Veracode has recently introduced a new feature called Dynamic Analysis MFA, which provides automated support for multi-factor authentication (MFA) setups during dynamic analysis scans. This eliminates the need for you to disable or manually support your MFA configurations when conducting security testing.
Understanding Dynamic Analysis MFA
When we log into applications, we usually use a username and password, which is considered one-factor authentication. However, to enhance security and reduce the risk of passwords being lost or stolen, multi-factor authentication (MFA) was introduced. MFA adds an extra layer of security by requiring an additional step, such as using a hardware key, receiving a text message, or entering a code from an authenticator app.
MFA has become more common for web applications as web security becomes a higher priority, but some security testing tools require users to disable or manually support their MFA setups during application security testing. This can be disruptive and challenging for security professionals and developers.
Veracode addresses this challenge with Dynamic Analysis MFA, which provides automated support for your MFA setups during dynamic analysis testing. Instead of turning off or manually supporting MFA during testing, you can now configure Time-Based One-Time Password (TOTP) seed credentials generated from your MFA account providers (e.g., Google Authenticator) in your scan configurations or REST API. This allows your dynamic scans to automatically support your MFA setup throughout the test.
How Does Dynamic Analysis MFA Work
You can configure TOTP seeds as scanner variables in within your Dynamic Analysis interface scan configurations or REST API.
Scan Configurations: Add a reference key and value for the TOTP seed under "Scanner Variables" while configuring your dynamic scan.
REST API: Create a scan engine variable with the desired description, reference key, value, and set the TOTP property to “true”, then send the following request:
Once the TOTP seed is configured, Veracode's dynamic engine automates the entire MFA process, without disrupting the dynamic analysis scan. The scan will use the TOTP seed to generate the one-time password at runtime and automatically input it into the site to support your MFA setup. Dynamic Analysis MFA is compatible with any MFA authenticator using the TOTP protocol that can be configured with a seed.
Learn more about how to get started with Dynamic Analysis MFA here.
Build Fast. Build Secure.
Dynamic Analysis MFA brings more automation to your application security testing. You no longer have to disable or manually support MFA setups during dynamic analysis scans, reducing disruption while enhancing overall security.
Dynamic Analysis MFA marks the newest advancement in Veracode Dynamic Analysis (DAST), a comprehensive suite of vulnerability scanners dedicated to strengthening the security of your web applications and APIs. Aligned with OWASP security standards, Dynamic Analysis helps you detect and manage critical runtime vulnerabilities with minimal false positives, offering actionable insights for threat mitigation. Contact our team today to request a personalized demo of Veracode Dynamic Analysis, tailored to your specific needs.
Integrated into the Veracode Dynamic Analysis portfolio, Veracode DAST Essentials offers a free 14-day trial that makes it easy for you to initiate security scans of your applications and APIs within minutes. Try for free today (no credit card required).