WhiteHat Sentinel Mobile


Our Mobile Application Security Testing combines Dynamic Analysis (DAST), Static Analysis (SAST), and a one-time manual assessment. Android or iOS mobile applications can be assessed like any other static code using Sentinel Source; in addition, Synopsys can provide a premium assessment from our dedicated team of mobile security experts in the Threat Research Center.

For a premium mobile assessment, Synopsys will need to have access to both the source code and the compiled version of the application. The mobile team will examine the application and the application code for issues around the configuration settings, authentication/authorization, session management, anti-analysis, jailbreak/root detection, cryptography, data handling and storage, server-side controls, and secure coding best practices.

WhiteHat Sentinel Mobile Service Detail

WhiteHat Sentinel Mobile uses both Source and Dynamic testing to evaluate the security of your application both at the development level and in production. Manual Assessment is also available to customers using Sentinel Mobile.

Sentinel Mobile (Only)

  • Preservation of Intellectual Property: Sentinel Source was designed to fit within the way organizations work. Therefore, Synopsys deploys a VM appliance at a customer’s site. No code is removed from the network. Because assessments are done on the premises and only small code snippets are available to Synopsys engineers for verification, source code will not leave the developer’s site—eliminating the possibility of IP loss or theft. (Note that a manual assessment of a mobile application will require a more complete code review, and therefore the Sentinel Source Mobile Manual Assessment is not included in this list.)

  • Flexible Assessment Scheduling: Sentinel Source allows for a flexible assessment schedule. An assessment may be scheduled as soon as code is put into the repository, to gather immediate feedback; assessments may also be scheduled at a specific time every day, to reduce the risk that assessments will be delayed until the last minute. (Note that a manual assessment of a mobile application will require the intensive involvement of a Threat Research Engineer, and therefore the Sentinel Source Mobile Manual Assessment is not included in this list.)

Sentinel Mobile Manual Assessment (Only)

  • Annual Business Logic Testing: In the annual Business Logic Testing, a team of security engineers will map out and test your web application’s business logic and workflows, paying particular attention to privileges between and across roles and users. This additional testing by our engineers ensures that your business-critical applications are being thoroughly assessed against any form of attack a malicious user may attempt. Vulnerabilities discovered during the business logic assessment are reported in the WhiteHat Portal interface with specific details:

    • A custom description of the vulnerability and how it is exploitable

    • Steps to reproduce the vulnerability

    • The location of the vulnerability

    • Request and response details

    • A vulnerability score aligned with PCI and CVSS

    • Recommended solutions and best practice

Sentinel Mobile and Sentinel Mobile Manual Assessment

Feature Details

Concierge Onboarding

The Synopsys Implementation Team will:

  • Schedule a video welcome call to review all pertinent information and requirements for onboarding.

  • Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s).

  • Deliver “Welcome” documentation and review customer deliverables to ensure successful onboarding and utilization.

WhiteHat Portal User Interface

The WhiteHat Portal offers 24/7 Dashboard access to all your vulnerability information, including:

  • Flexible Reports

    • Executive summary and unit level aggregation of data in flexible formats.

    • Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities.

    • Compliance reports (PCI) available at any time.

  • Access to Synopsys Engineers

    The Ask-a-Question feature gives direct access to Synopsys Threat Research Center (TRC) engineers. Questions can be submitted and responses received via the WhiteHat Portal UI. If the Ask-a-Question feature is enabled, questions can also be asked through the Sentinel JIRA® plugins, allowing customers to integrate WhiteHat information directly into their issue tracking software. (24 hour response.)

Access to Customer Support

Customer Support is available via the Synopsys Software Integrity Community at https://community.synopsys.com/s/, where customers can view their cases, submit cases, or access WhiteHat Dynamic documentation and tools.


Vulnerability Verification

When a Sentinel Source scan discovers a potential vulnerability, the potentially vulnerable code snippet is sent to our TRC engineers. Our engineers then personally verify that the vulnerability is real and actionable before posting it to your WhiteHat Portal interface, eliminating false positive alerts.

Code Coverage Review

Before Synopsys finalizes any assessment, we review the code coverage, complete operational checklists intended to ensure completeness, and perform business logic mapping.

Open JSON and XML API Integration

In addition to developing plugins that integrate WhiteHat data with JIRA®, Synopsys offers a RESTful JSON and XML-based WhiteHat API that enables customers to create their own integrations with the WhiteHat Portal and utilize its data in their own applications. Support for WhiteHat Dynamic includes our API documentation and training (see http://apidocs.whitehatsec.com).