tl;dr
The Tools do Different Things. Snyk finds vulnerabilities in your app’s open source dependencies whereas StackHawk finds security bugs that your team has written into the code.
Both Are Important. If you want to ship secure applications, you should be doing both static (Snyk) and dynamic (StackHawk) checks for security bugs. We recommend using both products. And the good news is, both products are free to get started with.
We’re Big Fans of Snyk. Here at StackHawk, we are strong believers in building security tools for developers. Snyk shares our belief and it shows in their product. We use Snyk internally and we are fans.
Read more below to learn about Snyk, StackHawk, and the difference between static analysis of dependencies and dynamic application scanning.
Snyk: Use Open Source, Stay Secure
Snyk (snyk.io) connects to your GitHub repo and builds dependency trees for your applications. It then maps these open source dependencies against a database of known vulnerabilities, surfacing vulnerable open source that has been pulled into your application. Snyk is built for developers, including IDE integrations and inclusion in the CI/CD pipeline. Snyk can automatically open a pull request to update to the secure patched version. Snyk has also recently released a container scanning product that finds vulnerabilities in containers and Kubernetes applications.
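To make the dependency-matching step concrete, here is a small added example (not Snyk's code) that parses a pinned requirements-style lockfile and checks each dependency against a list of advisories with affected version ranges. The lockfile contents, package versions and advisory identifiers are all constructed for illustration; the `EXAMPLE-…` ids are placeholders, not real vulnerability identifiers.

```python
# Added example (not Snyk's code): a minimal dependency check in the style the
# text describes. It parses pinned dependencies from a requirements-style
# lockfile and matches them against a small advisory list. Both the lockfile
# and the advisories below are constructed for illustration; the advisory ids
# are placeholders, not real identifiers.

LOCKFILE = """\
requests==2.19.0
flask==2.0.3
pyyaml==5.3.1
"""

# Each advisory: package, first affected version (inclusive), first fixed
# version (exclusive upper bound).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "requests", "introduced": "2.0.0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-0002", "package": "pyyaml",   "introduced": "0.0.0", "fixed": "5.4.0"},
    {"id": "EXAMPLE-0003", "package": "flask",    "introduced": "0.0.0", "fixed": "1.0.0"},
]


def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; sufficient for the constructed data above.
    return tuple(int(part) for part in v.split("."))


def parse_lockfile(text: str) -> dict:
    """Return {package_name: pinned_version} from 'name==version' lines."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, advisory: dict) -> bool:
    # Affected when introduced <= version < fixed.
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable(deps: dict, advisories: list) -> list:
    """Map the dependency set against the advisory list, as a dependency checker does."""
    findings = []
    for adv in advisories:
        version = deps.get(adv["package"])
        if version is not None and is_affected(version, adv):
            findings.append({
                "package": adv["package"],
                "version": version,
                "advisory": adv["id"],
                "upgrade_to": adv["fixed"],
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(parse_lockfile(LOCKFILE), ADVISORIES):
        print(f"{f['package']}=={f['version']} matches {f['advisory']}; "
              f"upgrade to >= {f['upgrade_to']}")
```

The `upgrade_to` field is what a tool like Snyk turns into the automated pull request the paragraph mentions: the first version that leaves the affected range.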
StackHawk: Find, Triage, and Fix Security Bugs
StackHawk is an application security tool built to help developers find, triage, and fix security bugs in their applications. The key difference here is that StackHawk finds bugs that you or your team may have written into the code, not bugs that exist in open source dependencies. StackHawk scans a running version of your application, either in local development or in the CI/CD build pipeline. Because it is scanning a running version of the app, it finds the same bugs that would be available to an outside attacker of the application.
StackHawk finds bugs such as SQL Injection, Arbitrary Code Execution, OS Command Injection, Path Traversal, Cross Site Scripting, Cross Site Request Forgery, Open Redirect and more. Many of these bugs are the same type that you would find with an application dependency checker like Snyk, but the way in which they are introduced into the app is different.
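The distinction between a bug in a dependency and a bug the team wrote is easiest to see with SQL Injection, the first item in the list above. The added example below (not StackHawk's code, and not the original page's) uses an in-memory SQLite table, constructed for illustration, with the same lookup written two ways: once with the request value pasted into the SQL text, once with a bound parameter. The vulnerable version is exactly the kind of defect that exists only in the application's own code, which is why it is found by exercising the running app rather than by checking dependency versions.

```python
# Added example (not StackHawk's code): a bug written into the application
# itself, beside its fix. The SQLite table is constructed for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Bug written into the app: the request value is spliced into the SQL text,
    # so whoever supplies `username` controls the structure of the query.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_fixed(conn: sqlite3.Connection, username: str) -> list:
    # Fix: a bound parameter keeps the input as data; the SQL structure is fixed
    # and no dependency upgrade is involved.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A normal request behaves the same either way.
    print(lookup_user_vulnerable(conn, "alice"))
    print(lookup_user_fixed(conn, "alice"))
    # A request carrying a quote character, as a DAST scanner would send it:
    # the vulnerable version returns every row because the WHERE clause became
    # a tautology; the fixed version returns nothing, since no user has that
    # literal name.
    probe = "x' OR '1'='1"
    print(lookup_user_vulnerable(conn, probe))
    print(lookup_user_fixed(conn, probe))
```

Nothing in the dependency list changes between the two versions, so a dependency checker reports the same result for both; only exercising the running endpoint, or reviewing the code, distinguishes them.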
Dynamic vs. Static Scanning: A Primer
As mentioned, the key difference between Snyk and StackHawk is that they are different categories of tools. Snyk is a static analysis tool and StackHawk is a dynamic scanning tool. Static Application Security Testing (SAST) tools scan the source code of an application for vulnerabilities in dependencies whereas Dynamic Application Security Testing (DAST) tools scan the running application for security bugs. These approaches are sometimes called whitebox for SAST and blackbox for DAST, pointing to the perspective taken when assessing vulnerabilities. Whitebox / SAST scans assume knowledge of the code whereas blackbox / DAST scans have the same perspective as an outside attacker, with no prior knowledge of the application.
Both dynamic and static scanning are important for building secure apps. We recommend setting up free versions of StackHawk and Snyk to start testing and fixing security bugs.