Podcast Summary: StackHawk and Shift-Left API Security with Scott Gerlach
Podcast Information:
- Title: Software Engineering Daily
- Host/Author: Software Engineering Daily
- Description: Technical interviews about software topics.
- Episode: StackHawk and Shift-Left API Security with Scott Gerlach
- Release Date: March 6, 2025
Introduction
In this episode of Software Engineering Daily, host Gregor Vand interviews Scott Gerlach, co-founder and Chief Security Officer (CSO) at StackHawk. Scott brings a wealth of experience from his previous roles at SendGrid and GoDaddy, where he led security operations and engineering teams. The conversation delves deep into the evolving landscape of API security, the challenges faced by software teams, and how StackHawk is pioneering solutions to address these issues.
Guest Introduction
Scott Gerlach introduces himself as a seasoned security professional with nearly a decade of experience managing security teams. His journey includes pivotal roles at major companies like GoDaddy and SendGrid, culminating in the co-founding of StackHawk after recognizing significant gaps in application security (AppSec).
[00:00] Scott Gerlach: "APIs are a fundamental part of modern software systems and enable communication between services, applications and third-party integrations. However, their openness and accessibility also make them a prime target for security threats."
API Security Challenges
The discussion begins with the inherent vulnerabilities of APIs. As the backbone of modern software, APIs facilitate critical interactions but also present numerous security challenges. Scott emphasizes the dual nature of APIs—while they enable seamless integration and functionality, they are equally susceptible to exploitation due to their exposed nature.
[10:41] Gregor Vand: "APIs are literally just roads to your database. That's pretty much the simplest way to put it."
Scott elaborates on the complexity introduced by the proliferation of APIs and the impact of Large Language Models (LLMs) on software development, which inadvertently contributes to API sprawl and potential security weaknesses.
StackHawk's Proactive Approach to API Security
StackHawk distinguishes itself by adopting a proactive stance on API security, aiming to identify and mitigate vulnerabilities before they can be exploited. Unlike traditional reactive methods that address issues post-incident, StackHawk focuses on continuous monitoring and testing to maintain robust security postures.
[08:15] Scott Gerlach: "The proactive side is one of the things that I've kind of lived my security life by... being proactive helps reduce the amount of risk that they're putting out onto the Internet."
This proactive methodology aligns with the "shift-left" philosophy, integrating security earlier into the development lifecycle to prevent vulnerabilities from arising in the first place.
Discovery and Attack Simulation
A core functionality of StackHawk is its ability to discover APIs by scanning source code repositories. By connecting directly to a company's source code, StackHawk identifies various API types—REST, GraphQL, SOAP, etc.—and assesses their security postures through dynamic application security testing (DAST).
[12:53] Scott Gerlach: "We think about source code as the source of truth for any company that's writing software for any value at all."
Once APIs are discovered, StackHawk simulates real-world attacks to evaluate their resilience. This involves testing APIs with both valid and invalid data to uncover potential vulnerabilities and business logic flaws.
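The valid-versus-invalid probing described above can be shown in miniature. The following added example is not StackHawk's scanner or code from the episode: it defines a constructed transfer endpoint in two versions (one without input validation, one hardened) and a small probe set, then reports which probes produced a 5xx, leaked an exception name, or accepted bad input. The handler names, payloads and checks are all assumptions made for illustration.

```python
"""Added example: exercising an endpoint with valid and invalid input, the way a
dynamic test would, and recording how it fails. Not StackHawk code; the handlers
and payloads below are constructed for illustration."""
import json
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, object]]  # (HTTP status, JSON body)


def transfer_unhardened(raw_body: str) -> Response:
    """Handler with no input validation: malformed input raises, and a naive
    framework turns that into a 500 with the exception text in the body."""
    try:
        body = json.loads(raw_body)
        amount = int(body["amount"])
        return 200, {"moved": amount, "to": body["to"]}
    except Exception as exc:  # stands in for a framework's default error page
        return 500, {"error": f"{type(exc).__name__}: {exc}"}


def transfer_hardened(raw_body: str) -> Response:
    """Same handler with explicit validation: bad input gets a 400 with a generic
    message, and the business rule (positive amount) is enforced."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "invalid JSON"}
    if not isinstance(body, dict):
        return 400, {"error": "expected an object"}
    amount = body.get("amount")
    to = body.get("to")
    # bool is a subclass of int, so exclude it explicitly
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        return 400, {"error": "amount must be a positive integer"}
    if not isinstance(to, str) or not to.isalnum():
        return 400, {"error": "to must be an alphanumeric account id"}
    return 200, {"moved": amount, "to": to}


# Constructed probe set: one valid request and a range of malformed ones.
PROBES: List[Tuple[str, str]] = [
    ("valid", '{"amount": 10, "to": "acct42"}'),
    ("not json", "{amount: 10"),
    ("missing field", '{"amount": 10}'),
    ("wrong type", '{"amount": "ten", "to": "acct42"}'),
    ("negative amount", '{"amount": -5, "to": "acct42"}'),
    ("array body", "[1, 2, 3]"),
]


def probe_handler(handler: Callable[[str], Response]) -> List[str]:
    """Run every probe and return a line for each one that revealed a problem:
    a 5xx, an exception name leaking into the body, or a 2xx for bad input."""
    findings: List[str] = []
    for name, payload in PROBES:
        status, body = handler(payload)
        leaked = "Error" in str(body.get("error", ""))
        if status >= 500 or leaked:
            findings.append(f"{name}: {status} {body}")
        elif name != "valid" and status < 300:
            findings.append(f"{name}: accepted bad input ({status})")
    return findings


if __name__ == "__main__":
    for label, handler in (("unhardened", transfer_unhardened),
                           ("hardened", transfer_hardened)):
        print(f"== {label} ==")
        for line in probe_handler(handler) or ["no findings"]:
            print("  " + line)
```

Run against the unhardened handler, the probes surface four 500s that echo exception names and one negative transfer that is silently accepted (the business-logic flaw); the hardened handler yields no findings. The same classification (5xx, leaked error detail, 2xx on bad input) is what a dynamic scanner reports when it probes a real endpoint over HTTP.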
REST vs. GraphQL Complexity
The conversation explores the differing complexities between REST and GraphQL APIs. Scott highlights that while GraphQL offers self-documentation benefits, it also introduces unique security challenges such as recursion attacks. StackHawk caters to both API types, ensuring comprehensive security coverage regardless of the chosen architecture.
[17:25] Scott Gerlach: "GraphQL is really good about self-documentation and REST is not. That's the very first difference..."
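The recursion risk Scott mentions comes from GraphQL letting a client nest a relationship inside itself (a user's friends' friends' friends, and so on) until the server does far more work than intended. A standard mitigation is a depth limit enforced before the query executes. The following added example is not StackHawk's code or any GraphQL library's API; it is an illustrative depth counter over the raw query text, with constructed queries, and it also demonstrates the general case of rejecting malformed (unbalanced) documents.

```python
"""Added example: reject GraphQL queries whose selection sets nest too deeply.
Illustrative code, not StackHawk's scanner or a GraphQL library; the queries
built below are constructed for the demonstration."""
from typing import Tuple


def query_depth(query: str) -> int:
    """Return the maximum nesting depth of selection sets in a GraphQL document.

    The outermost `{ ... }` of an operation counts as depth 1. String literals,
    block strings and `#` comments are skipped so braces inside them are not
    counted. Unbalanced braces raise ValueError.
    """
    depth = 0
    max_depth = 0
    i = 0
    n = len(query)
    while i < n:
        if query.startswith('"""', i):            # block string
            end = query.find('"""', i + 3)
            i = n if end == -1 else end + 3
            continue
        ch = query[i]
        if ch == '"':                             # ordinary string literal
            i += 1
            while i < n and query[i] != '"':
                if query[i] == "\\":              # skip escaped character
                    i += 1
                i += 1
        elif ch == "#":                           # comment to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces in query")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced braces in query")
    return max_depth


def enforce_depth_limit(query: str, max_depth: int = 5) -> Tuple[bool, str]:
    """Return (allowed, reason). Malformed documents are rejected as well."""
    try:
        depth = query_depth(query)
    except ValueError as exc:
        return False, str(exc)
    if depth > max_depth:
        return False, f"query depth {depth} exceeds limit {max_depth}"
    return True, f"query depth {depth} within limit {max_depth}"


def nested_friends_query(levels: int) -> str:
    """Build a constructed `user { friends { friends { ... name } } }` query
    with `levels` nested `friends` selections (depth = levels + 2)."""
    inner = "name"
    for _ in range(levels):
        inner = "friends { " + inner + " }"
    return 'query { user(id: "1") { ' + inner + " } }"


if __name__ == "__main__":
    for levels in (1, 3, 10):
        allowed, reason = enforce_depth_limit(nested_friends_query(levels))
        print(f"{levels:2d} levels: {'allowed' if allowed else 'rejected'} ({reason})")
    print(enforce_depth_limit("query { a { b }"))
```

The limit belongs at the server, in front of the resolver layer, and is usually paired with a query cost or complexity budget, since a wide but shallow query can be as expensive as a deep one. A scanner that understands GraphQL introspection can generate exactly these nested queries to confirm the limit is in place; this block only shows the server-side check.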
Impact of Generative AI on Code and Security
The advent of Generative AI tools like GitHub Copilot has revolutionized code generation, leading to faster development cycles but also introducing new security concerns. Scott discusses how AI-generated code can inadvertently embed vulnerabilities, necessitating robust security testing tools like StackHawk to validate and secure the generated code.
[20:45] Scott Gerlach: "The LLM being able to write code... is contributing to the explosion of APIs... introducing vulnerabilities."
He further envisions a future where AI tools not only generate code but also provide real-time security feedback, akin to a spell-checker for code integrity.
Developer Experience (DevEx) and StackHawk Integration
StackHawk is designed with developers in mind, emphasizing ease of integration and configuration. Utilizing YAML for configuration, StackHawk allows developers to seamlessly incorporate security testing into their workflows without disrupting their development processes.
[29:10] Scott Gerlach: "The way that we build the tool and how you use it... is really, really dev friendly configuration as code. We use YAML."
Additionally, StackHawk offers authenticated scanning, a critical feature that allows DAST tools to navigate and test behind authentication barriers, ensuring comprehensive security assessments.
StackHawk vs. Competitors
When compared to competitors like Snyk, StackHawk emphasizes speed and developer-centric design. Scott critiques some competitors for their slower scanning processes and less intuitive developer experiences, positioning StackHawk as a more agile and user-friendly alternative.
[38:00] Scott Gerlach: "It's a security like click checkbox security tool that you put something on the Internet and you scan it and hope that there's nothing bad in there when the results come back in a couple days."
Industry Focus: Financial Sector
StackHawk serves a diverse clientele, including a significant presence in the financial services sector. Scott notes that while APIs in financial institutions may not differ drastically from other industries, the stringent regulatory requirements make robust API security paramount.
[41:34] Scott Gerlach: "There's a ton of regulation... companies can make that an advantage to your company by integrating the security process."
Closing Remarks
In wrapping up, Scott underscores the importance of integrating security tools like StackHawk early in the development process to foster a culture of security-minded development. He encourages listeners to explore StackHawk through a free trial or by booking a demo to experience its capabilities firsthand.
[43:29] Scott Gerlach: "You can always start a free trial of StackHawk... we'd be happy to give you a demo, help you out, understand how StackHawk can help your business."
Gregor concludes the episode by highlighting the value StackHawk brings to modern software development, particularly in enhancing API security and streamlining developer workflows.
[45:51] Gregor Vand: "Coming on, telling us all about StackHawk. Sounds like an awesome platform."
Key Takeaways:
- Proactive API Security: Emphasizing early detection and mitigation of vulnerabilities.
- Comprehensive API Coverage: Supporting various API types, including REST and GraphQL.
- Developer-Centric Design: Ensuring seamless integration into development workflows.
- Impact of AI on Development: Addressing security challenges introduced by AI-generated code.
- Industry Relevance: Serving sectors with stringent security and regulatory requirements, notably finance.
Notable Quotes:
- Scott Gerlach: "[...] being proactive helps reduce the amount of risk that they're putting out onto the Internet." [08:15]
- Gregor Vand: "APIs are literally just roads to your database." [10:41]
- Scott Gerlach: "GraphQL is really good about self-documentation and REST is not." [17:25]
- Scott Gerlach: "The LLM being able to write code... is contributing to the explosion of APIs... introducing vulnerabilities." [20:45]
- Scott Gerlach: "...a security like click checkbox security tool that you put something on the Internet and you scan it and hope that there's nothing bad in there..." [38:00]
This episode provides invaluable insights into the state of API security, the innovative approaches StackHawk employs to safeguard modern software systems, and the evolving dynamics between development, security, and emerging technologies like AI.
