Continuous Dynamic (DAST)

If you prefer to read the entire Continuous Dynamic Service Definition section in PDF format, you can view or print here.

Our dynamic application testing services can be used to test production and pre-production web applications ("Sites"), using a combination of automated testing and manual assessments performed by our Threat Research Center (TRC) engineers. Black Duck has multiple Continuous Dynamic service lines providing varying degrees of application coverage. A Site in this context is understood as:

One primary host name - This is the main domain associated with a site asset: for example, https://www.example.com.
Up to ten associated host names - These are usually subdomains that cannot be crawled from the primary host but are essential to the function of the site being assessed.

Continuous Dynamic Portal-Supported Browsers

The Continuous Dynamic Portal provides full, certified support for the Google Chrome and Mozilla Firefox browsers.

supported browsers updated

We test our products in the certified browsers and are committed to remediating defects identified during testing or reported by customers. Customers using non-supported browsers may experience incorrect functionality in some features. Black Duck encourages customers to use the supported browser versions, both for Portal functionality and for improved security.

Additional browsers may be supported on a case by case basis, depending on demonstrated business needs. For additional browsers, we will also identify and correct defects where a clear business case can be made for doing so. The same level of support guarantee offered with our Certified Supported browsers, cannot be offered for additional browsers. Some older browsers (e.g. IE11) will not be supported. For these browsers, we will not identify or remediate issues. The following is a summary of policies for certified browsers:

Certified browsers are fully supported on all supported operating systems.
Browser releases are evaluated quarterly and browser certifications for the Portal are updated accordingly.
Discontinued versions of certified browsers will no longer be supported.

Continuous Dynamic (DAST) Service Detail

Black Duck offers three levels of Continuous Dynamic DAST services, each of which has features that are uniquely appropriate for specific business needs:

Continuous Dynamic DAST Baseline Edition (BE)

Baseline Edition (BE) is a basic unconfigured scan, designed to assess web applications that do not contain forms, like brochure-ware. This is our core offering, including automated scanning and vulnerability verification, and is ideal for identifying your sites and determining the degree of protection that is appropriate for each. Continuous Dynamic BE includes identification of technical vulnerabilities, verification of vulnerabilities to eliminate false positives, access to the Black Duck Threat Research Center (TRC) for support, and unlimited retesting to ensure your remediation strategies are effective.

Overview Item	Details
Concierge Onboarding	The Black Duck Implementation Team will: Schedule a video welcome call to review all pertinent information and requirements for onboarding. Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s). Deliver "Welcome" documentation and review customer deliverables to ensure successful on-boarding and utilization.
Continuous Dynamic Portal User Interface	The Portal user interface offers 24/7 Dashboard access to all your vulnerability information, including: Flexible Reports Executive summary and unit level aggregation of data in flexible formats. Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities. Compliance reports (PCI) available at any time. Access to Black Duck Engineers The Ask-a-Question feature gives direct access to TRC engineers. Questions can be submitted and responses received via the Portal UI. If the Ask-a-Question feature is enabled, questions can also be asked through the Continuous Dynamic JIRA® plugins, allowing customers to integrate Continuous Dynamic information directly into their issue tracking software. (24 hour response.)
Access to Customer Support	Customer Support is available in the Black Duck Community, where customers can view their cases, submit cases, or access Continuous Dynamic documentation and tools. You can click here to email Customer Support.
Verified Vulnerabilities	When a scan discovers a potential vulnerability, the potential vulnerability is reviewed using more than 17 years of data intelligence and human verification. Only once we have verified that the vulnerability is real and actionable will it be posted to your Portal interface, eliminating false positive alerts. Automated retesting is available on demand.
Proof of Concept	Black Duck will provide a proof of concept for vulnerabilities.
PCI Compliance	Continuous Dynamic (PE, SE, and BE) services exceed requirements of the PCI DSS providing on-going verified vulnerability assessments for both public and internal websites.
Open JSON and XML JSON and API Integration	In addition to developing plugins that integrate vulnerability data with JIRA®, Black Duck offers a RESTful JSON and XML-based API that enables customers to create their own integrations with Continuous Dynamic and utilize its data in their own applications. Support for Continuous Dynamic includes our API documentation and training (see http://apidocs.whitehatsec.com).

Overview Item

Details

Concierge Onboarding

The Black Duck Implementation Team will:

Schedule a video welcome call to review all pertinent information and requirements for onboarding.
Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s).
Deliver "Welcome" documentation and review customer deliverables to ensure successful on-boarding and utilization.

Continuous Dynamic Portal User Interface

The Portal user interface offers 24/7 Dashboard access to all your vulnerability information, including:

Flexible Reports
- Executive summary and unit level aggregation of data in flexible formats.
- Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities.
- Compliance reports (PCI) available at any time.
Access to Black Duck Engineers

The Ask-a-Question feature gives direct access to TRC engineers. Questions can be submitted and responses received via the Portal UI. If the Ask-a-Question feature is enabled, questions can also be asked through the Continuous Dynamic JIRA® plugins, allowing customers to integrate Continuous Dynamic information directly into their issue tracking software. (24 hour response.)

Access to Customer Support

Customer Support is available in the Black Duck Community, where customers can view their cases, submit cases, or access Continuous Dynamic documentation and tools.

You can click here to email Customer Support.

Verified Vulnerabilities

When a scan discovers a potential vulnerability, the potential vulnerability is reviewed using more than 17 years of data intelligence and human verification. Only once we have verified that the vulnerability is real and actionable will it be posted to your Portal interface, eliminating false positive alerts. Automated retesting is available on demand.

Proof of Concept

Black Duck will provide a proof of concept for vulnerabilities.

PCI Compliance

Continuous Dynamic (PE, SE, and BE) services exceed requirements of the PCI DSS providing on-going verified vulnerability assessments for both public and internal websites.

Open JSON and XML JSON and API Integration

In addition to developing plugins that integrate vulnerability data with JIRA®, Black Duck offers a RESTful JSON and XML-based API that enables customers to create their own integrations with Continuous Dynamic and utilize its data in their own applications. Support for Continuous Dynamic includes our API documentation and training (see http://apidocs.whitehatsec.com).

Continuous Dynamic DAST Standard Edition (SE)

Standard Edition (SE) includes all the features described under Continuous Dynamic BE. In addition, Continuous Dynamic SE offers a configured scan, designed to provide assessment for permanent web applications that use forms or authentication but that do not require the in-depth business logic testing provided by Continuous Dynamic PE. Continuous Dynamic SE offers all the features of Continuous Dynamic BE, but also features the following:

Customized Authenticated Scanning TRC engineers will configure your site to scan with one set of login credentials. While Continuous Dynamic BE includes authenticated scanning, no configuration is performed. With Continuous Dynamic SE, our engineers will configure our scanner to authenticate itself to even the most complicated login processes. If there is an issue with our scanner authenticating itself to the application, our engineers will take action to remedy the issue.
Full Configuration and Form Training TRC engineers will configure the scanner to properly fill out any forms on the web application with valid inputs, as well as teach the scanner to avoid unsafe forms.
Faster Results from Parse Scans A Parse Scan will be run on your site. This provides actionable results for certain vulnerability tests as soon as your onboarded application begins scanning. For details of the included tests, see Vulnerability Tests in Parse Scans.

Vulnerabilities found in Parse Scans are reviewed and verified in the same way as those found in full Vulnerability scans. For more information, see What is the difference between a DAST Parse Scan and a Vulnerability scan?.

Continuous Dynamic DAST Premium Edition (PE)

Premium Edition (PE) includes all the features described under Continuous Dynamic BE and SE. In addition, Continuous Dynamic PE includes business logic testing by our TRC engineers, and is designed to assess more complex, high-priority, or mission-critical web applications, including those using multi-step, form-based processes and authentication and those that require both technical and business logic testing.

Annual Business Logic Testing In the annual Business Logic Testing, a team of security engineers will map out and test your web application’s business logic and workflows, paying particular attention to privileges between and across roles and users. This additional testing by our engineers ensures that your business-critical applications are being thoroughly assessed against any form of attack a malicious user may attempt. Vulnerabilities discovered during the business logic assessment are reported in the Portal interface with specific details:
- A custom description of the vulnerability and how it is exploitable.
- Steps to reproduce the vulnerability.
- The location of the vulnerability.
- Request and response details.
- A vulnerability score aligned with PCI and CVSS.
- Recommended solutions and best practice.

Vulnerability Tests in Parse Scans

For SE and PE levels only, a subset of tests for the following DAST vulnerability classes is run in a Parse Scan:

Abuse of Functionality
Application Code Execution
Application Misconfiguration
Autocomplete Attribute
Brute Force
Content Spoofing
Cross Site Request Forgery
Directory Indexing
Fingerprinting
Frameable Resource
HTTP Response Splitting
Improper Input Handling
Information Leakage
Insufficient Transport Layer Protection
Missing Secure Headers
Server Misconfiguration
SQL Injection
Vulnerable Library

Not all tests for the documented vulnerability classes are included in Parse Scans.

Continuous Dynamic DAST Limitations

This service does not cover:

APIs (Separate product)
Client-side apps (Thick Clients)
Windows/Mac native apps
Plugin apps
ActiveX Silverlight

Applications with heavy use of asynchronous POST requests cannot be fully scanned via automated testing. However, pairing with a business logic assessment (Continuous Dynamic PE) can mostly mitigate this issue. Applications with anti-automation functionality cannot be scanned:

Dynamic links (links cannot be reused)
WebSphere
Anti-automation tokens
Sites that enforce requests are sent in a certain order
Other anti-automation techniques

Applications that require non-HTTP communication to use/authenticate:

Physical token keys
Two-factor authentication apart from Time-based One-time Password (TOTP), SMS, or email. SMS for authentication is supported provided texts come from a long-form number, e.g. 555-555-5555, and not a short-form number, e.g. 555-5555.