Production Safety

If you prefer to read the entire Continuous Dynamic Service Definition section in PDF format, you can view or print here.

Continuous Dynamic services have been designed from the very beginning to be extremely safe for production web applications. Our maxim at Black Duck is "Do no harm" or, put more casually, we like to ask "Is this important?" before running a scan, rather than asking "Was that important?" afterward. By default, Continuous Dynamic operates "production-safe." This means that Continuous Dynamic only performs tests that will not permanently change the state of the system. So, you can be confident that we will safely scan your production business websites during business or high-traffic hours. To make sure we maintain little to no impact on your application, we’ll need you to let us know if any of the following exists on your application:

  • State-changing functionality performed via GET request

  • Areas of the application or specific functionality you’d like us to refrain from testing

Key Features

In addition, we have implemented three key features that are unique to Continuous Dynamic that ensure that our testing remains completely safe for your production websites.

  1. Customized Configuration

    The Black Duck Threat Research Center (TRC) manually reviews your web application and customizes Continuous Dynamic testing for safety and thoroughness. Every input, state changing request (POST request), or sensitive functionality is carefully analyzed by a human TRC engineer. Our engineers check this functionality first for safety, then for depth and coverage.

    This is especially applicable to administrative level functionality—things like create/delete users or groups. This kind of functionality is deemed unsafe to test in an automated fashion and Continuous Dynamic will be configured not to place these sensitive requests. Instead, a security engineer can check this functionality by hand in order to ensure little to no impact on the application. Examples of functionality that are commonly deemed unsafe:

    • Creation and deletion of users or data

    • Contact us features that involve sending email

    • Updating/Editing Profile or account data

    • Leaving comments or forum posts (Submit functionality)

      When an input or area of functionality is deemed safe for automated testing, a security engineer configures Continuous Dynamic to submit valid data in order to get further into the application.

      Customized Configuration Example: A website has a "create user" page that requires a valid address and email address in order to successfully complete. A security engineer recognizes that these inputs are required and trains Continuous Dynamic to submit valid information in order to get through this page. This action is repeated as long as the submitted request is deemed safe until the functionality is thoroughly covered. As part of the configuration process, TRC engineers also examine every link discovered by Continuous Dynamic to ensure overall coverage and to streamline the automated assessment for safe and efficient scanning.

  2. Non-Invasive Testing

    Many scanners bombard your site with hundreds or thousands of simultaneous requests, running the risk of negatively affecting or even bringing down the site being tested. Instead, Continuous Dynamic uses single-threaded requests during the automated portion of the web application assessment; much like a real user, Continuous Dynamic sends a request to your website and waits for a response before submitting the next request. In addition, by default Continuous Dynamic will place a maximum of four requests per second for a given set of credentials. (You can control this cap from the Continuous Dynamic Portal interface.) This approach ensures that your production sites never receive an unexpected heavy load of requests coming from our scanner.

  3. Continuous Dynamic Will Not Execute Live Code

    By leveraging customized testing methodology unique to Continuous Dynamic in combination with our TRC’s vulnerability verification process, Continuous Dynamic is able to detect vulnerabilities safely without executing live code on your web application. You are guaranteed that Continuous Dynamic will never execute live code in an automated fashion on your website. This greatly reduces the chance of negatively impacting the application.

Tracking Our Assessment Activities

As well as these production safety measures, we also provide clients with two easy methods of tracking all assessment activity:

Custom Watermark A "Black Duck Software" user agent header is added to all requests that originate from Continuous Dynamic. This allows you to create filters to monitor our activity, or to exclude certain alerts or warnings.

Sample watermark:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Black_Duck_Software

For sites onboarded before October 25, 2024, the user agent header will contain the string WhiteHat Security and not Black_Duck_Software (the old header will not be changed retroactively).

If there is a specific watermark you would like us to use, let us know and we can customize the user agent header to include it.

IP Address Allow List

All Continuous Dynamic scans or manual work will come from one of our IP addresses or IP address ranges. Which IP addresses should you add to your allow list?

  • Non-EU Customers: If your company does not reside in the EU and you are not restricting access to US Black Duck employees, allowlist all IPs within this column.

  • EU Customers: If your company resides in the EU, allowlist all IPs within this column.

    Non-EU Customers EU Customers

    • 104.45.216.22

    • 162.223.124.0/27

    • 3.72.175.49

    • 3.76.244.88

    • 18.194.206.33

    • 54.93.186.146

    • 54.229.46.147

    • 148.253.176.50

    • 194.46.129.108