SAST Cloud Upload

Introduction to WhiteHat Sentinel Application Security Testing

Sentinel Source, WhiteHat’s Static Application Security Testing (SAST) offering, identifies vulnerabilities and provides detailed vulnerability descriptions and remediation advice, as well as precise ready-to-implement remediation solutions for certain vulnerabilities. Sentinel Source enables you to:

  • Assess code at any point in the SDLC.

  • Run scheduled assessment daily or on demand.

  • Stay up-to-date on the latest attacks with Rule Packs that identify and verify vulnerability defects.

  • Scale security to meet the needs of your organization with automated, always-on cloud-based platforms.

  • Easily discover and assess the size (in lines of code or MB) of your apps with supported file types using WhiteHat’s Count Lines of Code (WHLOC) tool.

Using the SAST cloud upload feature allows you to access all of the functionality of Sentinel Source without having to create an appliance within your environment to serve as a repository for your source code. You can upload your source code in either binary or archive format and Sentinel Source performs scans against the source code that you uploaded.
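Because the size of an upload is measured in lines of code or MB and the codebase is sent as an archive, it helps to know both numbers before you upload. The following script is an added example, not WhiteHat's WHLOC tool or any part of Sentinel: it walks a source tree, skips directories that usually hold version-control data or build output, counts lines per source extension and packs the remaining files into a zip archive, reporting the archive size in MB. The excluded-directory and source-extension lists are illustrative assumptions and are not WhiteHat's list of supported file types.

```python
import os
import zipfile
from pathlib import Path

# Directories left out of the upload. Assumption: an illustrative list, not a
# WhiteHat setting; adjust it to your build layout.
EXCLUDED_DIRS = {".git", ".svn", ".hg", "node_modules", "build", "dist", "target", "__pycache__"}

# Extensions counted as source lines. Assumption: illustrative only, not the
# supported file types recognised by the WHLOC tool.
SOURCE_EXTENSIONS = {".java", ".py", ".js", ".ts", ".cs", ".php", ".rb", ".go", ".c", ".cpp", ".h"}


def iter_source_files(root):
    """Yield every file under root, pruning the excluded directories in place."""
    root = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            yield Path(dirpath) / name


def count_lines(root):
    """Return {extension: line count} for the source files under root."""
    counts = {}
    for path in iter_source_files(root):
        ext = path.suffix.lower()
        if ext in SOURCE_EXTENSIONS:
            with path.open("rb") as f:
                n = sum(1 for _ in f)  # one count per newline-terminated line
            counts[ext] = counts.get(ext, 0) + n
    return counts


def build_upload_archive(root, archive_path):
    """Zip the source tree (minus excluded directories) and return its size in bytes."""
    root = Path(root)
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in iter_source_files(root):
            # Store paths relative to the tree root so the archive unpacks cleanly.
            zf.write(path, arcname=path.relative_to(root).as_posix())
    return os.path.getsize(archive_path)


def demo():
    """Build a constructed sample tree in a temp directory, then size and archive it.

    Returns (line counts, sorted archive member names, archive size in bytes).
    """
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "src").mkdir(parents=True)
        (root / ".git").mkdir()
        (root / "build").mkdir()
        # Constructed sample files: two source files, one doc, VCS data, build output.
        (root / "src" / "Main.java").write_text("class Main {\n  void run() {}\n}\n")
        (root / "src" / "util.py").write_text("def f():\n    return 1\n")
        (root / "README.md").write_text("# app\n")
        (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
        (root / "build" / "Main.class").write_bytes(b"\xca\xfe\xba\xbe")
        archive = Path(tmp) / "app.zip"
        size = build_upload_archive(root, archive)
        with zipfile.ZipFile(archive) as zf:
            names = sorted(zf.namelist())
        return count_lines(root), names, size


if __name__ == "__main__":
    counts, names, size = demo()
    print("lines per extension:", counts)
    print("archive members:", names)
    print("archive size: %.2f MB" % (size / (1024 * 1024)))
```

Run it against your own checkout by calling count_lines and build_upload_archive with the project root and the archive path you intend to upload; the .git and build directories are kept out of the archive, so the reported size reflects only what the scan will actually consume.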

All cloud upload files are deleted after 15 days, but the scan results remain available. The last five file uploads are recorded in the Scan Log table of the Scan tab on the Asset Management page.

Configuring Your Account

You must configure your account to enable file upload for SAST and SCA applications to WhiteHat Security’s Cloud. Use the following instructions to configure your account:

  1. Open Sentinel and select the Admin tab.

  2. Select the Account Overview subtab.

  3. Scroll down to the Configure Accounts section and select the first checkbox, Enable file upload for SAST and SCA applications to WhiteHat Security’s Cloud, if necessary.

  4. Select the checkbox to verify that you give WhiteHat Security permission to decompile any code that you upload.

  5. Click the Save button.

This is a one-time non-reversible requirement, so the checkboxes may already be selected. If file upload is already enabled, the user who enabled this feature is displayed.

Uploading Files

To upload files using cloud upload:

  1. Open Sentinel and select the Assets tab.

  2. Click the Add Asset button, then select Add Application or Add Application (SCA).

  3. On the Add Application screen, select a Service Level for the application.

  4. Provide an Asset Name for the application.

  5. Select the WhiteHat Cloud radio button for the Scan Location.

  6. You can provide a Custom Asset ID if you have an internal Asset ID that you would like to have associated with the application. It’s displayed in reports after the Asset Name.

  7. Click Next to move to the Add Codebase screen.

If file upload has not been enabled, a message is displayed with a link to the Account Overview subtab of the Assets tab so that you can enable file uploads.

  8. Either drag and drop your files to the upload area, or click on browse to browse to the location of your files and select your files to upload.

  9. Once your files have uploaded, click Next to move to the Configure Scan screen.

  10. Alternatively, click Skip and Create Now. If you have not uploaded a codebase, this will create the application as an asset without a codebase. If you have uploaded a codebase, it will create the application as an asset without configuring any scans.

If you do not upload a codebase at this time, you MUST upload the codebase before any scanning can be performed. To upload the codebase at a later date, click on the Needs File Upload link in the asset’s entry on the Asset Management list.

  11. From the dropdown, select a Scan Profile for the application.

  12. Select the appropriate radio button for the Scan Type you wish to perform. Pre Scan is a parse-only scan to check configuration and identify licenses needed for a full scan. Pre Scan DOES NOT identify vulnerabilities or consume any WhiteHat licenses. Full Scan is a deep scan that identifies vulnerabilities which are then confirmed by WhiteHat TRC. Full Scan requires and consumes an appropriate license.

  13. Click Create Now to create the application as an asset.

Rescan Files

If you have updated your codebase for an application, you will need to upload the updated codebase to perform a rescan of the application.

To rescan an application that you have already created:

  1. Open Sentinel and click the Assets tab.

  2. On the Asset Management screen, click the name of the application that you want to rescan.

  3. Click the Request Scan button.

  4. Either drag and drop your files to the upload area, or click on browse to browse to the location of your files and select your files to upload.

  5. Click the Upload and Scan button.