WhiteHat Sentinel Source (SAST)

If you prefer to read the entire WhiteHat Service Definition section in PDF format, you can view or print here.

Synopsys offers three levels of WhiteHat SAST testing to cover all your security needs.

  • Sentinel Source Standard Edition (SE) is a full-service solution designed to incorporate security into your software development life cycle (SDLC). It enables you to assess your code as it is being developed and assists developers in identifying and remediating vulnerabilities before the code is pushed to production. As developers write code, containerize and upload it to a repository, Sentinel Source analyzes the code and identifies potential security vulnerabilities. Sentinel Source operates via our Sentinel Source engine housed on an installed VM image completely within your network. Any code snippets, including YAML configuration files, containing vulnerabilities identified by our automated Sentinel Source scanner are then sent to the Synopsys Threat Research Center (TRC) engineers to verify. Once verified, vulnerabilities are reported back to you either through the Sentinel Source user interface or directly into your bug-tracking system by integration with the Sentinel Source API.

  • Sentinel Source Essentials Edition (EE) provides raw SAST findings as soon as a scan is completed, without any TRC services such as scan review, vulnerability verification to weed out false positives, Directed Remediation, or Ask-a-Question. The EE service provides a lower cost SAST service for non-mission critical apps, assuming that you have the knowledge to self-verify any findings.

  • SCA - Essentials (SCA) rapidly and accurately identifies the third-party and open source components that have been integrated into your source applications. For each of these components, SCA identifies any open security common vulnerabilities and exposures (CVEs), licenses, and out-of-date library versions and age. SCA also creates a list of raw Unpatched Library findings, if any, for your source application as soon as a scan is complete. Applications onboarded using this service level will be limited to a maximum of 3M lines of code.

    This lower cost development tool does not include static analysis (SAST) or the following Synopsys TRC services: Scan Review, Vulnerability Verification, Ask-a-Question, and Directed Remediation. SCA is suitable for non-mission-critical apps and for customers who have the competence to self verify these raw findings.

Each service level has features that make it uniquely appropriate for specific business needs.

Sentinel SCA Essentials Edition (SCA)

SCA is a standalone software composition analysis automated security testing service that rapidly and accurately identifies the third-party and open source components used in your source applications. For each of these components, SCA identifies:

  • Any open security common vulnerabilities and exposures (CVEs)

  • Licenses

  • Out-of-date library versions and age

SCA also creates a list of raw Unpatched Library findings, if any, for your source application as soon as a scan is complete. Applications onboarded using this service level will be limited to a maximum of 3M lines of code.

This lower cost development service does not include static analysis (SAST) or the following Synopsys TRC services: Scan Review, Vulnerability Verification,Ask-a-Question, and Directed Remediation. SCA is suitable for non-mission-critical apps and for customers who have the competence to self-verify these raw findings. The SCA service is included at no additional charge in Sentinel Source Standard Edition (SE) and Sentinel Source Essentials Edition (EE). Once you’ve purchased a license, you can add an SCA asset by going to the Assets Management page and selecting Add Application (SCA) from the Add Assets dropdown menu. For EE, select Add Application, and select Essentials Edition (EE) under service level.

SCA provides unverified findings that are identified by a gray V icon next to the Vulnerability ID, to differentiate them from verified findings, identified by a green V icon. These findings can be filtered by Verification Status on the Findings pages. If you determine that any of these unverified findings are false positives, you can mark them as Invalid by going to the Findings page, selecting them, and selecting Change Vulnerability Status from the Bulk Actions dropdown menu. SCA results for all your SAST and SCA applications are now available under a new Components tab, instead of under the Summary Dashboard.

Sentinel Source Essentials Edition (EE)

Essentials Edition (EE) is a new service level in Sentinel Source to provide raw SAST findings as soon as a scan is completed, without any TRC services such as scan review, vulnerability verification to weed out false positives, Directed Remediation, or Ask-a-Question. The EE service provides a lower cost SAST service for non-mission-critical apps, assuming that you have the knowledge to self-verify any findings.

You can now select the EE service level when adding a new asset. As before, license availability is checked and consumed when a Full Scan is requested. The selected service level will be displayed on the Asset Details page and unverified findings will be displayed on the Findings page with ability to filter them from other verified vulnerabilities. Finally, the Admin Account Overview page will show the license usage service level in addition to license type.

Sentinel Source Standard Edition (SE)

WhiteHat Source SE is the full-service way to evaluate the security of your code as it is being developed.

Sentinel Source (SAST) Overview

Feature Details

Concierge Onboarding

The Synopsys Implementation Team will:

  • Schedule a Webex welcome call to review all pertinent information and requirements for onboarding.

  • Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s).

  • Deliver 'Welcome' documentation and review customer deliverables to ensure a successful onboarding and utilization.

Flexible Reports:

  • Executive summary and unit level aggregation of data in flexible formats.

  • Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities.

  • Compliance reports (PCI) available at any time.

Access to Synopsys Engineers:

The Ask-a-Question feature gives direct access to Synopsys Threat Research Center (TRC) engineers. Questions can be submitted and responses received via the WhiteHat Portal UI. If the Ask-a-Question feature is enabled, questions can also be asked through the Sentinel JIRA® plugins, allowing customers to integrate WhiteHat information directly into their issue tracking software. (24 hour response.)

Access to Customer Support

Customer Support is available via the Synopsys Software Integrity Community at https://community.synopsys.com/s/, where customers can view their cases, submit cases, or access WhiteHat Dynamic documentation and tools.

Customer Support is also available Monday to Friday between 12:00 a.m. and 7:00 p.m. Pacific time at 408-343-8340, or click here to email Customer Support.

Vulnerability Verification

When a Sentinel Source scan discovers a potential vulnerability, the potentially vulnerable code snippet is sent to our TRC engineers. Our engineers then personally verify that the vulnerability is real and actionable before posting it to your WhiteHat Portal interface, eliminating false positive alerts.

Code Coverage Review

Before Synopsys finalizes any assessment, we review the code coverage, complete operational checklists intended to ensure completeness, and perform business logic mapping.

Open XML and JSON API Integration

In addition to developing plugins that integrate WhiteHat data with JIRA®, Synopsys offers a RESTful JSON XML-based WhiteHat API that enables customers to create their own integrations with the WhiteHat Portal and utilize its data in their own applications. Support for Sentinel Source includes our API documentation and training (see http://apidocs.whitehatsec.com).

Intellectual Property Preservation

Sentinel Source was designed to fit within the way organizations work. Therefore, Synopsys deploys a VM appliance at a customer’s site. No code is removed from the network. Because assessments are done on the premises and only small code snippets are available to Synopsys engineers for verification, source code will not leave the developer’s site—eliminating the possibility of IP loss or theft. (Note that a manual assessment of a mobile application will require a more complete code review, and therefore the Sentinel Source Mobile Manual Assessment is not included in this list.)

Flexible Assessment Scheduling

Sentinel Source allows for a flexible assessment schedule. An assessment may be scheduled as soon as code is put into the repository, to gather immediate feedback; assessments may also be scheduled at a specific time every day, to reduce the risk that assessments will be delayed until the last minute. (Note that a manual assessment of a mobile application will require the intensive involvement of a Threat Research Engineer, and therefore the Sentinel Source Mobile Manual Assessment is not included in this list.)

Proof of Concept

For code vulnerabilities discovered via Sentinel Source, Synopsys will provide proof of concept for the vulnerability.