As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus ThreadFix SaaS and migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.
WhiteHat Sentinel Remote Provider (ThreadFix 3.X)
You will learn
How to create a scan and determine vulnerability status in WhiteHat.
Prerequisites
Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 15 minutes
Tools required: N/A
For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API
Introduction
WhiteHat doesn't manage application scanning in a typical way. There is no concept of a scan file to indicate an atomic scan action with a start and an end, so ThreadFix must artificially create that concept. Additionally, vulnerabilities can evolve over time within WhiteHat with multiple attack vectors being identified. Each attack vector will have its own properties around found and tested dates and will have its own state which could be distinct from the parent vulnerability state. ThreadFix manages all this data in a very specific way as described below.
Application Fetch
The following WH endpoint is used to fetch applications:
More information can be found at the WhiteHat Security Developer Portal
Scan Fetch
WhiteHat does not provide an endpoint to fetch 'scans'. Instead, it provides an endpoint that is used to fetch all vulnerabilities. ThreadFix uses the following endpoint and parameters to return vulnerabilities for a specific application. For EU region, substitute https://sentinel.whitehatsec.com for https://sentinel.whitehatsec.eu.
Fetch last completed scan based on Site ID
https://sentinel.whitehatsec.com/api/site/{site_id}?display_links_last_completed_scan=1&key={apiKey}
Fetch all vulnerabilities based on Site ID
https://sentinel.whitehatsec.com/api/vuln?key={apiKey}&display_description=1&display_solution=1&display_attack_vectors=1&display_risk=1&display_impact=1&display_likelihood=1&display_custom_risk=1&query_site={site_id}&page:order_by=modified_desc
Vulnerability Parsing
Much like other XML parsers when hitting the 'vulnerability' tag ThreadFix pulls the following data:
Native Id
Vulnerability code
Severity code
URL reference
When the parser hits 'attack vectors', each one is parsed for the following pieces of information:
Tested date
Attack vector state
Found date
These are used to create a DateStatus object, which is used to determine the scan to which each finding belongs.
The scanDateList List is used to create "scans" later.
Initial Scan Creation
The first time results are imported for an application in WhiteHat into an application in ThreadFix, scan objects will be created on behalf of WhiteHat in one of two different ways depending on how the Remote Provider connection has been configured.
To ensure that the bulk import does not abort prematurely, a remote provider integration should be setting the latest import status to `NO_SCANS` when an application is found to have no scans.
All Vulnerabilities
If the user selected the "All Vulnerabilities" option when configuring their remote provider, then ThreadFix will create as many artificial "scan" objects as required to encapsulate all historic data for both open and closed vulnerabilities in WhiteHat. The way scans are defined when pulling old data from WhiteHat is based on a grouping performed around the WhiteHat vulnerabilities and their attack vectors' found and tested dates. Put simply, ThreadFix bundles WhiteHat vulnerabilities into scans with a scan date based on when an attack vector was found and last tested grouped into calendar days.
Open Vulnerabilities
If instead of "All Vulnerabilities", "Open Vulnerabilities" was selected when configuring the remote provider, ThreadFix will pull in only the open vulnerabilities in WhiteHat, and they'll be bundled into a single initial scan object. ThreadFix will not pull in any data related to closed vulnerabilities in WhiteHat. All subsequent imports will create new scan objects using the method described above for all vulnerability updates after the most recent import.
When there is no scan data to import, a “No scans were found” message will display as the Last Import Attempt Status.
Determining WhiteHat Vulnerability Status
Because of the unique nature of the WhiteHat findings, some logic needed to be employed to map their concept of Vulnerabilities and Attack Vectors to the ThreadFix concept of Findings, taking into account the different States each Attack Vector could have as well as the different Found Dates and Tested Dates. The following table describes how ThreadFix determines if a WhiteHat Vulnerability is Open, Closed, or a False Positive. It shows a hypothetical WhiteHat Vulnerability with 3 Attack Vectors within it. The statuses of the Vulnerability and the Attack Vectors are listed, with the resultant ThreadFix Finding status listed in the bottom row.
Status | ||||
---|---|---|---|---|
WH Vulnerability | Open | Closed | Open | False Positive |
WH Attack Vector 1 | Open | Any Value | NOT Open | Any Value |
WH Attack Vector 2 | Any Value | Any Value | NOT Open | Any Value |
WH Attack Vector 3 | Any Value | Any Value | NOT Open | Any Value |
ThreadFix Finding | Open | Closed | False Positive | False Positive |
Verified Findings
Findings that have been marked as "Verified" in WhiteHat Sentinel will be provided a status of "Scanner Exploitable" in ThreadFix, as highlighted below.
Table of Contents
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.