Continuous Dynamic Service Detail

Each service level has features that make it uniquely appropriate for specific business needs.

Continuous Dynamic BE

Concierge On-boarding

The Black Duck Implementation Team will:

  • Schedule a video welcome call to review all pertinent information and requirements for on-boarding.

  • Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s).

  • Deliver “Welcome” documentation and review customer deliverables to ensure successful on-boarding and utilization.

The Portal

The Continuous Dynamic Portal offers 24/7 Dashboard access to all your vulnerability information, including:

Flexible Reports

  • Executive summary and unit level aggregation of data in flexible formats.

  • Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities.

  • Compliance reports (PCI) available at any time.

Access to Black Duck Engineers

The Ask-a-Question feature gives direct access to Black Duck Threat Research Center (TRC) engineers. Questions can be submitted and responses received via the Continuous Dynamic Portal UI or via any of the plugins that let customers integrate Continuous Dynamic information directly into their IDE or SDLC tools (24-hour response).

Access to Customer Support via Internet, Email, and Phone

Customer Support is available in the Black Duck Community, where customers can view their cases, submit cases, or access Continuous Dynamic Documentation and Tools.

Customer Support is also available by email at support@whitehatsec.com.

Vulnerability Verification

Any time Sentinel finds a vulnerability, it flags the page and attack vector and sends a notification to the TRC. Using a combination of 18+ years of data intelligence and human verification, the TRC confirms that the vulnerability is true and actionable before posting it.

Vulnerabilities are grouped by the URL on which they are discovered, and then into the vulnerability classes defined in the Web Application Security Consortium Threat Classification v2 (WASC v2). The various methods of exploiting a discovered vulnerability are categorized by vulnerability parameters known as “attack vectors”.

Proof of Concept

Black Duck will provide a proof of concept for vulnerabilities.

PCI Compliance

Continuous Dynamic (PE, SE, and BE) services exceed the requirements of the PCI DSS by providing ongoing, verified vulnerability assessments for both public and internal websites.

Open JSON and XML API Integration

In addition to developing plugins that integrate Sentinel data with common SDLC tools such as Jenkins and JIRA®, Black Duck offers a RESTful JSON- and XML-based Continuous Dynamic API that enables customers to create their own integrations with Sentinel and use Sentinel data in their own applications. Support for Continuous Dynamic includes our API documentation and training (see https://apidocs.whitehatsec.com).

Continuous Dynamic SE

Continuous Dynamic SE offers all the features of Continuous Dynamic BE.

In addition, Continuous Dynamic SE features:

Customized Authenticated Scanning

Black Duck TRC engineers will configure your site to scan with one set of login credentials. While Continuous Dynamic BE includes authenticated scanning, no configuration is performed for it. With Continuous Dynamic SE, our engineers will configure our scanner to authenticate itself to even the most complicated login processes. If our scanner has trouble authenticating to the application, our engineers will take action to remedy the issue.

Full Configuration and Form Training

Black Duck TRC engineers will configure the scanner to properly fill out any forms on the web application with valid inputs, as well as teach the scanner to avoid unsafe forms.

Continuous Dynamic PE

Continuous Dynamic PE offers all the features of Continuous Dynamic BE and SE as well as annual business logic testing.

Annual Business Logic Testing

In the annual Business Logic Testing, a team of security engineers will map out and test your web application’s business logic and workflows, paying particular attention to privileges between and across roles and users. This additional testing by our engineers ensures that your business-critical applications are thoroughly assessed against any form of attack a malicious user may attempt. Vulnerabilities discovered during the business logic assessment are reported in the Portal interface with specific details:

  • A custom description of the vulnerability and how it is exploitable

  • Steps to reproduce the vulnerability

  • The location of the vulnerability

  • Request and response details

  • A vulnerability score aligned with PCI and CVSS

  • Recommended solutions and best practice