Onboarding FAQ

General

  1. What does a "Site" asset refer to?
    This refers to an asset tested by WhiteHat Dynamic (DAST).

  2. What does an "Application" asset refer to?
    This refers to an asset tested by Sentinel Source (SAST).

  3. What is the difference between the dynamic service levels?

    • WhiteHat Dynamic BE - The Basic (BE) service level is ideal for site discovery and for static sites.

    • WhiteHat Dynamic SE - The Standard (SE) service level is appropriate for permanent websites that use forms and logins but, are not necessarily mission-critical for your business.

    • WhiteHat Dynamic PE - The Premium (PE) service level is appropriate for complex mission-critical sites. It includes all the testing involved in the Standard service level, with the addition of business logic and multi-step form testing. PE is particularly appropriate for sites with rigorous compliance requirements and/or complex interactions.

  4. Are video tutorials available for the fundamentals of the WhiteHat Portal?
    Video tutorials for the Portal are available here: Video Tutorials.

Setup times

  1. What permissions are necessary for onboarding?
    Permissions need to be enabled on the backend for an account to complete the onboarding process. If you need help with these permissions reach out to the support team or, if you’re not the primary contact for the account, have the primary contact reach out on your behalf.

  2. What is the average time between initial setup and full scan results for DAST?
    Currently, the average length of time between initial asset configuration and the receipt of full scan results for PE and SE DAST testing is 3-5 business days. This depends on all necessary information being provided: an accessible site, valid site credentials, and a defined scan schedule. The average time is also affected by the size of the site.

  3. What is the average time between initial vulnerability assessment scan results for SAST?
    Currently we aim for initial assessment of vulnerabilities to be completed in ten days for SAST: SE. Vulnerabilities found in subsequent scans should be reviewed within one or two business days.

  4. What is the average time between initial vulnerability assessment scan results for mobile SE (MAST)?
    Currently the average time for mobile SE takes three days after initial configurations. On average it can take two weeks for both iOS and Android assets.

DAST

  1. What is the difference between a DAST Parse-Only scan and a Vulnerability scan?
    For WhiteHat DAST SE and PE licenses only, all DAST assessments start with an initial Parse-Only scan before moving to a full Vulnerability scan. The Parse-Only scan provides actionable results for certain vulnerability tests as soon as your onboarded application begins scanning, with results posted near instantly on the Findings tab. For details of the included tests, see Vulnerability Tests in Parse-Only Scans. Be aware that not all tests for the documented vulnerability classes are included in Parse-Only scans.

    The Parse-Only Scan is part of the initial assessment phase, during which the TRC will:

    • Verify your credentials (once received).

    • Configure the site for authenticated scanning.

    • Add entry points.

    • Test any forms on the site, adding them to the scan if production safe, which results in proper site coverage.

      For WhiteHat DAST BE licenses, all DAST assessments start with a Vulnerability scan. Within 24 business hours of the first Vulnerability scan completing, you should see scanner-found vulnerabilities in the Findings tab in the Portal. Vulnerability scans can be enabled at any time during the initial assessment if required, but this will result in full results being obtained more slowly.

  2. What could cause delays to my assessment timeline?
    Potential delays to the assessment timeline can be caused by:

    • Not using a continuous scan schedule

    • Slow server response times

    • Site size

    • Access issues

    • Ignoring any open support cases from the TRC

  3. Can I enable vulnerability scans during initial assessment?
    Users can enable vulnerability scans during initial assessments, however following our normal processes will provide scan results faster overall. If you require vulnerability scans to be enabled sooner than our normal recommended process, you should contact support.

  4. If my site is external, do I need to set up a virtual machine (VM) for DAST testing?
    No, if the site is external, then no VM is necessary.

  5. If my site is internal, do I need to set up a VM for DAST testing?
    Not necessarily, adding Synopsys' IP addresses to an allow list will provide us with access to your site.

  6. If my site is internal and only available on our internal network, do I need to set up a VM?
    Yes, in this case a VM is necessary.

Base URL

  1. Do I need to provide a file path when onboarding the Base URL?
    The Base URL needs to give a 200 OK response or similar, if that means including the filepath for the Base URL, the user will need to include it.

  2. Do I need to put a URL rule in place?
    If you require us to only scan from a certain file path and not from the base URL, you will need to put a URL rule in place. If not, our scanner always tries to scan from the base domain.

  3. Can I swap URL once onboarding has started?
    No, unless you have a Swap license you cannot swap the URL once onboarding has started.

  4. Can I make changes to my site’s server port numbers after onboarding?
    No, if you want to change server port numbers you have to re-onboard that asset.

  5. Is the scanning production safe?
    Yes, WhiteHat Dynamic has been designed to be extremely safe for production. You can read more about Production Safety here.

Associated hostnames (AHNs)

  1. What are the requirements for adding an AHN?
    The requirements for adding an AHN are as follows:

    • Logging into one login portal with the same set of credentials must allow a user to reach authenticated content on both the base domain and any AHN.

    • If the same session does not allow access to a proposed AHN, it must be considered a separate site for the purposes of licensing and assessment (i.e., a new license is required). A common example would be the login functionality being hosted on a different subdomain, such as: secure.example.com, but the main content of the application being www.example.com. It would still be possible to configure the scan to authenticate to www.example.com since we would only be requesting the resource found on secure.example.com for authentication purposes, but the login functionality itself and any other resources found on secure.example.com would be excluded from the assessment if not requested as an AHN.

    • An AHN or domain must be determined to be a Necessary Hostname if it seems to be a part of the main site and vital to how the main site functions. Requests must be made to it as a natural consequence of authenticating to or browsing the main site.

  2. Can I list a Single Sign On (SSO) site as an AHN?
    Not usually. Single Sign On (SSO) sites usually do not meet the “Necessary Hostname” requirement as stated.

  3. How many AHNs can I add to the scope of a license?
    Ten, we cannot make exceptions for more. If more are needed, you must purchase an additional license.

Credentials

  1. What credentials do I need to provide for DAST scanning?
    You must provide two sets of unique credentials of the highest user level that you want us to scan with.

  2. Are additional credentials needed for Business Logic Assessments (BLA)?
    Yes, two additional sets of unique credentials for PE/BLA of the highest user level that you want us to test with.

  3. Can I scan unauthenticated?
    Yes, you can disable credentials from the Scan tab in the Portal. You can also disable BLA credentials from the Services tab, find out more here.

  4. What if my site uses Captcha?
    If your site uses Captcha it will need to either be disabled, which can be done via adding our IP addresses to an allow list, or by providing a static token that will always work to bypass the Captcha.

  5. Do you have the ability to self provision credentials?
    Yes, if your site has a registration function, we can self-register credentials instead of provisioning them yourself. You can add a note to the Additional Notes section when onboarding if you’d like us to do this for you.

  6. What if my site uses two-factor or multi-factor authentication?
    If your site uses 2FA, we support Email and SMS authentications, or a static SMS token can be provided as a solution. Please note that the non-static SMS option requires an additional fee. The email address you must use for email authentication is provided on request through support.

    We also support sites that implement Multi-Factor Authentication (MFA) using a time-based one-time password (TOTP) token generated in an authenticator app, such as Google Authenticator or Duo Mobile. For more information, see Setting up Time-based One-time Password (TOTP) MFA.

  7. Can you scan more than one user level per license?
    No, during a contract we can only scan a single user level. Additional user level scanning would require the purchase of additional licences.

  8. Can I use the same credentials between sites?
    We highly recommend using completely unique credentials between sites. If not, depending on how your system is configured, it may result in credential lockouts and other issues.

BLAs

  1. Do I have to schedule BLAs myself?
    Yes, you must schedule the BLA yourself, as they operate on a "use it or lose it basis".

  2. Will the BLA test more than one set of credentials?
    The BLA will only test one set of credentials fully. Privilege level tests can be done on two other sets of credentials, i.e. a second admin level for horizontal testing, and one lower user level for vertical testing. By default, we fully test the highest privilege level provided unless otherwise specified.

  3. What happens if my BLA has been put on hold before the BLA has started?
    If a BLA gets put on hold, you must respond to any support cases and stay in communication with us for the resolution of any issues. If not, the BLA will be canceled and you will have to reschedule it.

  4. What happens if I don’t respond to my case if my BLA is put on hold after the BLA has started?
    If you do not respond within two weeks for minor issues like credentials, or four weeks for major issues like the site is inaccessible or missing functionality, the BLA will be closed and marked complete. The BLA then cannot be reopened on this BLA license.

  5. Does the current state of my site matter?
    Our manual assessors will need to know if the site contains live data and if they have permission to test it.

  6. Do I have to provide dummy data for testing?
    If dummy data will not work for testing forms, you must provide us with examples of information that will work e.g. employee ID. You can attach this via the Notes or Attachments in the Services tab in the Portal.

Virtual Machine Scanning

  1. What are the requirements for VM Scanning?
    The installation and system requirements can be found here.

  2. If I’m using a DAST VM, do I need to have DNS resolution set up on my appliance?
    We recommend that you have DNS set up. If you do not have DNS set up, you will need to provide the site’s internal IP address.

  3. How many VM’s will I need for SAST?
    If your licensing totals more than five million LOC, you will likely be required to set up additional VMs.

Cloud Scanning

  1. Can I use Cloud Scanning instead of a VM?
    Yes, cloud scanning can be used if you don’t want to host a VM.

  2. Can I schedule a regular cloud scan?
    No, with cloud scanning you cannot schedule a regular scan.

SAST

  1. Do I have to separate my application into smaller assets?
    Potentially, depending on how you have your application set up, each asset should represent a single version of an application that runs in a single environment, on a single host. For example, the front end should be a separate asset from the backend.

  2. What is the difference between Pre Scan and Full Scan?
    Pre Scan is a parse-only scan to check that we can access the site, ensure that you are within your license allotted LOC, and to check for missing dependencies. Pre Scan does not identify vulnerabilities or consume any WhiteHat licenses. Full Scan is a deep scan that identifies vulnerabilities which are then confirmed by Synopsys TRC. Full Scan requires and consumes an appropriate license.

  3. How can I tell if I’m getting full coverage?
    You can use an LOC count or Extensions Scanned for a quick reference, or check the File Coverage section for a more in-depth coverage report.

  4. For SAST scanning, what happens if a vulnerability is raised that I have a fix for in a different part of my code?
    You may get a false positive as a result of Synopsys not having access to all of your code. If you have a remediation for a vulnerability located in a different part of your code, you can simply use the Ask a Question feature to explain this to us, so that we can review and close the vulnerability.

Mobile

  1. What are the requirements for Mobile onboarding?
    More information on Sentinel Mobile onboarding can be found here. A video tutorial for onboarding mobile assets can be found here.

  2. Does Mobile BLA require me to set up Secure File Transfer Protocol (SFTP)?
    Yes, you must upload both the Mobile Onboarding form and the binary to SFTP. When you are ready, Synopsys will provide SFTP credentials for you to use.

API SE (AutoAPI)

  1. Can I enable POSTs and PUTs to be scanned?
    Yes, but these are not production safe.

  2. What if my API has POSTs and PUTs enabled?
    These requests are not production safe.

  3. Are custom login configurations available for APIs?
    No, custom login configurations are not supported, although custom headers can be added.

  4. Why is my POST request not working for the login configuration?
    You may need to use a GET request instead.

API BLA

  1. How many operations can I test with one API BLA license?
    Each license that you have represents one operation that Synopsys can test, i.e. if you have 10 API BLA licenses, Synopsys can test 10 operations.

  2. Do I have to provide any API documentation?
    Documentation is required from you about your API. It must contain:

    • All of the endpoint URLs

    • All known parameters and values associated with each parameter

    • Any credentials or tokens required for authentication

    • Working examples in a full HTTP request form

    • Documentation for usage of the API

  3. Do I need to provide the documentation in a specific format?
    Yes, provide the documentation in Postman-compatible or SoapUI-compatible collections. If it does not come in one of the following formats, the assessment could potentially take significantly longer to complete.

    • Postman-compatible documentation in JSON or YAML format:

      • Open API 3.0 specifications

      • Swagger 2.0 specifications

      • Postman Collection v2.1

    • SoapUI compatible documentation:

      • WSDL format (file or URL)

      • REST API in XML format

      • SoapUI projects

  4. Can I schedule the BLA after I have sent the API documentation?
    Once the documentation is sent to the Sales Engineer (SE) via a case to review, they confirm that it has the expected number of operations and everything needed for the assessment is present, after that we will onboard the site and schedule the BLA on your behalf.

Findings

  1. What is the difference between automatic and manual retesting?
    The difference between automatic and manual retesting is that automatic retesting is denoted by a computer icon on the Findings tab and can be retested automatically within 30 minutes. Manual retesting is denoted by a person icon on the Findings tab and needs to be retested by a person which requires up to 24 business hours.

  2. I’m having trouble reproducing a finding. What might be wrong?
    If you’re having trouble duplicating a finding, make sure you’re using the data from the Vulnerability Detail page’s Description and Solution section. If a proof of concept (POC) is provided, make use of it. Also, ensure that you’re accessing your site with the same configurations as Synopsys, otherwise you may get a different result. If you’re still having problems, please use the Ask a Question feature to contact our customer support team. Please do not use this for retest requests as you can simply click the Retest button on the Findings tab or the Vulnerability Detail page.

  3. Can I see what request and response your scanner saw when testing a finding?
    Yes, you can view the vector details by clicking the Vector ID on the Vulnerability Detail page. The Vector Detail page displays both the manipulated request sent, and the vulnerable response received.

Support

  1. How do I access the Customer Support Portal ?
    Log in to the Synopsys Software Integrity Community.

  2. How do I create a support case?
    We prefer if you use the Synopsys Software Integrity Community to create cases. You can either log in to the Community and create a case, or email support@whitehatsec.com, which will automatically create a case. Note that if you email support, please wait until we respond before emailing again so that we can attach a reference number to the email. This enables all further communication to be logged under the same case. Otherwise, each email would create a separate support case. Also, please note that a new support case should be used for each unique topic.

  3. What if I’d like to request a call with the support team?
    If your question requires a subject matter expert, i.e. a vulnerability question, we require a minimum of 48 hours advanced notice, the longer the notice given, the better. When making the request for the call, please provide questions and/or as much detail as possible.

  4. How do I contact the support team?
    Log in to the Synopsys Software Integrity Community and contact Support by creating or responding to a case. If you do not have Community access you can email support@whitehatsec.com.