Time: 1 hour 13 minutes
Difficulty: Beginner
CEU/CPE: 3

Video Description

This tutorial takes you through the WhiteHat Sentinel control panel for developers.

Video Transcription

00:00
Welcome to WhiteHat Security's Sentinel training for developers.
00:04
In this tutorial, we will cover the following sections of the Sentinel interface:
00:10
Summary,
00:12
Assets,
00:14
Findings,
00:15
Schedule,
00:17
Reports,
00:19
and Profile.
00:28
Under the Summary tab, in the Updates section, we show you any recent or upcoming changes to the Sentinel interface or service,
00:36
including dates and links to related articles.
00:40
Be sure to check here occasionally
00:42
and in the System Maintenance section.
00:44
Here is where we will communicate any scheduled or emergency maintenance announcements, including start times and expected duration.
00:52
Please note: in the event of an emergency maintenance bulletin,
00:55
this section will become the default landing page when logging into Sentinel
01:00
to make sure you don't miss it.
01:07
The Assets section shows you the sites and applications under contract for Sentinel service.
01:14
Sites are those applications using our DAST, or dynamic application security testing, solutions,
01:21
while apps are those applications using our SAST, or static application security testing, solutions.
01:27
Let's focus on sites first.
01:30
On the Sites tab, you'll see a list of sites by site name.
01:34
For each site, you will see the service level.
01:37
This could be our Baseline, Standard,
01:40
Premium or Pre-launch editions.
01:44
The next column will display the number of open vulnerabilities for that site.
01:49
The scan schedule and Time zone columns will show the schedule and time zone for each site.
01:53
Vuln Data provides a quick link to the vulnerability detail report for that site,
02:00
and lastly,
02:00
status provides an icon based summary on the overall health of your scans.
02:06
Using a stoplight analogy,
02:07
a status with a green icon
02:09
indicates everything is good to go,
02:13
and the site is either being scanned or is paused as dictated by the schedule.
02:17
A yellow icon indicates configuration is being done on the WhiteHat side,
02:23
and scanning will resume once the configuration is complete.
02:27
A red icon indicates we are missing something to scan your site,
02:30
that being either a scan schedule
02:32
or valid credentials.
02:36
You can also click on the Legend status icons
02:38
for more information on the individual icons and their meanings.
02:43
You also have the option to export this page to a CSV file by using the Export CSV File link,
02:50
allowing you to view this information in Excel
02:53
or another program of your choice.
02:57
Now let's take a look at the Apps tab,
03:00
similar to the Sites tab.
03:00
This section will list all your Sentinel Source applications currently under service.
03:07
Under Application Name,
03:08
you will see both the name and language of your application.
03:13
Total findings will provide the count of open vulnerabilities for your application.
03:19
Vuln Data provides a quick link to the vulnerability report for the application,
03:23
and lastly, the Compliance section will show if the application is currently in PCI compliance or not.
03:30
This is a bit too complicated to discuss within the scope of this training module, so it will be explained in more detail at a later time.
03:38
And as before, you can filter your results.
03:45
Under the Groups tab,
03:46
you will see a list of all groups you've created.
03:49
Groups are a good way to easily assign access to team members for just the sites and apps they need to see.
03:55
As you can see in this example,
03:58
we have a group for our production sites and one for our pre production sites.
04:01
When I create a new user that's part of my production team,
04:04
I can just add him or her to the group,
04:08
and they will then have access to all sites and APS in that group.
04:11
It definitely beats having to add a site or app to a user on a one-by-one basis.
04:21
In our previous tutorial, we covered the basics of the assets tab.
04:26
Now we're going to drill down a little deeper into what you can access per site or per app.
04:32
First, let's click on one of our sites here.
04:35
We now see we have some additional functions we can access as well as additional information.
04:43
In the Overview section, we summarize various information about your site, including site name,
04:48
service level and more.
04:50
In this section, I want to draw your attention to the Link Information Area.
04:56
As we crawl your site,
04:57
we will find more and more pages.
05:00
We provide you a list of the pages tested in the current scan,
05:03
as well as the last completed scan.
05:05
These will be links you can click on to see the list.
05:11
We also show you the primary host name and any associated host names for your site,
05:15
and on the far right,
05:17
we show you the priority set for your site as well as the global and industry ranks.
05:23
These ranks give you an idea of how your site compares
05:27
to other sites scanned by WhiteHat Security.
05:30
Site Findings will take you to the findings information for just this site.
05:36
Now let's go back to the Apps tab
05:40
and drill down on one of our applications.
05:43
Here, you will find some information regarding your application,
05:46
such as application name,
05:48
language,
05:49
scan schedule
05:50
and so forth.
05:53
As with the Site section, you can click on App Findings to see the vulnerabilities for this specific application.
06:05
Findings is the section where you will find all the information for vulnerabilities found in your sites and applications.
06:13
As with other sections, the information is divided by sites,
06:17
apps and groups.
06:18
So let's take a look at the wealth of information available to you.
06:24
When looking at the list of vulnerabilities, we see the following for each vulnerability found.
06:30
Each vulnerability is given a unique vulnerability ID.
06:33
Vuln Status will show if a vulnerability is open or closed.
06:39
The score is a combined score of the severity, threat and site priority,
06:45
and we see the severity of the vulnerability in the next column.
06:48
The severity is measured on a scale of 1 to 5 and is a measurement of the amount of damage we believe could be done should the vulnerability be exploited.
06:59
We'll discuss threat when we drill down further into a specific vulnerability.
07:02
Under Retest Vuln,
07:04
the icon under Type indicates whether the vulnerability was found by Sentinel's automated assessment,
07:12
illustrated by a computer icon,
07:14
or found during the business logic assessment,
07:16
illustrated by a green check mark.
07:19
The status shows if a retest is available,
07:23
unavailable or pending.
07:26
If an automatic retest is unavailable,
07:28
this is usually caused by Sentinel not being able to access the site.
07:32
We also show the last date tested, date opened
07:36
and date closed for the vulnerability.
07:40
Next, we show the class of vulnerability based on the WASC classifications.
07:46
You then have the site on which the vulnerability appears,
07:48
the service level of that site, and tags, a note you can specify for each vulnerability.
07:56
If you wish to have a vulnerability retested,
07:59
simply click the checkbox on the far left for all vulnerabilities to be retested.
08:05
Then click the retest vulnerability button to start the retests.
08:09
For automatic retests, they should complete within 15 to 30 minutes;
08:13
for manually retested vulnerabilities, these generally are completed within one business day.
08:18
Now let's drill down a little deeper into a specific vulnerability.
08:24
First, from this page, if you click the black arrow icon, this will display the open attack vectors found for that vulnerability.
08:33
The attack vector shows where on the page
08:35
the vulnerability can be found.
08:37
Therefore, you can have multiple attack vectors per vulnerability per page on your site.
08:45
As with the vulnerabilities, each attack vector is given a unique ID.
08:50
You can also click on the vulnerability ID to go to the Vulnerability Detail page.
08:56
This page gives you the basic information on the vulnerability, providing its class,
09:01
ID,
09:03
location,
09:03
date opened,
09:05
how many days the vulnerability has remained open,
09:07
and the vuln status.
09:09
On the right side, we have some information on the retestability of the vulnerability, as well as the score information
09:16
stated previously.
09:18
The score is the sum of the severity, threat and site priority.
09:22
The threat of a vulnerability is also rated on a scale of 1 to 5, and it measures the ease with which a vulnerability can be exploited.
09:31
If the threat is high, for example five, this means the vulnerability is very easy to exploit and can be done with very little knowledge or expertise.
09:41
A threat of one, however, is very difficult to exploit and often requires expertise or intimate knowledge of your company.
09:50
Here we see the open attack vector information.
09:52
This particular vulnerability has
09:54
one open attack vector.
09:56
We show the method,
09:58
date found,
09:58
last retest, and you can also provide any notes per attack vector.
10:03
You can also drill down per attack vector for even more detail,
10:07
such as the scanner request, scanner response,
10:11
attack vector description and attack vector notes.
10:15
And if you have closed any attack vectors, you will find those here.
10:20
The Details and Solution section will give you some information on the vulnerability,
10:24
including references,
10:26
some information on remediating the vulnerability,
10:30
and, if available, a proof of concept,
10:31
where our TRC will provide you the necessary information to demonstrate and reproduce the vulnerability.
10:39
Finally, we have the Ask a Question tab.
10:43
This allows you to ask a question about this specific vulnerability
10:46
and have a dialogue with the TRC engineer who worked on this vulnerability.
10:52
All dialogue is then logged here.
10:54
You can use this form to ask for additional information
10:58
or additional help on a vulnerability.
11:05
The Schedules tab provides a summary of the scan schedules and status for all your sites and apps under service.
11:11
For sites,
11:13
you can view the sites listed by name
11:16
and the respective scan schedule and time zones.
11:18
As with the Assets page, we also show you the scan status.
11:24
The same is true for the Apps section.
11:26
You can view the sites listed by name
11:28
and the respective schedule,
11:31
time zone and status.
11:39
WhiteHat Sentinel provides various reports, so let's take a look at the Reports section
11:45
and the reports available to you.
11:48
From the Report Type dropdown, you have eight different reports from which you can choose.
11:54
The Executive Summary and Site Summary reports are designed for executive staff
11:58
and provide a high-level overview of your sites,
12:01
including colorful charts and graphs.
12:05
The Vulnerability Detail and Attack Vector Detail reports are designed for developers, providing detailed information on the vulnerabilities,
12:13
helping your developers remediate
12:15
open vulnerabilities.
12:16
The PCI and Site Security Statement reports are designed more for auditors.
12:22
The PCI report provides some guidance with Payment Card Industry standards
12:26
and which open vulnerabilities would put you in jeopardy of failing compliance.
12:31
The Site Security Statement report provides information on how you are addressing security for your sites and what WhiteHat is doing to help with that.
12:41
The Long Running Scans and Completed Scans reports provide information useful to Sentinel administrators to help understand what is happening with the sites regarding automated assessments.
12:52
For each of the reports, you will be able to select the sites wanted and then other options specific to the report type.
13:01
For the Vulnerability and Attack Vector reports,
13:03
you'll be able to narrow the report by vulnerability status,
13:07
vulnerability classes and so forth.
13:09
Once you have your options selected, just click Generate Report to get the PDF or CSV file.
13:18
The Beta reports currently offer seven new beta reports that use a new generation of reporting we are developing
13:24
and are in the beta stage right now.
13:33
From the My Profile page,
13:35
you can control your profile information
13:37
as well as do some other account maintenance.
13:41
By clicking on Edit,
13:41
you can update your personal information such as name,
13:45
job title, et cetera.
13:48
Here is where you can also specify your email options,
13:50
and whether you wish to expose host names.
13:54
When you've updated your information, just click on Save Changes.
13:58
You can also change your password.
14:00
You will need to enter your current password,
14:03
new password,
14:03
and confirm your new password before clicking Save Changes.
14:09
From this page, you can also add a PGP key, if your mail server is able to do so, in order to receive secure emails from Sentinel.
14:18
If you have any questions, please don't hesitate to contact us.
14:22
You can reach support by going to https://support.whitehatsec.com and logging in to our Customer Success portal.
14:33
You can also send us an email at support@whitehatsec.com or call us at 408-343-8340
14:41
during our normal business hours, Monday through Friday, 6 a.m. to 7 p.m. Pacific time.
14:50
Thank you for watching.