Sentinel Source (SAST)
If you prefer to read the entire Continuous Dynamic Service Definition section in PDF format, you can view or print here. |
Continuous Dynamic offers three levels of SAST testing to cover all your security needs.
-
Sentinel Source Standard Edition (SE) is a full-service solution designed to incorporate security into your software development life cycle (SDLC). It enables you to assess your code as it is being developed and assists developers in identifying and remediating vulnerabilities before the code is pushed to production. As developers write code, containerize and upload it to a repository, Sentinel Source analyzes the code and identifies potential security vulnerabilities. Sentinel Source operates via our Sentinel Source engine housed on an installed VM image completely within your network. Any code snippets, including YAML configuration files, containing vulnerabilities identified by our automated Sentinel Source scanner are then sent to the Black Duck Threat Research Center (TRC) engineers to verify. Once verified, vulnerabilities are reported back to you either through the Sentinel Source user interface or directly into your bug-tracking system by integration with the Sentinel Source API.
-
Sentinel Source Essentials Edition (EE) provides raw SAST findings as soon as a scan is completed, without any TRC services such as scan review, vulnerability verification to weed out false positives, Directed Remediation, or Ask-a-Question. The EE service provides a lower cost SAST service for non-mission critical apps, assuming that you have the knowledge to self-verify any findings.
-
SCA - Essentials (SCA) rapidly and accurately identifies the third-party and open source components that have been integrated into your source applications. For each of these components, SCA identifies any open security common vulnerabilities and exposures (CVEs), licenses, and out-of-date library versions and age. SCA also creates a list of raw Unpatched Library findings, if any, for your source application as soon as a scan is complete. Applications onboarded using this service level will be limited to a maximum of 3M lines of code.
This lower cost development tool does not include static analysis (SAST) or the following TRC services: Scan Review, Vulnerability Verification, Ask-a-Question, and Directed Remediation. SCA is suitable for non-mission-critical apps and for customers who have the competence to self verify these raw findings.
Each service level has features that make it uniquely appropriate for specific business needs.
Sentinel SCA Essentials Edition (SCA)
SCA is a standalone software composition analysis automated security testing service that rapidly and accurately identifies the third-party and open source components used in your source applications. For each of these components, SCA identifies:
-
Any open security common vulnerabilities and exposures (CVEs)
-
Licenses
-
Out-of-date library versions and age
SCA also creates a list of raw Unpatched Library findings, if any, for your source application as soon as a scan is complete. Applications onboarded using this service level will be limited to a maximum of 3M lines of code.
This lower cost development service does not include static analysis (SAST) or the following TRC services: Scan Review, Vulnerability Verification,Ask-a-Question, and Directed Remediation. SCA is suitable for non-mission-critical apps and for customers who have the competence to self-verify these raw findings. The SCA service is included at no additional charge in Sentinel Source Standard Edition (SE) and Sentinel Source Essentials Edition (EE). Once you’ve purchased a license, you can add an SCA asset by going to the Assets Management page and selecting Add Application (SCA) from the Add Assets dropdown menu. For EE, select Add Application, and select Essentials Edition (EE) under service level.
SCA provides unverified findings that are identified by a gray V icon next to the Vulnerability ID, to differentiate them from verified findings, identified by a green V icon. These findings can be filtered by Verification Status on the Findings pages. If you determine that any of these unverified findings are false positives, you can mark them as Invalid by going to the Findings page, selecting them, and selecting Change Vulnerability Status from the Bulk Actions dropdown menu. SCA results for all your SAST and SCA applications are now available under a new Components tab, instead of under the Summary Dashboard.
Sentinel Source Essentials Edition (EE)
Essentials Edition (EE) is a new service level in Sentinel Source to provide raw SAST findings as soon as a scan is completed, without any TRC services such as scan review, vulnerability verification to weed out false positives, Directed Remediation, or Ask-a-Question. The EE service provides a lower cost SAST service for non-mission-critical apps, assuming that you have the knowledge to self-verify any findings.
You can now select the EE service level when adding a new asset. As before, license availability is checked and consumed when a Full Scan is requested. The selected service level will be displayed on the Asset Details page and unverified findings will be displayed on the Findings page with ability to filter them from other verified vulnerabilities. Finally, the Admin Account Overview page will show the license usage service level in addition to license type.
Sentinel Source Standard Edition (SE)
Sentinel Source SE is the full-service way to evaluate the security of your code as it is being developed.
Sentinel Source (SAST) Overview
Feature | Details |
---|---|
Concierge Onboarding |
The Black Duck Implementation Team will:
|
Flexible Reports: |
|
Access to Black Duck Engineers: |
The Ask-a-Question feature gives direct access to TRC engineers. Questions can be submitted and responses received via the Continuous Dynamic Portal UI. If the Ask-a-Question feature is enabled, questions can also be asked through the Sentinel JIRA® plugins, allowing customers to integrate WhiteHat information directly into their issue tracking software. (24 hour response.) |
Access to Customer Support |
Customer Support is available in the Black Duck Community, where customers can view their cases, submit cases, or access Continuous Dynamic documentation and tools. You can also click here to email Customer Support. |
Vulnerability Verification |
When a Sentinel Source scan discovers a potential vulnerability, the potentially vulnerable code snippet is sent to our TRC engineers. Our engineers then personally verify that the vulnerability is real and actionable before posting it to your Portal interface, eliminating false positive alerts. |
Code Coverage Review |
Before Black Duck finalizes any assessment, we review the code coverage, complete operational checklists intended to ensure completeness, and perform business logic mapping. |
Open XML and JSON API Integration |
In addition to developing plugins that integrate WhiteHat data with JIRA®, Black Duck offers a RESTful JSON XML-based Continuous Dynamic API that enables customers to create their own integrations with the Portal and utilize its data in their own applications. Support for Sentinel Source includes our API documentation and training (see http://apidocs.whitehatsec.com). |
Intellectual Property Preservation |
Sentinel Source was designed to fit within the way organizations work. Therefore, Black Duck deploys a VM appliance at a customer’s site. No code is removed from the network. Because assessments are done on the premises and only small code snippets are available to Black Duck engineers for verification, source code will not leave the developer’s site—eliminating the possibility of IP loss or theft. (Note that a manual assessment of a mobile application will require a more complete code review, and therefore the Sentinel Source Mobile Manual Assessment is not included in this list.) |
Flexible Assessment Scheduling |
Sentinel Source allows for a flexible assessment schedule. An assessment may be scheduled as soon as code is put into the repository, to gather immediate feedback; assessments may also be scheduled at a specific time every day, to reduce the risk that assessments will be delayed until the last minute. (Note that a manual assessment of a mobile application will require the intensive involvement of a Threat Research Engineer, and therefore the Sentinel Source Mobile Manual Assessment is not included in this list.) |
Proof of Concept |
For code vulnerabilities discovered via Sentinel Source, Black Duck will provide proof of concept for the vulnerability. |