WhiteHat Sentinel Mobile


Our Mobile Application Security Testing combines Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and a one-time manual assessment. Android or iOS mobile applications can be assessed like any other static code using Sentinel Source; in addition, WhiteHat can provide a premium assessment from our dedicated team of mobile security experts in the Threat Research Center.

For a premium mobile assessment, WhiteHat will need to have access to both the source code and the compiled version of the application. The mobile team will examine the application and the application code for issues around the configuration settings, authentication/authorization, session management, anti-analysis, jailbreak/root detection, cryptography, data handling and storage, server-side controls, and secure coding best practices.

WhiteHat Sentinel Mobile Service Detail

WhiteHat Sentinel Mobile uses both Source and Dynamic testing to evaluate the security of your application both at the development level and in production. Manual Assessment is also available to customers using Sentinel Mobile.

Sentinel Mobile (Only)

  • Preservation of Intellectual Property: Sentinel Source was designed to fit within the way organizations work. Therefore, WhiteHat deploys a VM appliance at a customer’s site. No code is removed from the network. Because assessments are done on the premises and only small code snippets are available to WhiteHat engineers for verification, source code will not leave the developer’s site, eliminating the possibility of IP loss or theft. (Note that a manual assessment of a mobile application will require a more complete code review, and therefore the Sentinel Source Mobile Manual Assessment is not included in this list.)

  • Flexible Assessment Scheduling: Sentinel Source allows for a flexible assessment schedule. An assessment may be scheduled as soon as code is put into the repository, to gather immediate feedback; assessments may also be scheduled at a specific time every day, to reduce the risk that assessments will be delayed until the last minute. (Note that a manual assessment of a mobile application will require the intensive involvement of a Threat Research Engineer, and therefore the Sentinel Source Mobile Manual Assessment is not included in this list.)

Sentinel Mobile Manual Assessment (Only)

  • Annual Business Logic Testing: In the annual Business Logic Testing, a team of security engineers will map out and test your web application’s business logic and workflows, paying particular attention to privileges between and across roles and users. This additional testing by our engineers ensures that your business-critical applications are being thoroughly assessed against any form of attack a malicious user may attempt. Vulnerabilities discovered during the business logic assessment are reported in the Sentinel Interface with specific details:

    • A custom description of the vulnerability and how it is exploitable

    • Steps to reproduce the vulnerability

    • The location of the vulnerability

    • Request and response details

    • A vulnerability score aligned with PCI and CVSS

    • Recommended solutions and best practice

Sentinel Mobile and Sentinel Mobile Manual Assessment

Feature Details

Concierge Onboarding

The WhiteHat Implementation Team will:

  • Schedule a video welcome call to review all pertinent information and requirements for onboarding.

  • Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s).

  • Deliver “Welcome” documentation and review customer deliverables to ensure successful onboarding and utilization.

Sentinel User Interface

The Sentinel user interface offers 24/7 Dashboard access to all your vulnerability information, including:

  • Flexible Reports

    • Executive summary and unit level aggregation of data in flexible formats.

    • Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities.

    • Compliance reports (PCI) available at any time.

  • Access to WhiteHat Engineers

    The Ask-a-Question feature gives direct access to WhiteHat Security Threat Research Center (TRC) engineers. Questions can be submitted and responses received via the Sentinel UI or via any of the plugins available to allow customers to integrate Sentinel information directly into their IDE or SDLC tools. (24-hour response)

Access to Customer Support

Customer Support is available via the Customer Portal at https://whitehatsec.secure.force.com, where customers can view their cases, submit cases, or access WhiteHat documentation and tools.

Customer Support is also available Monday to Friday between 12:00 a.m. and 7:00 p.m. Pacific time at 408-343-8340, or by email to Customer Support.

Vulnerability Verification

When a Sentinel Source scan discovers a potential vulnerability, the potentially vulnerable code snippet is sent to our TRC engineers. Our engineers then personally verify that the vulnerability is real and actionable before posting it to your Sentinel interface, eliminating false positive alerts.

Code Coverage Review

Before WhiteHat Security finalizes any assessment, we review the code coverage, complete operational checklists intended to ensure completeness, and perform business logic mapping.

Open JSON and XML API Integration

In addition to developing plugins that integrate Sentinel data with common SDLC tools such as Jenkins and JIRA®, WhiteHat Security offers a RESTful JSON and XML-based API that enables customers to create their own integrations with Sentinel and utilize Sentinel data in their own applications. Support for Sentinel Dynamic includes our API documentation and training (see http://apidocs.whitehatsec.com).