The WhiteHat Portal Menu - Assets

From the Assets tab in the WhiteHat Portal you can review your assets and their status, add assets, or update asset information by asset or in bulk. Possible actions include setting the asset phase, asset status, asset tags, or scan schedule. For information on managing sites, applications, or APIs specifically, refer to Managing Your Sites, Managing Your Applications, Managing Your Mobile Applications, or Managing Your APIs.

For each asset listed, you will see any setup issues ("Needs Schedule," "Needs Codebase," "Codebase unreachable," "Needs Scanning Credentials," "1 of 1 Scanning Credentials Invalid," etc.). If you click on the issue shown, a popup will launch that allows you to remediate that issue.

The Asset Management tab will also show you the scan status, asset status, asset phase, asset type, scan schedule, and service level. The final column gives the total number of open vulnerabilities for the asset.

Additional actions or further information are also available by:

  • Using the Bulk Actions button

  • Clicking on the Vulnerability Count Link in the last column

  • Using the Quick Actions buttons under each asset name

Bulk Actions Button

You can act on multiple selected assets using the "Bulk Actions" button: select multiple assets, either manually or by using the filter and clicking the "select all" checkbox, and then choose the action you want to take. You can set the asset status, phase, tags, or schedule using the Bulk Actions button.

Click on the box next to "Name" to select all assets shown:

Under the Bulk Actions button, select Asset Phase, Asset Status, Asset Tags, or Scan Schedule.

The rightmost column of the Asset Management page lists the number of vulnerabilities currently open for that asset. If you click on the number, you will see the Asset Vulnerabilities broken down by rating.

If you click on the "See Details" link, you will see a list of the vulnerabilities by vuln ID.

Quick Actions

Under each asset listed, you will see the Quick Actions links.

These links will allow you to:

  • View asset details (quick view):
    Asset details include the primary and associated hostnames, any asset groups the asset is part of, the start and end dates of the last completed scan and links found, and the start date of the current scan and links found to date if any.

  • View or add asset tags (quick tag):
    Asset tags may be up to 25 characters, and can include only letters, numbers, the full stop (".") and underscore.

  • Export vulnerability reports for the asset as csv, pdf, or xml files (quick report):
    Reports will include vulnerability ID, status, rating, retest status, last retest, date opened, date closed, vuln class, asset name, service level, and any vuln tags.

Note that exported reports will be saved to your default download location.
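
An exported csv report can be reconciled offline against the per-rating breakdown the portal shows from the vulnerability count link. The following is an added example, not WhiteHat or Synopsys code: it tallies open vulnerabilities per asset by rating and reports rows whose rating it does not recognize. The column header spellings, the "open" status value, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Ratings in the order the portal's breakdown lists them (from this page).
RATINGS = ["Critical", "High", "Medium", "Low", "Note"]

# Constructed sample export. Header spellings and the "open"/"closed" status
# values are assumptions; match them to the first row of your own csv file.
SAMPLE_CSV = """\
vulnerability ID,status,rating,vuln class,asset name,service level
1001,open,Critical,SQL Injection,shop.example.com,PE
1002,open,High,Cross Site Scripting,shop.example.com,PE
1003,closed,High,Cross Site Scripting,shop.example.com,PE
1004,open,high,Information Leakage,api.example.com,SE
1005,open,Note,Fingerprinting,api.example.com,SE
1006,open,Urgent,Unknown,api.example.com,SE
"""

def open_findings_by_rating(csv_text, open_status="open"):
    """Return ({asset: Counter(rating -> open count)}, [rejected vuln IDs])."""
    canonical = {r.lower(): r for r in RATINGS}
    per_asset = defaultdict(Counter)
    rejected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"].strip().lower() != open_status:
            continue  # the portal's count covers open vulnerabilities only
        rating = canonical.get(row["rating"].strip().lower())
        if rating is None:
            rejected.append(row["vulnerability ID"])  # surface it, do not guess
            continue
        per_asset[row["asset name"].strip()][rating] += 1
    return dict(per_asset), rejected

def format_breakdown(per_asset):
    """One line per asset: total, then counts in the portal's rating order."""
    lines = []
    for asset in sorted(per_asset):
        counts = per_asset[asset]
        parts = ", ".join(f"{r}: {counts[r]}" for r in RATINGS)
        lines.append(f"{asset} total={sum(counts.values())} ({parts})")
    return lines

if __name__ == "__main__":
    breakdown, bad = open_findings_by_rating(SAMPLE_CSV)
    print("\n".join(format_breakdown(breakdown)))
    print("rows with unrecognized rating:", bad)
```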

Filtering Your Asset List

You can filter this page using the "Filter" button to the right side of the screen:

You can filter by any or all of the following:

  • Asset Name (full or partial)

  • Asset Type

  • Service Level (PE, SE, and BE, or Source)

  • Asset URL or URI (full or any part)

  • Assets with particular Scan Setup Issues (whether related to the codebase, credentials, or configuration)

  • Asset Tags (full or partial)

  • Asset Owner (by email/UID)

  • Asset Status (active, inactive, or all)

  • Asset Type (application, site, or all)

  • Custom Asset ID (a customer-defined field of up to 20 characters)

  • WhiteHat Asset ID (one or more pre-existing, Synopsys-determined Asset IDs)

  • Scan Status

  • Schedule

  • Schedule Time Zone (all assets with scan schedules set to the chosen time zone)

  • Client (if a multi-client customer)

  • Group (a group of assets including sites, applications, or both)

  • Vulnerability Rating (assets with one or more vulnerabilities at a particular rating)

Sites are those production or pre-production sites with web applications to be assessed by Sentinel. Applications are code bases or binaries, and may or may not yet be in production or pre-production. Applications are assessed by Sentinel Source.

Sites and Applications taken together are Assets.

From here you can select specific assets and edit the asset phase, status, or tags, set schedules, add a new asset (application or site), or export asset information as a .csv file.

Understanding the Asset Table

The Asset Management page will show the Asset Name, Scan Setup Status, Scan Status, Asset Status, Asset Phase (if any), a findings summary for each asset, the asset assessment schedule, asset type, and service level.

Where a site is an active web site in production or pre-production, scanned dynamically, an application is code (or a binary file) in a repository or an archive that Sentinel Source will assess for vulnerabilities. An Application is defined by a name, a language, and a code base - either a code repository or an archive. For more information, please see Managing Your Sites or Managing Your Applications.

Column Label Explanation

Name

This is the name of the asset in question. If you click on the "i" icon, you will see a popup that includes asset information, including any groups of which that asset is a member.

Scan Setup Issues

Assessments cannot be performed appropriately without scan setup information; "Scan Setup Issues" will identify which issues, if any, are present, including codebase absent or unreachable, credentials absent or invalid, or satellite configuration incomplete. Click on the issue link to go to a screen that will allow you to edit the asset information as required.

Scan Status

The status of your asset scan may be any of "Scan Running," "Stopped," "Paused for Schedule," "Scanning w/o Credentials," "WHS Updating Configuration," or "Completed".

Scan Running

indicates that the scan is currently in progress.

Stopped

indicates that the scan has run into a problem or issue and is currently suspended.

Paused for Schedule

indicates that the scan was not complete when the end of a scheduled scan period was reached, and will resume as soon as your schedule allows.

Scanning w/o Credentials

indicates that a scan is in progress, but that scanning is being performed without access credentials.

WHS Updating Configuration

indicates that Synopsys is updating the asset scan configuration.

Complete

indicates that the asset in question has completed its current scan.

Asset Status

The Asset Status will be "Active" or "Inactive" as set by the customer.

Asset Phase

The Asset Phase is a customer-set indicator of the asset’s point in the SDLC — Production, pre-production, QA, etc.

Asset Type

Application (code base) or Site (hostname).

Schedule

The Schedule column indicates the type of schedule that has been set for this asset — Continuous, Nights and Weekends (6pm to 8am), or Nights (6pm to 8am) and Weekends (24-hours). (Custom schedules can also be set by Synopsys' Customer Success team.)

Service Level

The Service Level contracted for this asset — Sentinel BE, SE, or PE, or PL-E for WhiteHat Dynamic, or Sentinel SE, EE, or SCA for Sentinel Source.

Client

Customers who are set up as multi-client will also see a column here showing the client to which this asset belongs.

Findings

The findings column shows you a total for the open vulnerabilities that have been identified for that asset; clicking on the number will show you a breakdown of the open vulnerabilities by rating (Critical, High, Medium, Low, or Note). For additional information, click on the "See Details" link in the upper right corner of the popup screen. This will bring up a list of the vulnerabilities by vuln ID.

For specific information on managing Sites, Applications, Mobile Applications, or APIs, please see the relevant sections of this document.
