WhiteHat Sentinel Dynamic (DAST)

If you prefer to read the entire WhiteHat Service Definition section in PDF format, you can view or print here.

Our dynamic application testing services can be used to test production and pre-production web applications ("Sites"), using a combination of automated testing and manual assessments performed by our TRC engineers.WhiteHat has multiple service lines providing varying degrees of application coverage. A Site in this context is understood as:

One primary host name - This is the main domain associated with a site asset: for example, https://whitehatsec.com.
Up to ten associated host names - These are usually subdomains that cannot be crawled from the primary host but are essential to the function of the site being assessed.

Sentinel-Supported Browsers

WhiteHat Security provides full, certified support for:

supported browsers updated

We test our products in the certified browsers and are committed to remediating defects identified during testing or reported by customers. Customers using non-supported browsers may experience incorrect functionality in some features. WhiteHat encourages customers to use the supported browser versions, both for Sentinel functionality and for improved security.

Additional browsers may be supported on a case by case basis, depending on demonstrated business needs. For additonal browsers, we will also identify and correct defects where a clear business case can be made for doing so. The same level of support guarantee offered with our Certified Supported browsers, cannot be offered for additional browsers. Some older browsers (e.g. IE11) will not be supported. For these browsers, we will not identify or remediate issues. The following is a summary of policies for certified browsers:

Certified browsers are fully supported on all supported operating systems.
Browser releases are evaluated quarterly and browser certifications for WhiteHat Sentinel are updated accordingly.
Discontinued versions of certified browsers will no longer be supported.

Sentinel Dynamic (DAST) Service Detail

WhiteHat offers three levels of DAST services, each having features that make it uniquely appropriate for specific business needs:

Sentinel DAST Baseline Edition (BE)

Baseline Edition (BE) is a basic un-configured scan, designed to assess web applications that do not contain forms, like brochure-ware. This is the core Sentinel offering, including automated scanning and vulnerability verification, and is ideal for identifying your sites and determining the degree of protection that is appropriate for each. Sentinel BE includes identification of technical vulnerabilities, verification of vulnerabilities to eliminate false positives, access to the WhiteHat Threat Research Center for support, and unlimited retesting to ensure your remediation strategies are effective.

Overview Item	Details
Concierge Onboarding	The WhiteHat Implementation Team will: Schedule a video welcome call to review all pertinent information and requirements for onboarding. Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s). Deliver “Welcome” documentation and review customer deliverables to ensure successful on-boarding and utilization.
Sentinel User Interface	The Sentinel user interface offers 24/7 Dashboard access to all your vulnerability information, including: Flexible Reports Executive summary and unit level aggregation of data in flexible formats. Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities. Compliance reports (PCI) available at any time. Access to WhiteHat Engineers The Ask-a-Question feature gives direct access to WhiteHat Security Threat Research Center (TRC) engineers. Questions can be submitted and responses received via the Sentinel UI or via any of the plugins available to allow customers to integrate Sentinel information directly into their IDE or SDLC tools. (24 hour response)
Access to Customer Support	Customer Support is available via the Customer Portal at https://whitehatsec.secure.force.com, where customers can view their cases, submit cases, or access WhiteHat documentation and tools. Customer Support is also available Monday to Friday between 12:00 a.m. and 7:00 p.m. Pacific time at 408-343-8340, or click here to email Customer Support.
Verified Vulnerabilities	When a Sentinel scan discovers a potential vulnerability, the potential vulnerability is reviewed using more than 17 years of data intelligence and human verification. Only once we have verified that the vulnerability is real and actionable will it be posted to your Sentinel interface, eliminating false positive alerts. Automated retesting is available on demand.
Proof of Concept	WhiteHat Security will provide a proof of concept for vulnerabilities.
PCI Compliance	WhiteHat Sentinel Dynamic (PE, SE, and BE) services exceed requirements of the PCI DSS providing on-going verified vulnerability assessments for both public and internal websites.
Open JSON and XML JSON and API Integration	In addition to developing plugins that integrate Sentinel data with common SDLC tools such as Jenkins and JIRA®, WhiteHat Security offers a RESTful JSON and XML-based API that enables customers to create their own integrations with Sentinel and utilize Sentinel data in their own applications. Support for Sentinel Dynamic includes our API documentation and training (see http://apidocs.whitehatsec.com).

Overview Item

Details

Concierge Onboarding

The WhiteHat Implementation Team will:

Schedule a video welcome call to review all pertinent information and requirements for onboarding.
Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s).
Deliver “Welcome” documentation and review customer deliverables to ensure successful on-boarding and utilization.

Sentinel User Interface

The Sentinel user interface offers 24/7 Dashboard access to all your vulnerability information, including:

Flexible Reports
- Executive summary and unit level aggregation of data in flexible formats.
- Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities.
- Compliance reports (PCI) available at any time.
Access to WhiteHat Engineers

The Ask-a-Question feature gives direct access to WhiteHat Security Threat Research Center (TRC) engineers. Questions can be submitted and responses received via the Sentinel UI or via any of the plugins available to allow customers to integrate Sentinel information directly into their IDE or SDLC tools. (24 hour response)

Access to Customer Support

Customer Support is available via the Customer Portal at https://whitehatsec.secure.force.com, where customers can view their cases, submit cases, or access WhiteHat documentation and tools.

Customer Support is also available Monday to Friday between 12:00 a.m. and 7:00 p.m. Pacific time at 408-343-8340, or click here to email Customer Support.

Verified Vulnerabilities

When a Sentinel scan discovers a potential vulnerability, the potential vulnerability is reviewed using more than 17 years of data intelligence and human verification. Only once we have verified that the vulnerability is real and actionable will it be posted to your Sentinel interface, eliminating false positive alerts. Automated retesting is available on demand.

Proof of Concept

WhiteHat Security will provide a proof of concept for vulnerabilities.

PCI Compliance

WhiteHat Sentinel Dynamic (PE, SE, and BE) services exceed requirements of the PCI DSS providing on-going verified vulnerability assessments for both public and internal websites.

Open JSON and XML JSON and API Integration

In addition to developing plugins that integrate Sentinel data with common SDLC tools such as Jenkins and JIRA®, WhiteHat Security offers a RESTful JSON and XML-based API that enables customers to create their own integrations with Sentinel and utilize Sentinel data in their own applications. Support for Sentinel Dynamic includes our API documentation and training (see http://apidocs.whitehatsec.com).

Sentinel DAST Standard Edition (SE)

Standard Edition (SE) includes all the features described under Sentinel BE. In addition, Sentinel SE is a configured scan, designed to provide assessment for permanent web applications that use forms or authentication but that do not require the in-depth business logic testing provided by Sentinel PE. Sentinel Dynamic SE offers all the features of Sentinel Dynamic BE, but also features the following:

Customized Authenticated Scanning WhiteHat Security TRC engineers will configure your site to scan with one set of login credentials. While Sentinel Dynamic BE includes authenticated scanning, no configuration is performed. With Sentinel Dynamic SE, our engineers will configure our scanner to authenticate itself to even the most complicated login processes. If there is an issue with our scanner authenticating itself to the application, our engineers will take action to remedy the issue.
Full Configuration and Form Training WhiteHat TRC engineers will configure the scanner to properly fill out any forms on the web application with valid inputs, as well as teach the scanner to avoid unsafe forms.

Sentinel DAST Premium Edition (PE)

Premium Edition (PE) includes all the features described under Sentinel BE and Sentinel SE. In addition, Sentinel PE includes business logic testing by our TRC engineers,and is designed to assess more complex, high-priority, or mission-critical web applications, including those using multi-step, form-based processes and authentication and those that require both technical and business logic testing.

Annual Business Logic Testing In the annual Business Logic Testing, a team of security engineers will map out and test your web application’s business logic and workflows, paying particular attention to privileges between and across roles and users. This additional testing by our engineers ensures that your business-critical applications are being thoroughly assessed against any form of attack a malicious user may attempt. Vulnerabilities discovered during the business logic assessment are reported in the Sentinel Interface with specific details:
A custom description of the vulnerability and how it is exploitable
Steps to reproduce the vulnerability
The location of the vulnerability
Request and response details
A vulnerability score aligned with PCI and CVSS
Recommended solutions and best practice

Sentinel DAST Limitations

This service does not cover:

APIs (Separate product)
Client-side apps (Thick Clients)
Windows/Mac native apps
Plugin apps
ActiveX Silverlight

Applications with heavy use of asynchronous POST requests cannot be fully scanned via automated testing. However, pairing with a business logic assessment (Sentinel Dynamic PE) can mostly mitigate this issue. Applications with anti-automation functionality cannot be scanned:

Dynamic links (links cannot be reused)
WebSphere
Anti-automation tokens
Sites that enforce requests are sent in a certain order
Other anti-automation techniques

Application that require non-HTTP communication to use/authenticate:

Physical token keys
One-time log-in codes
Email
Two-factor authentication other than SMS or email (SMS for authentication is supported provided texts come from a long-form number, e.g. 555-555-5555, and not a short-form number, e.g. 555-5555.)