Sentinel Mobile

If you prefer to read the entire Continuous Dynamic Service Definition in PDF format, a printable version is available.

Our Mobile Application Security Testing combines Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and a one-time manual assessment. Android and iOS applications can be assessed like any other source code using Sentinel Source; in addition, Black Duck can provide a premium assessment by our dedicated team of mobile security experts in the Threat Research Center.

For a premium mobile assessment, Black Duck needs access to both the source code and the compiled version of the application. The mobile team examines the running application and its code for issues in configuration settings, authentication and authorization, session management, anti-analysis protections, jailbreak/root detection, cryptography, data handling and storage, server-side controls, and secure coding best practices.

Sentinel Mobile Service Detail

Sentinel Mobile uses both Source and Dynamic testing to evaluate the security of your application at the development level and in production. A Manual Assessment is also available to customers using Sentinel Mobile.

Sentinel Mobile (Only)

  • Preservation of Intellectual Property: Sentinel Source was designed to fit the way organizations already work, so Black Duck deploys a VM appliance at the customer’s site. Assessments run on the premises, and the full source code does not leave the developer’s network; only the small code snippets needed to verify a finding are made available to Black Duck engineers. This keeps the exposure of intellectual property to a minimum. (Note that a manual assessment of a mobile application requires a more complete code review, so the Sentinel Source Mobile Manual Assessment is not included in this list.)

  • Flexible Assessment Scheduling: Sentinel Source allows for a flexible assessment schedule. An assessment may be triggered as soon as code is committed to the repository, to give immediate feedback, or scheduled at a fixed time every day, so that assessments are not delayed until the last minute. (Note that a manual assessment of a mobile application requires the intensive involvement of a Threat Research Engineer, so the Sentinel Source Mobile Manual Assessment is not included in this list.)

Sentinel Mobile Manual Assessment (Only)

  • Annual Business Logic Testing: In the annual Business Logic Testing, a team of security engineers maps out and tests your application’s business logic and workflows, paying particular attention to privilege boundaries between and across roles and users. This additional testing by our engineers ensures that your business-critical applications are assessed against the kinds of attack a malicious user may attempt, not only the flaws automated scanning can find. Vulnerabilities discovered during the business logic assessment are reported in the Continuous Dynamic Portal interface with specific details:

    • A custom description of the vulnerability and how it can be exploited

    • Steps to reproduce the vulnerability

    • The location of the vulnerability

    • Request and response details

    • A vulnerability score aligned with PCI and CVSS

    • Recommended solutions and best practices

Sentinel Mobile and Sentinel Mobile Manual Assessment

Feature Details

Concierge Onboarding

The Black Duck Implementation Team will:

  • Schedule a video welcome call to review all pertinent information and requirements for onboarding.

  • Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s).

  • Deliver “Welcome” documentation and review customer deliverables to ensure successful onboarding and utilization.

Continuous Dynamic Portal User Interface

The Portal offers 24/7 Dashboard access to all your vulnerability information, including:

  • Flexible Reports

    • Executive summary and unit level aggregation of data in flexible formats.

    • Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities.

    • Compliance reports (PCI) available at any time.

  • Access to Black Duck Engineers

    The Ask-a-Question feature gives direct access to Black Duck Threat Research Center (TRC) engineers. Questions are submitted and answered through the Portal UI. If the Ask-a-Question feature is enabled, questions can also be asked through the Sentinel JIRA® plugins, allowing customers to integrate Continuous Dynamic information directly into their issue tracking software. (24-hour response time.)

Access to Customer Support

Customer Support is available in the Black Duck Community, where customers can view their cases, submit cases, or access Continuous Dynamic documentation and tools.


Vulnerability Verification

When a Sentinel Source scan discovers a potential vulnerability, the potentially vulnerable code snippet is sent to our TRC engineers. An engineer personally verifies that the vulnerability is real and actionable before it is posted to your Portal interface, so the findings you see have already been screened for false positives.

Code Coverage Review

Before Black Duck finalizes any assessment, we review the code coverage, complete operational checklists intended to ensure completeness of the assessment, and perform business logic mapping.

Open JSON and XML API Integration

In addition to the plugins that integrate vulnerability data with JIRA®, Black Duck offers a RESTful API with JSON and XML output that lets customers build their own integrations with Continuous Dynamic and use its data in their own applications. Support for Continuous Dynamic includes API documentation and training (see http://apidocs.whitehatsec.com).