Continuous Dynamic Testing Methodology
Black Duck offers vulnerability assessment throughout the software development life cycle.
Continuous Dynamic (DAST) Methodology
Continuous Dynamic offers vulnerability assessments for web applications in production or pre-production. The Continuous Dynamic scanner tests the application based on logical conditions established by the Threat Research Center; it discovers vulnerable behavior rather than being restricted to specific known issues. As new attacks are discovered, the TRC augments this testing to ensure that they are also detected, and those tests are created and updated on a daily basis.
The Threat Research Center will monitor and configure the scanner to ensure that the scanner can find every page, log in and maintain a session, support multi-step login, test every form that is safe to test and no form that is not safe to test, submit valid data, and will not loop and waste time testing identical pages. TRC engineers will examine each potential vulnerability discovered by the scanner to ensure that only actual vulnerabilities will be passed on to you for remediation, and will customize the risk, description, and solution associated with each vulnerability as needed; proofs of concept will be included appropriately. Unless a customer’s Continuous Dynamic Admin has deliberately requested tests that are not considered production safe, only production-safe tests will be run on production sites.
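Two of the configuration concerns listed above, testing only forms that are safe to submit against a production site and not wasting time re-testing effectively identical pages, are easy to model in code. The following is an added example written for this page, not Black Duck's scanner code; the session-parameter list, the destructive-action hint words and the per-shape variant cap are assumptions a real scanner would tune per application.

```python
# Added example, not Black Duck's scanner code: a small model of (1) testing only
# forms that are safe to submit on production and (2) not re-testing pages that
# are effectively identical. Hint words, parameter names and limits are assumed.
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameters that carry session state rather than page identity (assumed list).
SESSION_PARAMS = {"phpsessid", "jsessionid", "sessionid", "sid"}
# Words suggesting a form performs an irreversible business action (assumed list).
UNSAFE_HINTS = ("delete", "remove", "purchase", "checkout", "pay", "transfer", "unsubscribe")
# How many value-variants of one URL shape are worth testing before stopping.
MAX_PER_SHAPE = 3


def canonical_url(url: str) -> str:
    """Normalize a URL so trivially different spellings of one page compare equal:
    lowercase scheme/host, drop the fragment, drop session parameters, sort the rest."""
    p = urlsplit(url)
    query = sorted((k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
                   if k.lower() not in SESSION_PARAMS)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", urlencode(query), ""))


def url_shape(url: str) -> str:
    """Path plus sorted parameter names, ignoring values: /item?id=1 and /item?id=2 share a shape."""
    p = urlsplit(canonical_url(url))
    names = sorted({k for k, _ in parse_qsl(p.query, keep_blank_values=True)})
    return p.path + "?" + ",".join(names)


@dataclass
class CrawlState:
    seen: set = field(default_factory=set)
    per_shape: dict = field(default_factory=dict)

    def should_test(self, url: str) -> bool:
        """True the first time a page is seen and while its shape is under the variant cap."""
        key = canonical_url(url)
        if key in self.seen:
            return False
        shape = url_shape(url)
        if self.per_shape.get(shape, 0) >= MAX_PER_SHAPE:
            return False
        self.seen.add(key)
        self.per_shape[shape] = self.per_shape.get(shape, 0) + 1
        return True


@dataclass
class Form:
    action: str
    method: str
    fields: list
    submit_label: str = ""


def classify_form(form: Form, production: bool, allow_unsafe: bool = False) -> str:
    """Return "test" or "skip". GET forms are read-only by convention; a non-GET form
    whose action, button label or field names hint at an irreversible action is only
    tested on production when the customer has explicitly opted in."""
    text = " ".join([form.action, form.submit_label, *form.fields]).lower()
    destructive = form.method.upper() != "GET" and any(h in text for h in UNSAFE_HINTS)
    if destructive and production and not allow_unsafe:
        return "skip"
    return "test"


def sample_value(field_name: str) -> str:
    """Plausible, valid-looking data so server-side validation lets the request through."""
    name = field_name.lower()
    if "mail" in name:
        return "qa-user@example.com"
    if "phone" in name or "tel" in name:
        return "+15555550100"
    if "zip" in name or "postal" in name:
        return "12345"
    return "test"
```

The variant cap is what keeps a crawler from looping over thousands of `/item?id=N` pages that exercise the same code path, while still sending a few different values so value-dependent behaviour is not missed; the form classifier errs on the side of skipping on production, which matches the "no form that is not safe to test" rule above.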
In addition to the service described above, Black Duck also offers Business Logic testing. Continuous Dynamic PE services include one or more Business Logic Assessments (BLAs) a year; in these assessments, experienced Threat Research Center security engineers focus on finding issues automated scanning is unlikely to find. This can include testing sensitive areas of production applications, looking for authentication and authorization issues, process logic flaws, and difficult-to-identify technical vulnerabilities such as blind cross-site scripting or blind SQL injection, as well as searching for vulnerabilities relating to the specific functionality of the application. To complete these tests, the engineer will reach out to the customer point of contact for any additional information that may be needed.
API Testing Methodology
We also offer dynamic testing for standalone APIs. The difference is that, instead of the scanner crawling a site by parsing its HTML, testing depends on the customer providing documentation for a set of API calls. In our AutoAPI service, those calls become the basis for testing with the Continuous Dynamic engine. The testing is automated, but the results are human-verified. We also offer API Business Logic Assessments (BLAs), in which engineers who understand what the API calls mean test for a wider variety of issues.
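The workflow described in this section, turning customer-supplied API documentation into a production-safe test plan and keeping automated findings apart from human-verified ones, looks roughly like the following. This is an added example written for this page, not Black Duck's AutoAPI code; the specification is a constructed sample in OpenAPI 3 shape and the host `api.example.test` does not exist.

```python
# Added example, not Black Duck's AutoAPI: build a concrete, production-safe test
# plan from a customer-supplied API description in OpenAPI 3 shape, and keep raw
# automated findings apart from those an engineer has verified. SPEC is constructed.
from dataclasses import dataclass, field
from typing import Any, Dict, List

SPEC: Dict[str, Any] = {
    "servers": [{"url": "https://api.example.test/v1"}],
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}]},
            "delete": {"parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}]},
        },
        "/search": {
            "get": {"parameters": [{"name": "q", "in": "query", "schema": {"type": "string"}}]},
        },
        "/orders": {"post": {"requestBody": {"content": {"application/json": {}}}}},
    },
}

# HTTP methods that must not change server state (the RFC 7231 "safe" methods).
SAFE_METHODS = {"get", "head", "options"}


@dataclass
class Request:
    method: str
    url: str
    query: Dict[str, Any] = field(default_factory=dict)


@dataclass
class Finding:
    request: Request
    check: str            # e.g. "reflected input", "verbose error"
    evidence: str         # response fragment the automated check keyed on
    verified_by: str = "" # empty until an engineer confirms the finding is real


def sample_value(schema: Dict[str, Any]) -> Any:
    """Valid-looking value for a documented parameter so the call reaches application logic."""
    return {"integer": 1, "number": 1.0, "boolean": True}.get(schema.get("type"), "test")


def build_requests(spec: Dict[str, Any], production: bool = True,
                   allow_unsafe: bool = False) -> List[Request]:
    """Enumerate documented operations; on production, skip state-changing methods
    unless the customer has explicitly allowed them."""
    base = spec["servers"][0]["url"].rstrip("/")
    plan: List[Request] = []
    for path, operations in spec["paths"].items():
        for method, op in operations.items():
            if production and not allow_unsafe and method.lower() not in SAFE_METHODS:
                continue
            url, query = base + path, {}
            for p in op.get("parameters", []):
                value = sample_value(p.get("schema", {}))
                if p["in"] == "path":
                    url = url.replace("{" + p["name"] + "}", str(value))
                elif p["in"] == "query":
                    query[p["name"]] = value
            plan.append(Request(method.upper(), url, query))
    return plan


def confirm(finding: Finding, engineer: str) -> Finding:
    """Record that a named engineer reproduced and accepted the automated finding."""
    return Finding(finding.request, finding.check, finding.evidence, verified_by=engineer)


def reportable(findings: List[Finding]) -> List[Finding]:
    """Only human-verified findings are passed on to the customer."""
    return [f for f in findings if f.verified_by]
```

Because the plan is derived from the documentation rather than from crawling, any endpoint missing from the customer's API description is simply never exercised, which is why the quality of the supplied documentation bounds the coverage of this kind of test.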
Mobile Premium Methodology
Black Duck can provide a premium assessment of Android or iOS mobile applications by our dedicated team of mobile security experts in the Threat Research Center. For a premium mobile assessment, the customer will need to provide both the source code and the compiled version of the application directly to the Threat Research Center’s mobile team. The mobile team will examine the application and the application code for issues around configuration settings, authentication/authorization, session management, data handling and storage, anti-analysis, jailbreak/root detection, cryptography, server-side controls, and secure coding best practices.