Onboarding FAQ

General

  1. What does a "Site" asset refer to?
    This refers to an asset applicable to WhiteHat Sentinel Dynamic testing (DAST).

  2. What does an "Application" asset refer to?
    This refers to an asset applicable to WhiteHat Sentinel Source static testing (SAST).

  3. What is the difference between the dynamic service levels?

    • Sentinel Dynamic BE - The Basic (BE) service level is ideal for site discovery and for static sites.

    • Sentinel Dynamic SE - The Standard (SE) service level is appropriate for permanent websites that use forms and logins but are not necessarily mission-critical for your business.

    • Sentinel Dynamic PE - The Premium (PE) service level is appropriate for complex, mission-critical sites. It includes all the testing involved in the Standard service level, with the addition of business logic and multi-step form testing. PE is particularly appropriate for sites with rigorous compliance requirements and/or complex interactions.

  4. Are there video tutorials available for Sentinel fundamentals?
    Video tutorials for Sentinel are available from here: Video Tutorials.

Setup times

  1. What permissions are necessary for onboarding?
    Permissions need to be enabled on the backend for an account to complete the onboarding process. If you need help with these permissions, reach out to the support team or, if you’re not the primary contact for the account, have the primary contact reach out on your behalf.

  2. What is the average time between initial setup and full scan results for DAST?
    Currently the average time between configuration and full scan results for PE and SE DAST testing is two weeks.

  3. What is the average time from initial setup to initial vulnerability assessment results for SAST?
    Currently we aim for the initial assessment of vulnerabilities to be completed in ten days for SAST SE. Vulnerabilities found in subsequent scans should be reviewed within one or two business days.

  4. What is the average time from initial setup to initial vulnerability assessment results for mobile SE (MAST)?
    Currently the average time for mobile SE is three days after initial configuration. On average it can take two weeks for both iOS and Android assets.

DAST

  1. What is the difference between a DAST Parse Scan and a Vulnerability Scan?
    By default, all DAST assessments start with a Parse Scan before moving on to Vulnerability Scans. The Parse Scan is a faster scan that is recommended for the initial assessment phase, during which TRC will verify your credentials once received and configure the site for authenticated scanning. TRC then manually adds entry points and tests any forms on the site, adding them to the scan if they are production safe, which results in proper site coverage. For Vulnerability Scans, within 24 business hours of the first vulnerability scan completing, any scanner-found vulnerabilities should be present in the Findings tab in Sentinel. Vulnerability Scans can be enabled at any time during the initial assessment if required, but this will slow down obtaining full results.

  2. What could cause delays to my assessment timeline?
    Potential delays to the assessment timeline can be caused by:

    • Not using a continuous scan schedule

    • Slow server response times

    • Site size

    • Access issues

    • Ignoring any open support cases from the TRC

  3. Can I enable vulnerability scans during initial assessment?
    Users can enable vulnerability scans during initial assessments; however, following our normal process will provide scan results faster overall. If you require vulnerability scans to be enabled sooner than our normal recommended process, you should contact support.

  4. If my site is external, do I need to set up a virtual machine (VM) for DAST testing?
    No, if the site is external, then no VM is necessary.

  5. If my site is internal, do I need to set up a VM for DAST testing?
    Not necessarily: no VM is needed if whitelisting IP addresses will allow WhiteHat access to your site.

  6. If my site is internal and only available on our internal network, do I need to set up a VM?
    Yes, in this case a VM is necessary.

Base URL

  1. Do I need to provide a file path when onboarding the Base URL?
    The Base URL needs to give a 200 OK response or similar; if that means including the file path in the Base URL, you will need to include it.

  2. Do I need to put a URL rule in place?
    If you require us to only scan from a certain file path and not from the base URL, you will need to put a URL rule in place. If not, our scanner always tries to scan from the base domain.

  3. Can I swap the URL once onboarding has started?
    No, unless you have a Swap license you cannot swap the URL once onboarding has started.

  4. Can I make changes to my site’s server port numbers after onboarding?
    No, if you want to change server port numbers you have to re-onboard that asset.

  5. Is the scanning production safe?
    Yes, Sentinel has been designed to be extremely safe for production. You can read more about Production Safety here.

  6. What is automatic form training?
    Automatic form training is a more aggressive scanning method whereby the scanner will inject on any and all forms it comes across, regardless of production safety. This method of scanning should only be done on pre-production environments. You must request and give us express permission on a per-asset basis to enable automatic form training. This must be done by the main point of contact for the account.

Associated hostnames (AHNs)

  1. What are the requirements for adding an AHN?
    The requirements for adding an AHN are as follows:

    • Logging into one login portal with the same set of credentials must allow a user to reach authenticated content on both the base domain and any AHN.

    • If the same session does not allow access to a proposed AHN, it must be considered a separate site for the purposes of licensing and assessment (i.e. a new license is required). A common example would be the login functionality being hosted on a different subdomain, such as: secure.example.com, but the main content of the application being www.example.com. It would still be possible to configure the scan to authenticate to www.example.com since we would only be requesting the resource found on secure.example.com for authentication purposes, but the login functionality itself and any other resources found on secure.example.com would be excluded from the assessment if not requested as an AHN.

    • An AHN or domain must be determined to be a Necessary Hostname if it seems to be a part of the main site and vital to how the main site functions. Requests must be made to it as a natural consequence of authenticating to or browsing the main site.
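    The first requirement above hinges on one thing a browser decides mechanically: whether the session cookie issued by the login portal is in scope for the candidate hostname. The following Python script is an added example, not WhiteHat's code and not part of the original FAQ. It takes the Set-Cookie headers a login portal returns and applies the RFC 6265 domain-matching rules to a list of candidate hostnames, so you can see before raising a case which candidates share the base domain's session (plausible AHNs) and which do not (likely separate sites). The hostnames, cookie names and header values are constructed sample data; the browser's public-suffix check is deliberately left out.

```python
"""Pre-check for Associated Hostname (AHN) candidates (added example).

Given the Set-Cookie headers returned by the base domain's login portal,
decide for each candidate hostname whether a browser would send the session
cookie there. A hostname the session cookie never reaches cannot satisfy the
"same session reaches authenticated content on both hosts" requirement and
is more likely a separate site. Domain matching follows RFC 6265 section
5.1.3; the public-suffix check browsers also apply is deliberately omitted.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class CookieScope:
    name: str
    domain: str       # effective domain, lower-case, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: equal, or host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, request_host: str) -> CookieScope:
    """Derive the scope of one Set-Cookie header value, as a browser would.

    Raises ValueError when the Domain attribute does not cover the host that
    set the cookie, because a browser silently discards such a cookie.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    domain_attr, secure = "", False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain_attr = value.strip().lower().lstrip(".")
        elif key == "secure":
            secure = True
    if not domain_attr:
        # Host-only cookie: sent back to the exact request host only.
        return CookieScope(name, request_host.lower(), True, secure)
    if not domain_matches(request_host, domain_attr):
        raise ValueError(f"{name}: Domain={domain_attr} does not cover {request_host}")
    return CookieScope(name, domain_attr, False, secure)


def cookie_sent_to(cookie: CookieScope, host: str, https: bool = True) -> bool:
    """Would a browser attach this cookie to a request for `host`?"""
    if cookie.secure and not https:
        return False
    if cookie.host_only:
        return host.lower() == cookie.domain
    return domain_matches(host, cookie.domain)


def triage_ahn_candidates(login_host, set_cookie_headers, session_cookie_name, candidates):
    """Map each candidate AHN to True (session cookie reaches it) or False."""
    scopes = [parse_set_cookie(h, login_host) for h in set_cookie_headers]
    session = next(s for s in scopes if s.name == session_cookie_name)
    return {host: cookie_sent_to(session, host) for host in candidates}


# Constructed sample: headers a login portal at www.example.com might return.
LOGIN_HOST = "www.example.com"
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",
    "csrftoken=xyz789; Path=/; Secure",   # host-only: no Domain attribute
]
CANDIDATES = ["secure.example.com", "api.example.com", "example.com",
              "example.com.evil.test", "sso.example.org"]

if __name__ == "__main__":
    result = triage_ahn_candidates(LOGIN_HOST, SAMPLE_HEADERS, "SESSIONID", CANDIDATES)
    for host, shared in result.items():
        verdict = "shares session (AHN candidate)" if shared else "separate session (likely separate site)"
        print(f"{host:24} {verdict}")
    # The host-only csrftoken never leaves www.example.com, so every candidate is False.
    print(triage_ahn_candidates(LOGIN_HOST, SAMPLE_HEADERS, "csrftoken", CANDIDATES))
```

    A True result only means the cookie would be sent; whether the candidate host actually honours it and serves authenticated content still has to be confirmed by browsing there in the same logged-in session. A hostname that only ever returns False (a different registrable domain, or a host-only session cookie) is the "separate site" case described above.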

  2. Can I list a Single Sign On (SSO) site as an AHN?
    Not usually. Single Sign On (SSO) sites usually do not meet the “Necessary Hostname” requirement as stated.

Credentials

  1. What credentials do I need to provide for DAST scanning?
    You must provide two sets of unique credentials of the highest user level that you want us to scan with.

  2. Are additional credentials needed for Business Logic Assessments (BLA)?
    Yes, two additional sets of unique credentials for PE/BLA of the highest user level that you want us to test with.

  3. Can I scan unauthenticated?
    Yes, you can disable credentials from the Scan tab in Sentinel. You can also disable BLA credentials from the Services tab; find out more here.

  4. What if my site uses Captcha?
    If your site uses Captcha, it will need to be either disabled (which can be done by whitelisting our IP addresses) or bypassed with a static token that will always work.

  5. Do you have the ability to self-provision credentials?
    Yes, if your site has a registration function, we can self-register credentials instead of you provisioning them. You can add a note to the Additional Notes section when onboarding if you’d like us to do this for you.

  6. What if my site uses two-factor authentication?
    If your site uses 2FA, we support Email and SMS authentication, or a static SMS token can be provided as a solution. Please note that the non-static SMS option requires an additional fee.

BLAs

  1. Do I have to schedule BLAs myself?
    Yes, you must schedule the BLA yourself, as they operate on a "use it or lose it" basis.

  2. Will the BLA test more than one set of credentials?
    The BLA will only test one set of credentials fully. Privilege level tests can be done on two other sets of credentials, i.e. a second admin-level account for horizontal testing and one lower user level for vertical testing. By default we fully test the highest privilege level provided unless otherwise specified.

  3. What happens if my BLA has been put on hold before the BLA has started?
    If a BLA gets put on hold, you must respond to any support cases and stay in communication with us for the resolution of any issues. If not, the BLA will be cancelled and you will have to reschedule it.

  4. What happens if I don’t respond to my case if my BLA is put on hold after the BLA has started?
    If you do not respond within two weeks for minor issues such as credentials, or four weeks for major issues such as the site being inaccessible or missing functionality, the BLA will be closed and marked complete. The BLA then cannot be reopened on this BLA license.

  5. Does the current state of my site matter?
    Our manual assessors will need to know if the site contains live data and if they have permission to test it.

  6. Do I have to provide dummy data for testing?
    If dummy data will not work for testing forms, you must provide us with examples of information that will work, e.g. an employee ID. You can attach this via the Notes or Attachments in the Services tab in Sentinel.

Virtual Machine Scanning

  1. What are the requirements for VM Scanning?
    The installation and system requirements can be found here.

  2. If I’m using a DAST VM, do I need to have DNS resolution set up on my appliance?
    We recommend that you have DNS set up. If you do not have DNS set up, you will need to provide the site’s internal IP address.

  3. How many VMs will I need for SAST?
    If your licensing totals more than five million LOC, you will likely be required to set up additional VMs.

Cloud Scanning

  1. Can I use Cloud Scanning instead of a VM?
    Yes, cloud scanning can be used if you don’t want to host a VM.

  2. Can I schedule regular cloud scans?
    No, with cloud scanning you cannot schedule a regular scan.

SAST

  1. Do I have to separate my application into smaller assets?
    Potentially, depending on how your application is set up. Each asset should represent a single version of an application that runs in a single environment, on a single host. For example, the front end should be a separate asset from the back end.

  2. What is the difference between Pre Scan and Full Scan?
    Pre Scan is a parse-only scan to check that we can access the code, ensure that you are within your license-allotted LOC, and check for missing dependencies. Pre Scan does not identify vulnerabilities or consume any WhiteHat licenses. Full Scan is a deep scan that identifies vulnerabilities, which are then confirmed by WhiteHat TRC. Full Scan requires and consumes an appropriate license.

  3. How can I tell if I’m getting full coverage?
    You can use the LOC count or Extensions Scanned for a quick reference, or check the File Coverage section for a more in-depth coverage report.

  4. For SAST scanning, what happens if a vulnerability is raised that I have a fix for in a different part of my code?
    You may get a false positive as a result of WhiteHat Security not having access to all of your code. If you have a remediation for a vulnerability located in a different part of your code, you can simply use the Ask a Question feature to explain this to us, so that we can review and close the vulnerability.

Mobile

  1. What are the requirements for Mobile onboarding?
    More information on Sentinel Mobile onboarding can be found here. A video tutorial for onboarding mobile assets can be found here.

  2. Does Mobile BLA require me to set up Secure File Transfer Protocol (SFTP)?
    Yes, you must upload both the Mobile Onboarding form and the binary to SFTP. When you are ready, WhiteHat Security will provide SFTP credentials for you to use.

API SE

  1. Can I enable POSTs and PUTs to be scanned?
    Yes, but these are not production safe.

  2. What if my API has POSTs and PUTs enabled?
    These requests are not production safe.

  3. Are custom login configurations available for APIs?
    No, custom login configurations are not supported, although custom headers can be added.

  4. Why is my POST request not working for the login configuration?
    You may need to use a GET request instead.

API BLA

  1. How many operations can I test with one API BLA license?
    Each license that you have represents one operation that WhiteHat Security can test; i.e. if you have 10 API BLA licenses, WhiteHat Security can test 10 operations.

  2. Do I have to provide any API documentation?
    Documentation is required from you about your API. It must contain:

    • All of the endpoint URLs

    • All known parameters and values associated with each parameter

    • Any credentials or tokens required for authentication

    • Working examples in a full HTTP request form

    • Documentation for usage of the API

  3. Can I schedule the BLA after I have sent the API documentation?
    After you send the documentation to the Service Engineer (SE) via a case for review, and the SE confirms that it has the expected number of operations and everything we need for the assessment, we will onboard the site for you.

Support

  1. How do I access the Customer Support Portal?
    Log in to the Customer Support Portal here.

  2. How do I create a support case?
    You can either email support@whitehatsec.com, which automatically creates a case, or log in to the Community Portal and create a case there. If you email support, please wait until we respond before emailing again so that we can attach a reference number to the email. This enables all further communication to be logged under the same case; otherwise, each email would create a separate support case. Also, please note that a new support case should be used for each unique topic.

  3. What if I’d like to request a call with the support team?
    If your question requires a subject matter expert (e.g. a vulnerability question), we require a minimum of 48 hours’ advance notice (the longer the notice given, the better). When making the request for the call, please provide your questions and/or as much detail as possible.

  4. How do I contact the support team?
    You can log in to the Community Portal and contact them by creating or responding to a case. If you do not have Community Portal access you can email support@whitehatsec.com. You can also call (408) 343-8340.