Case Study: Change.org achieves formalized, dev-first security and drastically reduced vulnerabilities with StackHawk

Change.org Brings in Dev-First Security Solutions to Improve Security Posture

Change.org, the world’s largest tech platform for social change with over half a billion users and millions visiting daily, faced inconsistent and fragmented security practices as individual engineers handled scans and remediation in isolation. To formalize their security process and better protect user data and critical petition content, Change.org adopted dev‑first security tools including StackHawk’s Dynamic Application Security Testing (DAST) alongside Snyk’s Static Application Security Testing (SAST).

By integrating Snyk SAST with StackHawk DAST on their AWS‑hosted platform, Change.org shifted left—testing code for security issues before deployment and standardizing how scans and fixes are performed. StackHawk’s solution helped drastically reduce vulnerabilities across the website and backend, enabled faster engineer remediation, improved operational efficiency, and strengthened protections for the millions who use Change.org every day.

Change.org

Will Whittaker

Principal Security Engineer