WhiteHat Dynamic (DAST)


Our dynamic application testing services can be used to test production and pre-production web applications ("Sites"), using a combination of automated testing and manual assessments performed by our Threat Research Center (TRC) engineers. Synopsys has multiple WhiteHat service lines providing varying degrees of application coverage. A Site in this context is understood as:

  • One primary host name - This is the main domain associated with a site asset: for example, https://www.synopsys.com.

  • Up to ten associated host names - These are usually subdomains that cannot be crawled from the primary host but are essential to the function of the site being assessed.

WhiteHat Portal-Supported Browsers

The WhiteHat Portal provides full, certified support for the Google Chrome and Mozilla Firefox browsers.


We test our products in the certified browsers and are committed to remediating defects identified during testing or reported by customers. Customers using non-supported browsers may experience incorrect functionality in some features. Synopsys encourages customers to use the supported browser versions, both for WhiteHat Portal functionality and for improved security.

Additional browsers may be supported on a case-by-case basis, depending on demonstrated business needs. For additional browsers, we will also identify and correct defects where a clear business case can be made for doing so. The same level of support guarantee offered with our Certified Supported browsers cannot be offered for additional browsers. Some older browsers (e.g. IE11) will not be supported; for these browsers, we will not identify or remediate issues. The following is a summary of policies for certified browsers:

  • Certified browsers are fully supported on all supported operating systems.

  • Browser releases are evaluated quarterly and browser certifications for the WhiteHat Portal are updated accordingly.

  • Discontinued versions of certified browsers will no longer be supported.

WhiteHat Dynamic (DAST) Service Detail

Synopsys offers three levels of WhiteHat DAST services, each of which has features that are uniquely appropriate for specific business needs:

WhiteHat DAST Baseline Edition (BE)

Baseline Edition (BE) is a basic unconfigured scan, designed to assess web applications that do not contain forms, like brochure-ware. This is the core Sentinel offering, including automated scanning and vulnerability verification, and is ideal for identifying your sites and determining the degree of protection that is appropriate for each. Sentinel BE includes identification of technical vulnerabilities, verification of vulnerabilities to eliminate false positives, access to the Synopsys Threat Research Center for support, and unlimited retesting to ensure your remediation strategies are effective.

Overview

Concierge Onboarding

The Synopsys Implementation Team will:

  • Schedule a video welcome call to review all pertinent information and requirements for onboarding.

  • Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s).

  • Deliver “Welcome” documentation and review customer deliverables to ensure successful onboarding and utilization.

WhiteHat Portal User Interface

The WhiteHat Portal user interface offers 24/7 Dashboard access to all your vulnerability information, including:

  • Flexible Reports

    • Executive summary and unit level aggregation of data in flexible formats.

    • Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities.

    • Compliance reports (PCI) available at any time.

  • Access to Synopsys Engineers

    The Ask-a-Question feature gives direct access to Synopsys Threat Research Center (TRC) engineers. Questions can be submitted and responses received via the WhiteHat Portal UI. If the Ask-a-Question feature is enabled, questions can also be asked through the Sentinel JIRA® plugins, allowing customers to integrate WhiteHat information directly into their issue tracking software. (24 hour response.)

Access to Customer Support

Customer Support is available via the Synopsys Software Integrity Community at https://community.synopsys.com/s/, where customers can view their cases, submit cases, or access WhiteHat Dynamic documentation and tools.


Verified Vulnerabilities

When a Sentinel scan discovers a potential vulnerability, the potential vulnerability is reviewed using more than 17 years of data intelligence and human verification. Only once we have verified that the vulnerability is real and actionable will it be posted to your WhiteHat Portal interface, eliminating false positive alerts. Automated retesting is available on demand.

Proof of Concept

Synopsys will provide a proof of concept for vulnerabilities.

PCI Compliance

WhiteHat Dynamic (PE, SE, and BE) services exceed the requirements of the PCI DSS, providing ongoing verified vulnerability assessments for both public and internal websites.

Open JSON and XML API Integration

In addition to developing plugins that integrate WhiteHat data with JIRA®, Synopsys offers a RESTful JSON and XML-based API that enables customers to create their own integrations with the WhiteHat Portal and utilize its data in their own applications. Support for WhiteHat Dynamic includes our API documentation and training (see http://apidocs.whitehatsec.com).

WhiteHat DAST Standard Edition (SE)

Standard Edition (SE) includes all the features described under WhiteHat Dynamic BE. In addition, WhiteHat Dynamic SE is a configured scan, designed to assess permanent web applications that use forms or authentication but do not require the in-depth business logic testing provided by WhiteHat Dynamic PE. Beyond the WhiteHat Dynamic BE feature set, WhiteHat Dynamic SE also includes the following:

  • Customized Authenticated Scanning - Synopsys TRC engineers will configure your site to scan with one set of login credentials. While WhiteHat Dynamic BE includes authenticated scanning, no configuration is performed. With WhiteHat Dynamic SE, our engineers will configure our scanner to authenticate itself to even the most complicated login processes. If there is an issue with our scanner authenticating itself to the application, our engineers will take action to remedy the issue.

  • Full Configuration and Form Training - Synopsys TRC engineers will configure the scanner to properly fill out any forms on the web application with valid inputs, as well as teach the scanner to avoid unsafe forms.

WhiteHat DAST Premium Edition (PE)

Premium Edition (PE) includes all the features described under WhiteHat Dynamic BE and SE. In addition, WhiteHat Dynamic PE includes business logic testing by our TRC engineers, and is designed to assess more complex, high-priority, or mission-critical web applications, including those using multi-step, form-based processes and authentication and those that require both technical and business logic testing.

  • Annual Business Logic Testing - In the annual Business Logic Testing, a team of security engineers will map out and test your web application’s business logic and workflows, paying particular attention to privileges between and across roles and users. This additional testing by our engineers ensures that your business-critical applications are being thoroughly assessed against any form of attack a malicious user may attempt. Vulnerabilities discovered during the business logic assessment are reported in the WhiteHat Portal interface with specific details:

    • A custom description of the vulnerability and how it is exploitable.

    • Steps to reproduce the vulnerability.

    • The location of the vulnerability.

    • Request and response details.

    • A vulnerability score aligned with PCI and CVSS.

    • Recommended solutions and best practice.

WhiteHat DAST Limitations

This service does not cover:

  • APIs (Separate product)

  • Client-side apps (Thick Clients)

  • Windows/Mac native apps

  • Plugin apps

  • ActiveX and Silverlight

Applications with heavy use of asynchronous POST requests cannot be fully scanned via automated testing. However, pairing with a business logic assessment (WhiteHat Dynamic PE) can mostly mitigate this issue. Applications with anti-automation functionality cannot be scanned; this includes:

  • Dynamic links (links cannot be reused)

  • WebSphere

  • Anti-automation tokens

  • Sites that enforce that requests are sent in a certain order

  • Other anti-automation techniques

Applications that require non-HTTP communication to use or authenticate, including:

  • Physical token keys

  • Two-factor authentication other than SMS or email (SMS for authentication is supported provided texts come from a long-form number, e.g. 555-555-5555, and not a short-form number, e.g. 555-5555.)