Continuous Dynamic Testing Methodology

If you prefer to read the entire Continuous Dynamic Service Definition section in PDF format, you can view or print here.

Black Duck offers vulnerability assessment throughout the software development life cycle; the testing methodology used depends on whether we are examining source code or a site that is already in production.

Sentinel Source (SAST) Methodology

Sentinel Source offers vulnerability assessments for source code, even before it can be compiled. The Sentinel Appliance retrieves application code from a repository and, using rule-packs that define the conditions under which a finding should be flagged, the scanning engine identifies potential vulnerabilities in the code. This requires that Threat Research Center (TRC) engineers work with the client to establish that the appliance has access to the correct repository, that the code is divided into applications correctly, and that it can be processed by the scanning engine. Once the scanning engine has identified potential vulnerabilities, the code snippets in question (which may include YAML configuration files) are passed to the TRC engineers for confirmation, so that the customer receives only confirmed vulnerabilities rather than raw scanner output.

Continuous Dynamic (DAST) Methodology

Continuous Dynamic offers vulnerability assessments for web applications in production or pre-production. The Continuous Dynamic scanner tests the application against logical conditions established by the Threat Research Center; it detects vulnerable behavior rather than being restricted to a list of specific known issues. As new attack techniques are discovered, the TRC extends the testing so that they are detected as well; these tests are created and updated daily.

The Threat Research Center monitors and configures the scanner to ensure that it can find every page, log in and maintain a session, support multi-step login, test every form that is safe to test and no form that is not, submit valid data, and avoid looping over identical pages and wasting test time. TRC engineers examine each potential vulnerability the scanner reports so that only confirmed vulnerabilities are passed on to you for remediation, and they customize the risk rating, description, and remediation guidance for each vulnerability as needed; proofs of concept are included where appropriate. Only production-safe tests are run against production sites unless a customer’s Sentinel Admin has deliberately requested tests that are not considered production safe.

In addition to the service described above, Black Duck also offers Business Logic testing. Continuous Dynamic PE services include one or more Business Logic Assessments (BLAs) per year; in these assessments, experienced Threat Research Center security engineers focus on finding issues that automated scanning is unlikely to find. This can include testing sensitive areas of production applications, looking for authentication and authorization issues and process logic flaws, hunting for difficult-to-identify technical vulnerabilities such as blind cross-site scripting or blind SQL injection, and searching for vulnerabilities specific to the application’s own functionality. To complete these tests, the engineer will contact the customer point of contact for any additional information that may be needed.

API Testing Methodology

We also offer dynamic testing for standalone APIs. The difference is that, instead of the scanner discovering the attack surface by crawling a site and parsing its HTML, testing depends on the customer providing documentation for a set of API calls. In our AutoAPI service, those documented calls become the basis for testing with the Continuous Dynamic engine; the testing is automated, but the results are human-verified. We also offer API Business Logic Assessments (BLAs), in which a wider range of issues is tested for by engineers who understand what the API calls mean and how they are intended to be used together.

Mobile Premium Methodology

Android or iOS mobile applications can be assessed like any other source code using Sentinel Source; in addition, Black Duck can provide a premium assessment from our dedicated team of mobile security experts in the Threat Research Center. For a premium mobile assessment, the customer will need to provide both the source code and the compiled version of the application directly to the Threat Research Center’s mobile team. The mobile team examines the application and its code for issues in configuration settings, authentication/authorization, session management, data handling and storage, anti-analysis measures, jailbreak/root detection, cryptography, server-side controls, and secure coding best practices.