to dealing with it in our particular framework). It also has detailed request data, including a cURL command to reproduce the issue, the response body, and highlights "evidence" it found attempting to prove that an issue is not a false positive.

Their PDF reports aren't just a print version of the dashboard, but a well-formatted, good-looking, PDF-specific design that is a good deliverable for clients or just to record our security issues at a particular moment in time. Their dashboard is also easy to grok as well.

I like that unlike other static analyzers that scan code to assess potential vulnerabilities, StackHawk scans your site to actually try to trigger vulnerabilities and produce evidence. Through this method, StackHawk found XSS vulnerabilities and warned about other potential issues that other tools didn't find, and they were clearly reproducible. Also, this method is more confidence-inspiring, and has produced far fewer false positives than code analysis. Our company still uses static code analysis, as it is quick & cheap (good for continuous integration), but we now consider StackHawk the definitive tool for programmatic assessment of security vulnerabilities.

I also like their pricing model. The free tier is legitimately useful, the pricing upgrades make sense, and I can just do it all myself. Several competitors offer similar scan products but cost thousands of dollars per year and require talking to an account manager to set up. I did talk to a couple sales reps for other products, and as a non-profit looking to keep costs low, two different sales reps never got back to me about discounted plans (and their free plans were just limited trials). One I never actually tried because the whole product was paywalled, which is fine for bigger clients I assume, but inaccessible to me.

What do you dislike about StackHawk?

The only downside to StackHawk so far is the time a scan takes. While static code analysis can take just minutes, or even seconds when focusing on the files in a particular changeset, StackHawk's scans take hours to complete and require us to either ramp up our test server capacity or dedicate a developer's machine to the scan. Slow scan time is fine if we're focused on security for a particular assessment or quarterly review, but we can't use it as part of our continuous integration pipeline "out of the box." They do have documentation on reducing scan times by optimizing the routes it looks at, parallelizing certain areas of the site, etc., but we'd have to set up a fair bit of infrastructure to get this working. We might, someday, but it's certainly not as easy as just hooking up a code analyzer to GitHub.

Also, once you resolve an issue with your site, I couldn't find a way to re-run just that one issue and update the scan report because there isn't (or doesn't seem to be) a central list of issues. Instead, you have a list of scans, and although scans do show previously assigned/accepted/ignored issues as such in new scans, it displays scans as islands of their own. This just means to get a "clean" report we have to run an entirely new scan, which takes time, unless we also spend time optimizing our scan time. So far I've just let it run overnight, which minimizes my time spent, but re-checking just one issue would be nice.

What problems is StackHawk solving and how is that benefiting you?

We're checking the attack area of our site for vulnerabilities before a significant feature release. StackHawk has found several real issues other analyzers or security consultancies didn't find, and with a very low signal-to-noise ratio. As mentioned previously, since the issues are presented so clearly, we've been able to assign these issues to be fixed by more junior programmers, which is an added cost benefit.

Ahsan A.
CEO
Small-Business(50 or fewer emp.)
Validated Reviewer
Review source: Organic
What do you like best about StackHawk?

Many people aren't familiar with application security testing, development security operations, or the dynamic tools that can be used to test and monitor products. I love how StackHawk allows a single point of context to maintain a developer account for free. At the same time, a single pro user is (at the time of writing this) roughly $35/month, around the same as a typical gym membership. Application security is critically important, and StackHawk makes it available to nearly everyone.

What do you dislike about StackHawk?

There's nothing specifically to dislike, though I'd love to have more real-time visual analytics formatted for mobile access.

Recommendations to others considering StackHawk:

Leverage the trial period to install and implement things early and with little to no risk or cost. Establish performance baselines, and then scan continuously as you deploy, roll out and release products.

What problems is StackHawk solving and how is that benefiting you?

StackHawk allows for all sorts of ongoing testing of my company's mobile apps. We do penetration testing, MFA testing, password algorithm, E2EE, load, flow, API testing, and more on iOS, Android, our PWAs, dashboards, and even throughout our AWS cloud - with which it integrates smoothly and seamlessly.

Eran K.
Director Of Engineering
Mid-Market(51-1000 emp.)
Validated Reviewer
Verified Current User
Review source: Organic
What do you like best about StackHawk?

StackHawk does a great job making configuring and running the scan as easy as possible by wrapping everything up in a Docker container that can run both locally by developers and on CI.

What do you dislike about StackHawk?

We've had to put in a little effort to get it to work with OAuth authentication, but it's much less work and more straightforward than anything else we tried.

What problems is StackHawk solving and how is that benefiting you?

- SOC2 compliance requires running DAST, and Stackhawk helped us fill that need without a lot of effort.

- Monitors our website for security issues we might have missed during development.