API Testing


Dynamic testing is available for standalone APIs, i.e., APIs without an HTML front-end for scanners to crawl. We rely on the client to provide API documentation, which is then used as the basis for testing.

AutoAPI

AutoAPI is analogous to Continuous Dynamic Standard Edition (SE). It uses the same scanning engine, but it learns what requests to make by parsing the customer-provided documentation instead of a website’s HTML. All vulnerabilities are verified by a human engineer or well-trained machine learning model before getting posted to the portal. Proofs-of-concept are provided in vulnerability descriptions as appropriate. Retests are available on demand.
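As an added illustration (not Black Duck's code, and not AutoAPI's internals), the following Python script shows what "learning requests from documentation" means in practice: it walks an OpenAPI 3 document and produces an inventory of operations, their path and query parameters, their request body fields, and whether the specification says each operation needs credentials. The spec, the hostname, and the function names are all constructed for the example; a real engagement would load the customer's spec from a file or URL instead.

```python
import json

# Constructed OpenAPI 3 fragment standing in for customer-provided documentation.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1"}],
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "NewOrder": {
                "type": "object",
                "required": ["sku", "qty"],
                "properties": {"sku": {"type": "string"}, "qty": {"type": "integer"}},
            }
        },
    },
    "security": [{"bearer": []}],  # default: every operation requires a bearer token
    "paths": {
        "/orders": {
            "get": {
                "parameters": [{"name": "status", "in": "query", "schema": {"type": "string"}}]
            },
            "post": {
                "requestBody": {
                    "content": {"application/json": {"schema": {"$ref": "#/components/schemas/NewOrder"}}}
                }
            },
        },
        "/orders/{orderId}": {
            "parameters": [{"name": "orderId", "in": "path", "required": True, "schema": {"type": "integer"}}],
            "get": {},
            "delete": {"security": []},  # documented as unauthenticated: a reviewer should notice this
        },
        "/health": {"get": {"security": []}},
    },
}

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")


def resolve_ref(spec, node):
    """Follow a local '$ref' ('#/components/...') one level; return the node unchanged otherwise."""
    ref = node.get("$ref") if isinstance(node, dict) else None
    if not ref or not ref.startswith("#/"):
        return node
    cur = spec
    for part in ref[2:].split("/"):
        cur = cur[part]
    return cur


def enumerate_requests(spec):
    """Return one entry per documented operation: method, URL, parameters, body fields, auth requirement."""
    base = spec.get("servers", [{"url": "/"}])[0]["url"].rstrip("/")
    global_security = spec.get("security", [])
    inventory = []
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])  # path-level parameters apply to every method
        for method in HTTP_METHODS:
            if method not in item:
                continue
            op = item[method]
            params = shared_params + op.get("parameters", [])
            body = None
            content = op.get("requestBody", {}).get("content", {})
            if content:
                media, media_spec = next(iter(content.items()))
                schema = resolve_ref(spec, media_spec.get("schema", {}))
                body = {"media_type": media, "fields": sorted(schema.get("properties", {}))}
            # An operation-level 'security' list overrides the document default; [] means "no auth".
            security = op.get("security", global_security)
            inventory.append({
                "method": method.upper(),
                "url": base + path,
                "path_params": [p["name"] for p in params if p["in"] == "path"],
                "query_params": [p["name"] for p in params if p["in"] == "query"],
                "body": body,
                "requires_auth": bool(security),
            })
    return inventory


def unauthenticated_operations(inventory):
    """Operations the documentation says need no credentials; these deserve the earliest manual review."""
    return [f"{r['method']} {r['url']}" for r in inventory if not r["requires_auth"]]


if __name__ == "__main__":
    inv = enumerate_requests(SAMPLE_SPEC)
    print(json.dumps(inv, indent=2))
    print("Documented as unauthenticated:", unauthenticated_operations(inv))
```

The inventory is the starting point a documentation-driven scanner works from: each entry tells it which method and URL to call, which parameters can carry test payloads, and what a well-formed body looks like. The `unauthenticated_operations` check is the kind of quick review step that catches a mutating endpoint (here the `DELETE`) documented without any security requirement before any scanning starts.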

It shares a platform with our other services:

Overview items and their details:

Concierge Onboarding

The Black Duck Implementation Team will:

  • Schedule a video welcome call to review all pertinent information and requirements for onboarding.

  • Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s).

  • Deliver "Welcome" documentation and review customer deliverables to ensure successful onboarding and utilization.

Continuous Dynamic User Interface

The Continuous Dynamic user interface offers 24/7 Dashboard access to all your vulnerability information, including:

  • Flexible Reports

    • Executive summary and unit level aggregation of data in flexible formats.

    • Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities.

    • Compliance reports (PCI) available at any time.

  • Access to Black Duck Engineers

    The Ask-a-Question feature gives direct access to Black Duck Security Threat Research Center (TRC) engineers. Questions can be submitted and responses received via the Sentinel UI. If the Ask-a-Question feature is enabled, questions can also be asked through the Sentinel JIRA® plugins, allowing customers to integrate Sentinel information directly into their issue tracking software. (24 hour response.)

Access to Customer Support

Customer Support is available in the Black Duck Community, where customers can view their cases, submit cases, or access Continuous Dynamic documentation and tools.


PCI Compliance

Continuous Dynamic (PE, SE, and BE) services exceed the requirements of the PCI DSS, providing ongoing verified vulnerability assessments for both public and internal websites.

Open JSON and XML API Integration

In addition to developing plugins that integrate Continuous Dynamic data with JIRA®, Black Duck offers a RESTful JSON and XML-based API that enables customers to create their own integrations with Continuous Dynamic and utilize Continuous Dynamic data in their own applications. Support for Continuous Dynamic includes our API documentation and training (see http://apidocs.whitehatsec.com).

API Business Logic Assessment (BLA)

This is analogous to Continuous Dynamic Premium Edition (PE). The difference from AutoAPI is that an API BLA is done manually, at a single point in time. It matches the vulnerability class coverage of AutoAPI, but includes additional testing for authentication/authorization issues, file upload issues, multi-step workflow bypasses, etc. Humans can understand the meaning of responses in a way that computers cannot.