Selection Guidelines – which service is right for you?
Website risk management is not a one-size-fits-all issue. WhiteHat’s goal is to ensure that businesses have options available that suit their specific needs and budgets based on their unique risk exposure. Our family of services addresses the diverse and ever-changing website security needs of the enterprise and allows customers to choose their service level based upon their risk profile.
WhiteHat Sentinel is currently available in three service levels: the Baseline Edition (BE), the Standard Edition (SE) and the Premium Edition (PE), each for an annual subscription fee. Below is an easy-to-use chart which highlights the common and unique features and benefits of Sentinel BE, SE, and PE. All WhiteHat Sentinel service levels deliver high-quality, accurate, and verified results, and include the WhiteHat Sentinel API, which enables integration with existing bug-tracking systems, security information and event management (SIEM) systems and Web application firewalls (WAF). This information sharing results in improved development practices, more accurate risk assessment, and more effective mitigation strategies. Only WhiteHat Sentinel provides assessment results that are reliable enough to be shared directly with other applications and to provide a solid foundation for an effective website risk management program.
WhiteHat Sentinel Selection Guidelines

| Type of Service | Sentinel BE | Sentinel SE | Sentinel PE |
|---|---|---|---|
| Website Type(s) | Website is seasonal or temporary in nature, due to a company’s time-sensitive marketing campaign; has limited or relatively shallow use of forms; has limited or no customer or user log-ins | Website is a permanent fixture in a customer’s online experience, but is not necessarily mission-critical; has multi-step form-based processes | Website is a permanent, mission-critical website on which the company relies to serve its customers or business partners; has multi-step form-based processes; has rigorous compliance requirements; requires testing for both technical and business logic vulnerabilities |
| Price Sensitivity | When cost is the main deciding factor, vs. decreasing headcount | When cost is less of a factor | When cost is less of a factor |
| Management | User handles the actual management of the service. Requires user expertise and time allocation to manage: configuration of scans; time/frequency of scans; user credentials; form configuration | WhiteHat handles the initiation, configuration and tuning of the service, including: managing unusual, non-standard URL structures; scheduling of scan windows and frequency; handling multi-step or multi-variable logins | WhiteHat handles the initiation, configuration and tuning of the service, including: managing unusual, non-standard URL structures; scheduling of scan windows and frequency; handling multi-step or multi-variable logins |
| Competitive Set | Scanning tool that searches for technical vulnerabilities; requires clean, verified results | Scanning tool that provides verified results without overhead | Consultants or internal headcount of website security experts |
| Threat Type | Random opportunist: non-targeted attacks (script kiddies, worms) | Directed opportunist: scans far and wide looking for easy opportunities to exploit | Fully targeted: focuses on specific websites and attacks repeatedly and systematically |

Unique Features

| Feature | Sentinel BE | Sentinel SE | Sentinel PE |
|---|---|---|---|
| Business Logic Testing | No | No | Yes |
| Proof of Concept Vulnerability Examples | No | No | Yes |
| WASC 24 | | | |
| Configuration | Customer | WhiteHat configures | WhiteHat configures |

Common Features (available at all service levels)

| Feature | Description |
|---|---|
| Accounts | Unlimited |
| Accurate | Virtually eliminates false positives, giving verified, actionable results. |
| Asset Discovery | Automatically create and maintain a directory of all organizational websites using WhiteHat Discovery. |
| Communication / Integration | WhiteHat Sentinel’s API and the accuracy of its data enable integration with existing bug-tracking (e.g. JIRA) and security information and event management (SIEM) (e.g. Archer Technology) systems. |
| PCI App Testing | All levels meet requirements. |
| Production Websites | Geared for production environments. No performance impact. |
| Prioritization of Risk | All service levels |
| Protect via WAF Integration | Integrates with leading WAF vendors (e.g. F5 Networks, Breach). |
| Scalable | SaaS-based architecture; scales to meet the needs of the largest enterprise-class environments. |
| Simplified Management | Data is accessible 24/7 to all relevant constituencies from a centralized Web-based portal. |
| Turnkey | Easy to set up and use. Flexible user-controlled configuration and management. |
| Unlimited Assessments | All service levels |
| Vulnerability Verification | All service levels |
| Web-based Reporting | All service levels |
| WhiteHat Education Services | All service levels |
| WhiteHat Website Security Certification Program | All service levels |

Support

| | Sentinel BE | Sentinel SE | Sentinel PE |
|---|---|---|---|
| Support | Email | Email | Email + Phone |
| Support hours | 8:00 AM to 5:00 PM PT, Monday to Friday | 8:00 AM to 5:00 PM PT, Monday to Friday | 8:00 AM to 5:00 PM PT, Monday to Friday |
