General information about security portal
Introduction
Hey there! Welcome to Whitespots Security Training. In this course, you will learn how easy it is to implement DevSecOps practices into your development lifecycle. Our platform is designed to discover vulnerabilities and immediately notify your developers about verified and unique findings detected by any of your favorite scanners.
You can configure rules, schedule automated scans, automatically validate and deduplicate vulnerabilities, and even use your own custom scanners. The portal also supports integrations with Jira, Slack, GitHub, GitLab, and other software. The vulnerability management capabilities provided by Whitespots are almost limitless. We will teach you how to use all of these features in this course.
In the first part of the course, we will start getting familiar with the portal and go through its installation and initial configuration. After each lesson, you’ll have a short quiz to help you check your understanding of the material covered.
Dashboard
Let’s start with the dashboard. Here, you’ll see summary information for all products. This information is divided between the following sections:
- Current Weighted Risk Trend: shows the WRT metric, a numerical measure of the current security state.
- Severity Statistics: an overall statistic of findings, showing how many are critical and how many are not.
- Trend History: a graph showing the risk trend across all products.
- Key Performance Indicators: statistics on unverified, verified, and resolved findings, along with a graphical display of risk appetite.
- Mean Time of Status Change: a graph showing how much time was required to resolve issues from the moment they were created.
- Findings Count: shows how many vulnerabilities were rejected automatically and how many manually.
Metrics can be customized. Simply click on the gear icon located above the corresponding block to configure metrics and get information in the section you need.
Creating a Product
A product is the logical entity to which everything else is linked: assets, findings, risks, options, and so on.
Let’s create a test product. To do this, select the Product tab in the menu. Inside the tab, you will see information about current products. To create a new product, click the "+ product" icon on the right side of the screen.
For testing purposes, we will create a product with default settings. Its name doesn’t matter, in our tutorial we’ll call it Unsorted.
Now the empty product Unsorted appears in the list.
Click on it to see the details. In the Options tab, mark it as default, so new assets that haven’t been assigned to any product yet will go to this product.
First Scanning
To start the scanning process, you need to add some code and commit the changes to the repository. The scan is triggered automatically right after the commit and usually takes about 20 to 30 seconds to complete. The sample code contains a hardcoded key, which is covered by a validation rule; you can edit the rule if you are not satisfied with its decision. Meanwhile, the vulnerabilities are sent to the Security Portal, where you can view them in the newly created product.
Go to the Findings section, subsection Verified. Here you can find detailed information about them: tags, git branch, file path, and description.
Now, in the Auto Validator section, open the rule and see why this issue was marked as verified. If a vulnerability carries specific markers that match a rule's pattern, it is automatically classified as either a false positive or confirmed.
Now we can check in the Asset tab that a new asset was created. Its name is Vulnerable-Python-App.
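The validation step above is easiest to understand with a small model of what an auto-validation rule does: match fields of a finding against patterns and assign a verdict, while collapsing duplicate findings that differ only by branch. The block below is an added illustration written for this lesson, not Whitespots code; the rule format, the finding fields, and the sample findings are all constructed assumptions and do not reflect the portal's real rule syntax or data model.

```python
import re
from dataclasses import dataclass

# Constructed sample findings, loosely mirroring what a scanner reports
# (title, file path, branch, description, tags). Hypothetical data only.
SAMPLE_FINDINGS = [
    {"id": 1, "title": "Hardcoded API key", "file_path": "app/config.py",
     "branch": "main", "tags": ["secrets"],
     "description": "Possible hardcoded secret: API_KEY = 'sk_live_...'"},
    {"id": 2, "title": "Hardcoded API key", "file_path": "tests/test_config.py",
     "branch": "main", "tags": ["secrets"],
     "description": "Possible hardcoded secret: API_KEY = 'dummy'"},
    {"id": 3, "title": "SQL injection", "file_path": "app/db.py",
     "branch": "feature/x", "tags": ["sqli"],
     "description": 'String-formatted query: cursor.execute(f"SELECT ...")'},
    # Same title and path as finding 1, reported again from another branch.
    {"id": 4, "title": "Hardcoded API key", "file_path": "app/config.py",
     "branch": "feature/x", "tags": ["secrets"],
     "description": "Possible hardcoded secret: API_KEY = 'sk_live_...'"},
]


@dataclass
class Rule:
    """Hypothetical validation rule: every field pattern must match."""
    name: str
    verdict: str          # "verified" or "false_positive"
    field_patterns: dict  # finding field -> regex that must be found in it

    def matches(self, finding):
        return all(re.search(pattern, str(finding.get(field, "")))
                   for field, pattern in self.field_patterns.items())


# Hypothetical rule set. False-positive rules come first so that a secret
# in test code is rejected before any "confirmed" rule can claim it.
RULES = [
    Rule("secrets-in-test-code", "false_positive", {"file_path": r"(^|/)tests?/"}),
    Rule("live-looking-api-key", "verified", {"description": r"sk_live_"}),
    Rule("sqli-via-fstring", "verified",
         {"title": r"SQL injection", "description": r'f"'}),
]


def dedup_key(finding):
    # Two findings with the same title at the same path are the same issue,
    # regardless of which branch reported them.
    return (finding["title"], finding["file_path"])


def validate(findings, rules):
    """Deduplicate findings and assign each unique one a verdict."""
    seen = {}
    results = []
    for f in findings:
        key = dedup_key(f)
        if key in seen:
            seen[key]["branches"].append(f["branch"])
            continue
        status, matched = "unverified", None
        for rule in rules:
            if rule.matches(f):
                status, matched = rule.verdict, rule.name
                break  # first matching rule decides
        record = {**f, "status": status, "rule": matched, "branches": [f["branch"]]}
        seen[key] = record
        results.append(record)
    return results


def summarize(results):
    """Counts per status, the kind of figure a merge-request comment shows."""
    counts = {"verified": 0, "unverified": 0, "false_positive": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


if __name__ == "__main__":
    for r in validate(SAMPLE_FINDINGS, RULES):
        print(r["id"], r["status"], r["rule"], r["branches"])
    print(summarize(validate(SAMPLE_FINDINGS, RULES)))
```

Running it shows why ordering matters: the secret in `tests/test_config.py` is rejected as a false positive even though it would also match the "verified" key rule, and the fourth finding is folded into the first rather than counted twice. A real rule engine would also need to record which rule fired (as the portal does when you open a rule from a finding) so that a wrong decision can be traced back and the rule edited.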
Integration with IDE
In the next step, let's go to our IDE, which in this example is the WebGit IDE. Take a look at this vulnerability in GitLab. Note that the vulnerability is highlighted directly in the code. Then push a commit and create a merge request.
You'll see that comments have appeared on the merge request. In our example, they report 5 verified and 2 unverified issues to be fixed before merging, along with comments on the specific lines where vulnerabilities were identified.
📌 What we learned in this lesson:
- How to get familiar with the dashboard: what sections it contains, what metrics it shows, and where it can be customized.
- How to run a scan, view the results in the portal, review vulnerability details, and understand how validation rules work.
- How to use the IDE and Git integration to see comments and recommendations directly in the code and during the merge process.
Please make sure to complete the quiz before proceeding to the next lesson.