Sentinel Testing Methodology
|If you prefer to read the entire WhiteHat Service Definition section in PDF format, you can view or print here.|
WhiteHat offers vulnerability assessment throughout the software development life cycle; the testing methodology used depends on whether we are examining code or a site already in production.
Sentinel Source (SAST) Methodology
Sentinel Source offers vulnerability assessments for static code, even before it can be compiled. The WhiteHat Sentinel Source Appliance retrieves application code from a repository, and using rule-packs to define the conditions under which a vulnerability should be flagged, the scanning engine identifies vulnerabilities in the code. This requires that the TRC engineers work with the client to establish that the appliance has access to the correct repository, that the code is broken into applications correctly, and that it can be processed by the scanning engine. Once the scanning engine has identified potential vulnerabilities, the code snippets in question (which may include YAML configuration files) are passed to the TRC engineers for confirmation, ensuring that the customer only receives actual vulnerabilities.
Sentinel Dynamic (DAST) Methodology
Sentinel Dynamic offers vulnerability assessments for web applications in production or pre-production. The WhiteHat Sentinel Scanner tests the application based on logical conditions established by the Threat Research Center; it discovers vulnerable behavior rather than being restricted to specific known issues. As new attacks are discovered, the TRC augments this testing to ensure that they are also detected, and those tests are created and updated on a daily basis.
The Threat Research Center will monitor and configure the scanner to ensure that the scanner can find every page, log in and maintain a session, support multi-step login, test every form that is safe to test and no form that is not safe to test, submit valid data, and will not loop and waste time testing identical pages. TRC engineers will examine each potential vulnerability discovered by the scanner to ensure that only actual vulnerabilities will be passed on to you for remediation, and will customize the risk, description, and solution associated with each vulnerability as needed; proofs of concept will be included appropriately. Unless a customer’s Sentinel Admin has deliberately requested tests that are not considered production safe, only production-safe tests will be run on production sites.
In addition to the service described above, WhiteHat also offers Business Logic testing. Sentinel PE services include one or more Business Logic Assessments (BLAs) a year; in these assessments, experienced Threat Research Center security engineers focus on finding issues automated scanning is unlikely to find. This can include testing sensitive areas of production applications, looking for authentication and authorization issues, process logic flaws, and difficult-to-identify technical vulnerabilities such as blind cross-site scripting or blind SQL injection, as well as searching for vulnerabilities relating to the specific functionality of the application. To complete these tests, the engineer will reach out to the customer point of contact for any additional information that may be needed.
Mobile Premium Methodology
Android or iOS mobile applications can be assessed like any other static code using Sentinel Source; in addition, WhiteHat can provide a premium assessment from our dedicated team of mobile security experts in the Threat Research Center. For a premium mobile assessment, the customer will need to provide both the source code and the compiled version of the application directly to the Threat Research Center’s mobile team. The mobile team will examine the application and the application code for issues around the configuration settings, authentication/authorization, session management, data handling and storage, anti-analysis, jailbreak/root detection, cryptography, data handling and storage, server-side controls, and secure coding best practices.