WhiteHat Sentinel Dynamic (DAST)
Our dynamic application testing services can be used to test production and pre-production web applications ("Sites"), using a combination of automated testing and manual assessments performed by our TRC engineers. WhiteHat has multiple service lines providing varying degrees of application coverage. A Site in this context is understood as:
- One primary host name: the main domain associated with a site asset, for example https://whitehatsec.com.
- Up to ten associated host names: usually subdomains that cannot be crawled from the primary host but are essential to the function of the site being assessed.
Sentinel-Supported Browsers
WhiteHat Security provides full, certified support for:
We test our products in the certified browsers and are committed to remediating defects identified during testing or reported by customers. Customers using non-supported browsers may experience incorrect functionality in some features. WhiteHat encourages customers to use the supported browser versions, both for Sentinel functionality and for improved security.
Additional browsers may be supported on a case-by-case basis, depending on demonstrated business needs. For additional browsers we will also identify and correct defects where a clear business case can be made for doing so, but we cannot offer the same level of support guarantee as for our certified browsers. Some older browsers (e.g. IE11) will not be supported at all: for these browsers we will not identify or remediate issues. The following is a summary of policies for certified browsers:
- Certified browsers are fully supported on all supported operating systems.
- Browser releases are evaluated quarterly and browser certifications for WhiteHat Sentinel are updated accordingly.
- Discontinued versions of certified browsers will no longer be supported.
Sentinel Dynamic (DAST) Service Detail
WhiteHat offers three levels of DAST services, each having features that make it uniquely appropriate for specific business needs:
Sentinel DAST Baseline Edition (BE)
Baseline Edition (BE) is a basic unconfigured scan, designed to assess web applications that do not contain forms, such as brochure-ware. This is the core Sentinel offering, including automated scanning and vulnerability verification, and is ideal for identifying your sites and determining the degree of protection that is appropriate for each. Sentinel BE includes identification of technical vulnerabilities, verification of vulnerabilities to eliminate false positives, access to the WhiteHat Threat Research Center for support, and unlimited retesting to ensure your remediation strategies are effective.
Overview Item | Details |
---|---|
Concierge Onboarding | The WhiteHat Implementation Team will: |
Sentinel User Interface | The Sentinel user interface offers 24/7 Dashboard access to all your vulnerability information, including: |
Access to Customer Support | Customer Support is available via the Customer Portal at https://whitehatsec.secure.force.com, where customers can view their cases, submit cases, or access WhiteHat documentation and tools. Customer Support is also available Monday to Friday between 12:00 a.m. and 7:00 p.m. Pacific time at 408-343-8340, or by email. |
Verified Vulnerabilities | When a Sentinel scan discovers a potential vulnerability, it is reviewed using more than 17 years of data intelligence and human verification. Only once we have verified that the vulnerability is real and actionable is it posted to your Sentinel interface, eliminating false positive alerts. Automated retesting is available on demand. |
Proof of Concept | WhiteHat Security will provide a proof of concept for vulnerabilities. |
PCI Compliance | WhiteHat Sentinel Dynamic (PE, SE, and BE) services exceed the requirements of the PCI DSS, providing ongoing verified vulnerability assessments for both public and internal websites. |
Open JSON and XML API Integration | In addition to developing plugins that integrate Sentinel data with common SDLC tools such as Jenkins and JIRA®, WhiteHat Security offers a RESTful JSON- and XML-based API that enables customers to create their own integrations with Sentinel and use Sentinel data in their own applications. Support for Sentinel Dynamic includes our API documentation and training (see http://apidocs.whitehatsec.com). |
Sentinel DAST Standard Edition (SE)
Standard Edition (SE) includes all the features described under Sentinel BE. In addition, Sentinel SE is a configured scan, designed to assess permanent web applications that use forms or authentication but do not require the in-depth business logic testing provided by Sentinel PE. Beyond the features of Sentinel Dynamic BE, Sentinel SE adds the following:
- Customized Authenticated Scanning: WhiteHat Security TRC engineers will configure your site to scan with one set of login credentials. While Sentinel Dynamic BE includes authenticated scanning, no configuration is performed. With Sentinel Dynamic SE, our engineers will configure our scanner to authenticate itself to even the most complicated login processes. If there is an issue with our scanner authenticating itself to the application, our engineers will take action to remedy the issue.
- Full Configuration and Form Training: WhiteHat TRC engineers will configure the scanner to properly fill out any forms on the web application with valid inputs, as well as teach the scanner to avoid unsafe forms.
Sentinel DAST Premium Edition (PE)
Premium Edition (PE) includes all the features described under Sentinel BE and Sentinel SE. In addition, Sentinel PE includes business logic testing by our TRC engineers, and is designed to assess more complex, high-priority, or mission-critical web applications, including those using multi-step, form-based processes and authentication and those that require both technical and business logic testing.
- Annual Business Logic Testing: in the annual Business Logic Testing, a team of security engineers will map out and test your web application's business logic and workflows, paying particular attention to privileges between and across roles and users. This additional testing by our engineers ensures that your business-critical applications are thoroughly assessed against the attacks a malicious user may attempt. Vulnerabilities discovered during the business logic assessment are reported in the Sentinel Interface with specific details:
  - A custom description of the vulnerability and how it is exploitable
  - Steps to reproduce the vulnerability
  - The location of the vulnerability
  - Request and response details
  - A vulnerability score aligned with PCI and CVSS
  - Recommended solutions and best practice
Sentinel DAST Limitations
This service does not cover:
- APIs (separate product)
- Client-side apps (thick clients)
- Windows/Mac native apps
- Plugin apps
- ActiveX and Silverlight
Applications that make heavy use of asynchronous POST requests cannot be fully scanned by automated testing alone; pairing with a business logic assessment (Sentinel Dynamic PE) largely mitigates this. Applications with anti-automation functionality cannot be scanned, including:
- Dynamic links (links cannot be reused)
- WebSphere
- Anti-automation tokens
- Sites that enforce that requests are sent in a certain order
- Other anti-automation techniques
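To make the two limitations above concrete, here is an added example (constructed for this page, not WhiteHat code) that models a server using one-time link tokens and an enforced checkout order. A crawler that revisits a captured URL is refused because the token has already been consumed, and a scanner that jumps straight to a later step is refused because the steps were not walked in sequence; only a client that fetches a fresh link and follows the workflow in order gets through, which is the kind of walk an engineer-driven assessment performs. The class, page names and status codes are all assumptions for illustration.

```python
"""Toy model of anti-automation patterns that block replay-based scanning.
Constructed example; not part of the Sentinel service or its code."""
import secrets


class AntiAutomationApp:
    """Minimal in-memory server (assumed for illustration).

    Every rendered link carries a single-use token, and the checkout flow
    must be walked in the fixed order cart -> address -> pay.
    """
    ORDER = ["cart", "address", "pay"]

    def __init__(self):
        self._live_tokens = set()   # tokens that may still be used once
        self._stage = {}            # session_id -> index of next expected step

    def render(self, session_id, page):
        """Render a page: mint a fresh one-time token and embed it in the link."""
        token = secrets.token_hex(8)
        self._live_tokens.add(token)
        return {"page": page, "link": f"/{page}?t={token}"}

    def request(self, session_id, page, token):
        """Validate a request: unused token first, then step ordering."""
        if token not in self._live_tokens:
            return 403, "token reused or unknown"
        self._live_tokens.discard(token)        # consume; the link is now dead
        expected = self._stage.get(session_id, 0)
        if page in self.ORDER:
            if self.ORDER.index(page) != expected:
                return 409, f"out of order: expected {self.ORDER[expected]}"
            self._stage[session_id] = expected + 1
        return 200, "ok"


def parse_link(link):
    """Split '/page?t=token' into ('page', 'token')."""
    path, _, query = link.partition("?")
    return path.lstrip("/"), query.split("=", 1)[1]


def replay_captured_request(app, session_id="s1"):
    """What a crawler does: capture a link, use it, then issue it again."""
    page, token = parse_link(app.render(session_id, "cart")["link"])
    first = app.request(session_id, page, token)
    second = app.request(session_id, page, token)   # same URL, replayed
    return first, second


def skip_a_step(app, session_id="s2"):
    """A scanner that jumps straight to /pay with an otherwise valid token."""
    page, token = parse_link(app.render(session_id, "pay")["link"])
    return app.request(session_id, page, token)


def walk_in_order(app, session_id="s3"):
    """Fetch a fresh link for each step and follow the workflow in sequence."""
    statuses = []
    for step in AntiAutomationApp.ORDER:
        page, token = parse_link(app.render(session_id, step)["link"])
        statuses.append(app.request(session_id, page, token)[0])
    return statuses


if __name__ == "__main__":
    app = AntiAutomationApp()
    print("replay:", replay_captured_request(app))
    print("skip:", skip_a_step(app))
    print("ordered walk:", walk_in_order(app))
```

The replay returns a 200 followed by a 403, the skipped step returns a 409, and the ordered walk returns three 200s. A crawler's core assumption, that a URL seen once can be requested again later, is exactly what the single-use token defeats, which is why such sites fall outside automated coverage.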
Applications that require non-HTTP communication to use or authenticate:
- Physical token keys
- One-time login codes
- Email
- Two-factor authentication other than SMS or email (SMS for authentication is supported provided texts come from a long-form number, e.g. 555-555-5555, and not a short-form number, e.g. 555-5555.)