WhiteHat Dynamic

Web application security for modern and traditional web frameworks and applications

Modern organizations deploy a plethora of web applications, ranging from external-facing corporate websites, customer portals, shopping carts, and login pages to internal-facing HR portals. Web applications are an appealing target for hackers, because they can exploit vulnerabilities in these business-critical applications to gain access to back-end corporate databases.

WhiteHat Dynamic

WhiteHat™ Dynamic is a software-as-a-service (SaaS) dynamic application security testing (DAST) solution that allows your business to quickly deploy a scalable web security program. No matter how many websites you have or how often they change, WhiteHat Dynamic can scale to meet any demand. It provides security and development teams with fast, accurate, and continuous vulnerability assessments of applications in QA and production, applying the same techniques hackers use to find weaknesses, so you can remediate them before the bad guys exploit them.

WhiteHat Dynamic is a cloud-based solution that requires no hardware or scanning software to be installed. It provides
• Unlimited, continuous, and concurrent assessments
• Automatic detection and analysis of code changes in web applications
• Open API integration to security information and event management solutions, bug-tracking systems, and web application firewalls

WhiteHat DAST fits into any environment and is highly scalable, with the ability to assess thousands of websites simultaneously. Furthermore, all vulnerabilities are verified by Synopsys security experts, virtually eliminating all false positives.

Powered by artificial intelligence and machine learning

WhiteHat Dynamic brings together machine learning (ML), artificial intelligence (AI), and expert vulnerability analysis to deliver the most accurate dynamic application security testing results, so you can verify the security of your web applications without slowing down developers with false positives.

Years of valuable data gathered by our highly trained security experts are used to develop our proprietary AI/ML models. This approach provides fast, automated results augmented by expert validation, enabling earlier detection of and faster response to cyberattacks.

How WhiteHat Dynamic works

WhiteHat Dynamic combines automated application scanning with the world’s largest security expert team to provide you with verified vulnerabilities and actionable reports.

• Onboarding: Customer provides URLs, logins, and schedule
• Initial scanning: Discovery, fine-tuning, and configuration
• Website assessment: Unlimited assessments, vulnerability detection, and verification
• Reporting: Results displayed in a portal with customizable reports

| synopsys.com | 1
Choose the WhiteHat edition best suited to your needs

WhiteHat PE (Premium Edition)
• For mission-critical permanent websites with multistep forms and rigorous compliance requirements
• Includes all SE features and business logic testing

WhiteHat SE (Standard Edition)
• For permanent websites that are not necessarily mission-critical
• Includes all BE features and tests for issues involving multistep forms and logins

WhiteHat BE (Baseline Edition)
• BE is the foundational solution for basic, less-critical websites
• Includes automated scanning and vulnerability verification, ideal for lower-risk websites

| FEATURE | DESCRIPTION | PE | SE | BE |
|---|---|---|---|---|
| Continuous assessment | Websites are scanned continuously to automatically detect code changes to web applications. | ● | ● | ● |
| Vulnerability verification | All vulnerabilities are manually verified by security experts and augmented by AI, virtually eliminating false positives. | ● | ● | ● |
| On-demand retests | Websites can be retested on demand after detected vulnerabilities are remediated to confirm that they have been fixed. | ● | ● | ● |
| Production safe | Only production-safe payloads are used, ensuring no degradation in performance. | ● | ● | ● |
| Access to WhiteHat security engineers | Unlimited and direct access to security experts via the portal to provide remediation guidance. | ● | ● | ● |
| WhiteHat Security Index (WSI) | A single score provides an instant, visual overview of the robustness of your website security. | ● | ● | ● |
| Testing internal QA/staging environments | Internal preproduction/staging environments can be rigorously tested to catch vulnerabilities before they reach production. | ● | ● | ● |
| Flexible reports, analytics, and peer benchmarking | Enterprise-class reporting and analytics with business-unit-level aggregation of data in flexible formats provides an overview of security trends for all your websites, and benchmarks your score against industry averages. | ● | ● | ● |
| Single-page applications | Single-page applications are scanned in a production-safe and fully automated manner. | ● | ● | |
| Full configuration and form training | Scanners can be configured to safely scan websites with forms and logins. | ● | ● | |
| Authenticated scanning | Automated and authenticated site scanning, including sites that require multifactor authentication. | ● | ● | |
| Business logic assessments | Manual penetration testing of the application layer finds complex business logic vulnerabilities that cannot be discovered by scanners alone. | ● | | |

What Makes WhiteHat Dynamic Unique
Enterprise-class reporting in flexible formats
Understand the performance of your security programs and improve application security posture with powerful built-in reports. Advanced
analytics capabilities monitor trends and key statistics such as remediation rates, time-to-fix, and age of the vulnerabilities. Trending
analysis tracks real-time and historical data to measure your risk exposure over time and provide you with visibility into your most- and
least-secure websites at a glance.

WhiteHat Security Index


The WhiteHat Security Index (WSI) gives you an instant, visual overview of the robustness of your website security, providing one score
that indicates overall application security. Calculated from a comprehensive set of indicator data and based on our extensive experience
with intelligence metrics and our broad base of customers in a variety of industries, this score truly reflects the state of application
security across all your websites. With WSI insights, you can reduce risks, save time, prioritize activities, and improve overall security.

Easy to deploy, concurrent, and scalable


WhiteHat Dynamic is an easy-to-deploy cloud-based dynamic security testing solution that can onboard and test over 10,000 websites
concurrently without slowing you down. It is scalable to fit any environment and matches your pace of development.

Continuous assessment methodology


WhiteHat Dynamic offers true continuous analysis, constantly scanning your website as it evolves. Automatic detection and analysis of
code changes to web applications, alerts for newly discovered vulnerabilities, and the ability to retest a vulnerability without having to test
from the beginning offer an “always on” risk assessment.

Production safe
WhiteHat Dynamic is completely safe for production websites with no performance degradations. Data integrity is assured by using
benign injections in place of live code, and custom tuning of scans permits full coverage without performance impact.

Verified, actionable results with near zero false positives


Every vulnerability is validated by security experts and augmented by AI, virtually eliminating false positives. This enables you to streamline
the remediation process, prioritize vulnerabilities based on severity and threat, and focus on remediation and your overall security posture.

Open API integration


WhiteHat Dynamic can be integrated with popular bug-tracking systems; security information and event management solutions;
governance, risk, and compliance products; and web application firewalls (WAFs).

Unlimited access to web security experts


With WhiteHat Dynamic, you have unlimited access to expert web application security testers and custom remediation guidance. The “Ask
a Question” feature enables you to access security experts at any time, right from the portal.

PCI compliance
WhiteHat Dynamic exceeds the requirements of PCI DSS 3.1 by providing ongoing, verified vulnerability assessments for both internal
and public websites. WhiteHat PE includes business logic assessments and penetration testing as required by PCI DSS. Integrations with
WAFs support the creation of virtual patches to fix vulnerabilities while providing the reports needed for auditor inspections.

Fully automated single page application scanning


WhiteHat Dynamic™ provides fully automated scanning and testing of single-page applications as well as traditional applications. It loads your web application into a browser and interacts with it the same way a user would. Production-safe assessments find vulnerabilities that other traditional scanning tools miss.

WhiteHat Dynamic | Detectable Vulnerabilities

Technical Vulnerabilities

WASC Threat Classification 2.0
• Application Misconfiguration
• Directory Indexing
• HTTP Response Smuggling
• Improper Input Handling
• Insufficient Transport Layer Protection
• OS Commanding
• Remote File Inclusion
• SQL Injection
• XML External Entities
• XQuery Injection
• Content Spoofing
• Fingerprinting
• Server Misconfiguration
• URL Redirector Abuse
• XPath Injection
• HTTP Response Splitting
• Improper Output Handling
• Mail Command Injection
• Path Traversal
• Routing Detour
• SSI Injection
• Injection
• Cross-Site Scripting
• Format String Attack
• Improper File System Permissions
• Information Leakage
• Null Byte Injection
• Predictable Resource Location

OWASP Top 10
• A1 - Injection
• A2 - Broken Authentication and Session Management
• A3 - Sensitive Data Exposure
• A4 - XML External Entities (XXE)
• A5 - Broken Access Control
• A6 - Security Misconfiguration
• A7 - Cross-Site Scripting (XSS)
• A8 - Insecure Deserialization
• A9 - Using Components with Known Vulnerabilities (Out of Scope)
• A10 - Insufficient Logging & Monitoring (Out of Scope)

Note: A compatible list per product line is available upon request.

The Synopsys difference


Synopsys provides integrated solutions that transform the way you build and deliver software, accelerating innovation while addressing
business risk. With Synopsys, your developers can secure code as fast as they write it. Your development and DevSecOps teams can
automate testing within development pipelines without compromising velocity. And your security teams can proactively manage risk and
focus remediation efforts on what matters most to your organization. Our unmatched expertise helps you plan and execute any security
initiative. Only Synopsys offers everything you need to build trust in your software.

For more information about the Synopsys Software Integrity Group, visit us online at www.synopsys.com/software.

Synopsys, Inc., 690 E Middlefield Road, Mountain View, CA 94043 USA
U.S. Sales: 800.873.8193
International Sales: +1 415.321.5237
Email: [email protected]

©2022 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at www.synopsys.com/copyright.html. All other names mentioned herein are trademarks or registered trademarks of their respective owners. October 2022
