WhiteHat Security today is debuting version 3.0 of its WhiteHat Sentinel, a continuous vulnerability assessment and management service for Web applications. New features in the service include a one-click vulnerability retest and the Inspector technology for building a knowledge base of defect patterns.
WhiteHat Sentinel combines both automated scanning technology and human assessment and review, and it is designed to be available to customers any time their Web site changes.
"We don't pretend to find more than a consultant would find in an in-depth, one-time fashion. We do what they do every week, in a cost-effective fashion," said Stephanie Fohn, CEO of WhiteHat Security Inc. in Santa Clara, Calif. "When we entered the market [in 2003] there were two choices: Hire a consultant, which companies typically did once a year, and spend a lot of money and find your vulnerabilities at one point in time. Then the Web site changes and that information becomes irrelevant. The other choice was to buy a [vulnerability] scanning tool, but you only find about half of the WASC [Web Application Security Consortium] vulnerabilities. A tool can help, but it's not comprehensive."
Fohn said WhiteHat provides the ability to do an assessment every time a Web site changes, but the product was designed as an outsourced service so it would be easy to manage. Customers decide how often they scan; a typical customer scans once a week in addition to ad hoc scanning when a Web application changes, according to WhiteHat. In addition, WhiteHat professionals review the findings and include in their reports to customers only vulnerabilities that are valid.
"We verify all results so customers are not sifting through a 1,500-page report," said Bill Pennington, vice president of services.
"It's very efficient for customers to get up and running," Fohn said. "It's all about giving them the right information to repair vulnerabilities quickly."
In version 3.0, Pennington said, the one-click vulnerability retest feature will let customers retest fixed code in real time.
"The scan identifies certain vulnerabilities. We alert you, and you log in and get details," Pennington said. "The developer fixes the problem, and you can go and see if WhiteHat believes it's solved. You can click the button and our scanner will test that single vulnerability to see if it still exists. If the vulnerability is fixed, we will close it out. No other scanner offers that."
With the patent-pending Inspector feature, the vulnerability scanner can now identify defect patterns, which alert WhiteHat's operations team to do further testing. Once a new vulnerability is identified, it is automatically scanned for from then on, making it a repeatable process that can benefit all customers, Pennington said.
Other new features in WhiteHat Sentinel 3.0 include integration with bug tracking systems through a Web services API; "Ask a Question," which allows users to send questions via a Web interface and receive answers specific to that company; customized threat levels for enhanced remediation prioritization; and simplified Payment Card Industry (PCI) reporting, which uses the PCI scale to identify the level of severity.
WhiteHat Sentinel has a tiered pricing structure based on the number of applications. List price for one application is $24,000 per year.