Using the WhiteHat Visual Studio Plugin

Launch Visual Studio.

From the Tools pull-down menu, select WhiteHat Sentinel IDE.

[Screenshot: vsu1]

Logging In

Standard Authentication Process

In the plugin window, enter your API Key (preferred) or your Sentinel username and password, and click Login:

[Screenshot: vsu2]

Obtaining Your Sentinel API Key

To obtain your Sentinel API key, you must log into Sentinel and select My Profile in the upper-right corner. Select the API Key tab, enter your password, and then click Authenticate. After you authenticate successfully, you will see your API key. Copy the API key to your clipboard and paste it into the API Key field when logging into the WhiteHat Sentinel Plugin for Visual Studio, as described in the previous section.

[Screenshot: api key]

Reviewing Your Vulnerabilities

Select the application you want to review from the drop-down list and click on the filter icon.

[Screenshot: vsu3]

From here you can search for vulnerabilities by Vuln ID, Vuln Status, Rating, or date opened: enter your filter parameters and click on the filter icon.

Double-click on a specific Vuln ID in the list to see the trace IDs and the associated code snippets for that vulnerability. (Double-clicking any vulnerability on the Manage Vulnerabilities tab takes you to the Debug Vulnerabilities tab.)

[Screenshot: vsu4]

Click on the caret next to the Vuln ID to see the Attack Vector IDs, and click on the caret next to the Attack Vector ID to see the Attack Vector Types, Source Code Locations, etc.

Click on a specific attack vector type to see the associated code snippet; double-click to bring up that code in your environment.

If no source code snippet is displayed, click Specify Source Folder and browse until the correct file is displayed, then double-click the file name.

[Screenshot: vsu5]

If the plugin cannot find the exact snippet string in your current code (for example, because the line has been edited since the scan), it falls back to looking for the method that contained it.

[Screenshot: vsu6]

If the method has also changed and cannot be identified, you will see an error:

[Screenshot: vsu7]
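The three outcomes described above (snippet found, fallback to the enclosing method, or an error when neither can be identified) are easy to reason about with a small matcher. The code below is an added illustration written for this page, not the plugin's own matching logic, and it assumes a simplified model: the scanner stored one flagged line and the name of the method that contained it, and the plugin searches the current file for the line first and the method declaration second. The C# file and the scanner records are constructed sample data.

```python
import re
from typing import Optional, Tuple

# Constructed sample: a C# file as it looks after the developer rewrote the
# line that the scan originally flagged (the query now uses a parameter).
SAMPLE_SOURCE = """\
using System.Data.SqlClient;

public class UserRepository
{
    public User FindByName(string name)
    {
        // this line was rewritten after the scan, so the stored snippet no longer matches
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);
        cmd.Parameters.AddWithValue("@name", name);
        return Map(cmd.ExecuteReader());
    }
}
"""

# Constructed scanner records: the line that was flagged and its enclosing method.
# (Hypothetical field names; the real finding format is not shown on this page.)
FINDING_UNCHANGED = {
    "snippet": 'cmd.Parameters.AddWithValue("@name", name);',
    "method": "FindByName",
}
FINDING_LINE_EDITED = {
    "snippet": 'var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = \'" + name + "\'", conn);',
    "method": "FindByName",
}
FINDING_METHOD_RENAMED = {
    "snippet": 'var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = \'" + name + "\'", conn);',
    "method": "GetUserByName",
}


def locate_finding(source: str, snippet: str, method: str) -> Tuple[str, Optional[int]]:
    """Map a stored finding onto the current source.

    Returns ("snippet", line) when the flagged line is still present verbatim,
    ("method", line) when only the enclosing method declaration can be found,
    and ("error", None) when neither matches (the method has changed).
    """
    lines = source.splitlines()

    # Step 1: look for the exact snippet, ignoring leading/trailing whitespace.
    wanted = snippet.strip()
    for number, line in enumerate(lines, start=1):
        if line.strip() == wanted:
            return ("snippet", number)

    # Step 2: fall back to the method declaration, e.g. "FindByName(".
    declaration = re.compile(r"\b" + re.escape(method) + r"\s*\(")
    for number, line in enumerate(lines, start=1):
        if declaration.search(line):
            return ("method", number)

    # Step 3: neither found; this is the "method cannot be identified" error case.
    return ("error", None)


def resolve(finding: dict, source: str = SAMPLE_SOURCE) -> Tuple[str, Optional[int]]:
    """Convenience wrapper: resolve one constructed finding against the sample file."""
    return locate_finding(source, finding["snippet"], finding["method"])


if __name__ == "__main__":
    for label, finding in (("unchanged", FINDING_UNCHANGED),
                           ("line edited", FINDING_LINE_EDITED),
                           ("method renamed", FINDING_METHOD_RENAMED)):
        print(f"{label:15s} -> {resolve(finding)}")
```

Running the script prints the three cases in order: the unchanged finding resolves to the exact line, the edited line degrades to the method declaration, and the renamed method produces the error outcome, which is the situation in which you would re-scan rather than trust the stale location.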

In addition to the code snippet, the WhiteHat Plugin shows you a general description of and solution for the vulnerability, lets you ask WhiteHat Security Engineers a question and see their response, and, where available, shows directed remediation advice.

Select the corresponding tab to see each kind of information.

Description

The "Description" tab will offer a description of the vulnerability class in question, as in the example below:

[Screenshot: description tab]

Solution

The "Solution" tab will offer an approach to resolving the vulnerability class in question, as in the example below:

[Screenshot: solution tab]

Directed Remediation

The "Directed Remediation" tab will offer one or more suggested changes to the code that will remediate the vulnerability in question, as shown below:

[Screenshot: suggested change]

Note: The Directed Remediation tab only appears for C# applications.

You may base your code changes on the examples given, or copy and paste the code directly, or download the code as a patch using the "Download Patch" link.

Note: If you download the patch or copy and paste the code, you may also need to download the dependencies (there is a "Download Dependencies" link next to "Download Patch"). Unless the dependencies are downloaded and installed, the new code may not compile. This link takes you to a zipped file in WhiteHat’s Customer Portal, which you will need to download and install (the file name will be similar to "remediation.security-api-1.0-SNAPSHOT.jar.zip").

Ask a Question

In addition, the Q&A tab offers the opportunity to ask questions about this vulnerability and receive answers directly from WhiteHat Security Threat Research Engineers.

[Screenshot: qanda]

If questions or answers already exist for this vulnerability, you will see them in the list on the Q&A tab.

Clicking on "Ask a Question" brings up a dialog box in which you can enter a question about this vulnerability and receive answers directly from WhiteHat Security Threat Research Engineers, as shown below:

[Screenshot: ask a question]

Enter your question and click on "Submit."

Once a question has been submitted or answered, it appears in the list on the Q&A tab.