Sentinel Source Service Detail
Black Duck offers three levels of WhiteHat SAST services. Each service level has features that make it uniquely appropriate for specific business needs.
Sentinel SCA Essentials Edition (SCA)
SCA is a standalone software composition analysis automated security testing service that rapidly and accurately identifies the third-party and open source components used in your source applications.
For each of these components, SCA identifies:
- Any open Common Vulnerabilities and Exposures (CVEs)
- Licenses
- Out-of-date library versions and age
SCA also creates a list of raw Unpatched Library findings, if any, for your source application as soon as a scan is complete. Applications onboarded using this service level will be limited to a maximum of 3M lines of code.
This lower cost development service does not include static analysis (SAST) or the following Black Duck TRC services: Scan Review, Vulnerability Verification, Ask-a-Question, and Directed Remediation. SCA is suitable for non-mission-critical apps and for customers who have the competence to self-verify these raw findings.
The SCA service is included at no additional charge in Sentinel Source Standard Edition (SE) and Sentinel Source Essentials Edition (EE).
Once you’ve purchased a license, you can add an SCA asset by going to the Assets Management page and selecting Add Application (SCA) from the Add Assets dropdown menu. For EE, select Add Application, and select Essentials Edition (EE) under service level.
SCA provides unverified findings that are identified by a gray V icon next to the Vulnerability ID, to differentiate them from verified findings, identified by a green V icon. These findings can be filtered by Verification Status on the Findings pages. If you determine that any of these unverified findings are false positives, you can mark them as Invalid by going to the Findings page, selecting them, and selecting Change Vulnerability Status from the Bulk Actions dropdown menu.
SCA results for all your SAST and SCA applications are now available under a new Components tab, instead of under the Summary Dashboard.
Sentinel Source Essentials Edition (EE)
Essentials Edition (EE) is a new service level in Sentinel Source to provide raw SAST findings as soon as a scan is completed, without any TRC services such as scan review, vulnerability verification to weed out false positives, Directed Remediation, or Ask-a-Question. The EE service provides a lower cost SAST service for non-mission-critical apps, assuming that you have the knowledge to self-verify any findings.
You can now select the EE service level when adding a new asset. As before, license availability is checked and consumed when a Full Scan is requested. The selected service level will be displayed on the Asset Details page and unverified findings will be displayed on the Findings page with ability to filter them from other verified vulnerabilities. Finally, the Admin Account Overview page will show the license usage service level in addition to license type.
Sentinel Source Standard Edition (SE)
WhiteHat Source SE is the full-service way to evaluate the security of your code as it is being developed.
Concierge Onboarding
The Black Duck Implementation Team will:
- Schedule a Webex welcome call to review all pertinent information and requirements for onboarding.
- Review all onboarding logistics (e.g. account set-up, purchase review) and verify and validate site specification(s).
- Deliver “Welcome” documentation and review customer deliverables to ensure a successful onboarding and utilization.
The Continuous Dynamic Portal User Interface
The Continuous Dynamic Portal offers 24/7 Dashboard access to all your vulnerability information, including:
Flexible Reports
- Executive summary and unit-level aggregation of data in flexible formats.
- Trend monitoring, including remediation rate, time to fix vulnerabilities, and age of vulnerabilities.
- Compliance reports (PCI) available at any time.
Access to Black Duck Engineers
The Ask-a-Question feature gives direct access to Black Duck Threat Research Center (TRC) engineers. Questions can be submitted and responses received via the Portal UI or via any of the plugins available to allow customers to integrate Continuous Dynamic information directly into their IDE or SDLC services, with a 24-hour response time.
Access to Customer Support via Internet, Email, and Phone
Customer Support is available in the Black Duck Community, where customers can view their cases, submit cases, or access Continuous Dynamic Documentation and Tools.
Customer Support is also available by email at support@whitehatsec.com.
Vulnerability Verification
When a Sentinel Source scan discovers a potential vulnerability, the potentially vulnerable code snippet (including YAML configuration files) is sent to our TRC engineers. Our engineers then personally verify that the vulnerability is real and actionable before posting it to your Portal interface, eliminating false positive alerts.
Code Coverage Review
Before Black Duck finalizes any assessment, we review the code coverage, complete operational checklists intended to ensure completeness, and perform business logic mapping.
Open XML and JSON API Integration
In addition to developing plugins that integrate Sentinel data with common SDLC/IDE services, Black Duck offers a RESTful JSON/XML-based Continuous Dynamic API that enables customers to create their own integrations with Sentinel and use Sentinel data in their own applications. Support for Sentinel Source includes our API documentation and training (see https://apidocs.whitehatsec.com).
Preservation of Intellectual Property
Sentinel Source was designed to fit within the way organizations work. Therefore, Black Duck deploys a VM appliance at a customer’s site. No code is removed from the network. Because assessments are done on the premises and only small code snippets (including YAML configuration files) are available to Black Duck engineers for verification, source code will not leave the developer’s site, eliminating the possibility of IP loss or theft. (Note that a manual assessment of a mobile application will require a more complete code review, and therefore the Sentinel Source Mobile Manual Assessment is not included in this list.)
Flexible Assessment Scheduling
Sentinel Source allows for a flexible assessment schedule. An assessment may be scheduled as soon as code is containerized and put into the repository to gather immediate feedback; assessments may also be scheduled at a specific time every day, to reduce the risk that assessments will be delayed until the last minute. (Note that a manual assessment of a mobile application will require the intensive involvement of a Threat Research Engineer, and therefore the Sentinel Source Mobile Manual Assessment is not included in this list.)