StackHawk: This Company Makes It Easier For Developers To Fix Application Security Bugs

By Amit Chowdhry • Jan 19, 2024

StackHawk is a company that makes it simple for developers to find and fix application security bugs. Pulse 2.0 interviewed StackHawk co-founder and chief security officer (CSO) Scott Gerlach to learn more about the company.

Scott Gerlach’s Background

As Chief Security Officer (CSO) and co-founder at StackHawk, Gerlach has over 20 years of experience working in information security, helping solve some of the most complex cybersecurity challenges. And Gerlach said:

“My expertise spans developing, implementing, and managing Information security strategy and policy, risk management, intrusion detection, vulnerability assessment, network security design, application security, and incident response. Before co-founding StackHawk, I served as CSO at SendGrid/Twilio and spent nearly a decade in security at GoDaddy.”

Formation Of StackHawk

How did the idea for StackHawk come together? Gerlach shared:

“Our CEO, Joni Klippert, had built her career in DevOps and was researching ways to pull application security closer to software development. As part of that, she was interviewing CISOs at technology companies and I just so happened to be one of those lucky people – and happened to have some strong opinions about how AppSec was broken. I laid out my thoughts in what I’d describe as a passionate manner, and honestly, I didn’t even think I’d hear from Joni again. But, as it turned out, she also shared a curiosity/frustration that Devs, the ones that introduce and ultimately the only ones that can fix appsec problems, were always the last ones to know about them.”

Favorite Memory

What has been your favorite memory working for the company so far? Gerlach reflected:

“Hmm, I can only pick one….? No, I refuse.

— The first time we showed the StackHawk solution to a Dev and asked what they’d do with this information about the findings and they said, “Probably fix them”. It was our first “Aha!” moment.

— The time the whole team fit into an elevator as we left the office we had just moved into. The next Tuesday was when COVID lockdowns happened. The team showed true passion and resilience as we went full steam ahead while fully dispersed.

— Every time the team has gone to a conference and we get to just decompress and hang out.

— Oh, the first sale wasn’t bad either!”

Core Products

What are the company’s core products and features? Gerlach explained:

“StackHawk’s application and API security testing platform empowers engineers to easily find and fix application security bugs at any stage of the software development lifecycle. Our product focuses on testing in pre-production environments, allowing development teams to actively run security testing as part of their familiar software testing workflows. From testing locally to reviewing pull requests and breaking the build to ensure code is secure before it hits production, StackHawk works where and how users prefer to work, providing AppSec teams with controlled, security-tested applications without slowing down their engineering counterparts. Built for engineers to own the initial triage and resolution of security issues from within their CI/CD workflows, the platform empowers developers to deliver secure, high-quality code at an accelerated rate. By surfacing security bugs in their native development environments, StackHawk allows developers to simultaneously achieve productivity and collaboration with security.”

Evolution Of StackHawk’s Technology

How has the company’s technology evolved since launching? Gerlach noted:

“StackHawk is essentially the same product that our CEO Joni, Chief Architect KC Berg, VP of Design Aaron White, and I strategized on a whiteboard four years ago in Joni’s living room. However, I will say, that our focus on API Testing specialization has been a significant investment and change from where we started. Building the product with the ability to test running APIs for security vulnerabilities was always in the plan, but it has also positioned us uniquely to address the emerging need for comprehensive API security testing. We’re putting a lot of intention into providing the best solution for how we build and deploy APIs today. I’m biased, but I still think we’ve built the best solution on the market for testing APIs during development.”

Significant Milestones

What have been some of the company’s most significant milestones? Gerlach cited:

“Like most startups, it all began with a Seed Round. Then with the initial funding secured, we were able to hire our first two engineers, Sam and Topher, who remain integral to our team today.”

“As we acquired more customers, we continued on to raise Series A and Series B rounds to grow the team and invest more into the product. The thing that’s really significant for me is seeing some really well known brands become customers. It’s fun to see them in the pipeline and listen to how they describe the problems they are trying to solve. It’s like they were in our very early meetings talking about the exact value we are building.”

Customer Success Stories

After asking Gerlach about customer success stories, he cited:

“With cybercrime on the rise at accelerating rates in the past year, security teams are already stretched thin. Data shows that the ratio between security to engineering teams runs 1:100, and engineers spend on average 8 hours triaging one bug. By putting API security testing into the hands of those responsible for building the software, businesses can find and fix bugs and threats directly at the source, effectively streamlining testing and development procedures in the process.”

“StackHawk customer OneMedical shared that StackHawk was the only solution to meet the company’s key criteria of getting developers involved in application security so they could triage issues themselves. Another customer, Maya, shared that StackHawk has saved the company approximately two hours each day on back-and-forth conversations about how a vulnerability should be fixed.”

“StackHawk enables teams to scan all endpoints, enabling secure code to be shipped, while saving hours a week in time and resources for developers, DevOps engineers and security team members. In addition, with a modern price point based on code contributors instead of applications, teams can cover all applications and run unlimited scans, within budgetary standards, which historically was not feasible based on legacy tool pricing plans.”

Differentiation From The Competition

What differentiates the company from its competition? Gerlach affirmed:

“At its core, we set out to help Development teams find, understand, and fix API and application security vulnerabilities. We know that serving those teams well is the only way to effectively scale an AppSec program. As a side effect of that, it enables security teams to do more with less. Instead of spending time moving tickets around that no one wants to fix or address, they can spend time consulting about risk and ways to mitigate problems. There’s way more value in that for an organization.”

Future Company Goals

What are some of the company’s future company goals? Gerlach concluded:

“1.) Change the world by helping developers produce more secure software. 2.) Change the way people think of DAST by taking a different approach that focuses on testing the APIs directly – Dynamic API Security Testing, as I like to call it.”