WhiteHat Security Complete Website Vulnerability Management
WhiteHat Sentinel runs assessments for the 24 Web Application Security Consortium (WASC) vulnerability classes such as Cross-Site Scripting, Directory Traversal, and SQL Injection. You can find explanations about these vulnerability classes in the Sentinel Glossary, located under the Resources tab.
The methods used by attackers to exploit vulnerabilities are constantly evolving; thus, part of the WhiteHat Sentinel Service includes ongoing refinement of testing patterns to ensure that Web applications are tested against the latest attack variations.
What is the difference between Threat and Severity?
Threat and Severity levels are standard ranking systems developed by the Payment Card Industry (PCI) Security Standards Council. Specifically, the severity level for a vulnerability measures the potential business impact if exploited, and the threat level indicates how easily it can be exploited.
How do I use the Web API?
The Sentinel Web API allows you to retrieve your own vulnerability, site, and schedule information in XML format from WhiteHat. This data may then be integrated into your developer defect tracking systems or security information management systems (SIMS). You can access the Web API instructions by logging on to Sentinel, clicking on the Resources tab, and selecting the API Reference link.
What are the hours of operation for Customer Support & Response Times?
Service Request Response Time (cases submitted/logged via the customer support portal during business hours: M-F, 6:00 AM – 7:00 PM PT):
Standard Support – Next business day
Silver Support – 8 business hours
Gold Support – 1 hour – Critical (24×7), 4 hours – Serious
What is the difference between the executive summary and the full report?
The difference between the two reports is most apparent when comparing reports that include all sites. Both reports contain a graphical overview and vulnerability overview of vulnerabilities across all sites at once, as well as the WASC vulnerability classifications and a Web security glossary.
The full report also includes per-site chapters with statistical graphs and vulnerability details for each site. This information is useful for developers to understand and fix the vulnerabilities in their custom code.
I ran a scan last night, but I have no vulnerabilities in my Findings page. Does that mean there are no vulnerabilities in my website?
Almost all Web applications have at least low-level vulnerabilities, so the complete lack of any findings on your interface after a scan has been completed usually means the vulnerabilities are being verified by human eyes. To prevent false positives, vulnerabilities only appear in your Findings page after they have been verified. The WhiteHat Operations team verifies vulnerabilities during normal business hours in Pacific Standard Time.
How can I make the scans go faster or slower?
Scan speeds can be increased by clicking on a site on the Sentinel interface, clicking the Settings submenu, and increasing the number of HTTP requests sent by the Sentinel scanner per second. By default, all scans are set at a medium speed, which is no more than four requests per second, single threaded. The Sentinel scanner's requests match the response times of the target website, so if your site contains pages that load slowly, this will affect the frequency of requests the scanner can make, which lengthens the overall scan time.
I just scheduled a scan to run until completion. How long is this scan going to take?
WhiteHat Sentinel scans run “low and slow”, meaning that scans are specifically designed to have no discernible effect on your website’s performance. The length of time it takes for a scheduled vulnerability assessment to complete depends on various factors, such as the number of pages to assess, the load time of each individual page, and the speed (number of requests per second) indicated in the site’s settings in Sentinel. Keep in mind that your first findings will not appear in your interface until after they have each been verified by a member of the Operations team.