April 2, 2019

Veracode Dynamic Analysis: Reduce the Risk of a Breach

By Bhavna Sarathy

This blog post has been updated as of April 2, 2019

Veracode Dynamic Analysis is a dynamic scanning solution that features automation, depth of coverage, and unmatched scalability. Built on microservices and cloud technologies, the Veracode Dynamic Analysis solution is available on the Veracode SaaS platform. Veracode Dynamic Analysis helps both vulnerability managers tasked with safeguarding the entire web application portfolio, and AppSec managers tasked with safeguarding critical applications in pre-production. With the frameworks developers use to build web applications changing often, and the push toward single page applications, Veracode Dynamic Analysis gives you the automated dynamic scanning you need to find vulnerabilities quickly and accurately.

Benefits of Scheduling Automation

Consistent dynamic scanning is key to keeping your web applications safe, and consistent scanning is achievable with an automated dynamic scanning solution. Imagine your CISO tells you to scan your web apps as often as feasible. Depending on remediation frequency, you come up with a quarterly, monthly, or weekly scanning schedule. To add additional complexity, IT gives you a maintenance window when dynamic scanning cannot occur. If you’re part of a global company, you also have time zones to contend with, making it virtually impossible to depend on a manual pause and resume, not to mention the inconvenience of waking up at 3:00 AM to pause a running scan. With all these variables to handle, you need a dynamic scanning solution that provides true automation to handle scheduling and IT maintenance windows, so you can “set it and forget it.” 

Recurring Scan Scheduling provides the ability to set up a schedule such that the application can be automatically scanned on a weekly, monthly, or quarterly cadence (or anything in between). Once the schedule has been set up, the dynamic scan will kick off automatically at the defined cadence. If the scan has been set up to start on a Tuesday, it will maintain that start day for the weekly scans to avoid running into weekends and holidays.

Automated Pause & Resume provides the ability to designate a maintenance window when the applications won’t be scanned. Dynamic scanning will be automatically paused when the IT maintenance window begins and automatically resume when the applications can be scanned. The pause and resume functionality has been built to ensure scanning resumes where it left off, with the goal of full coverage.

The screenshot below shows how to set up a weekly recurring scan that runs year round, pauses at midnight, and resumes at 4:00 AM each day.

  • Each week the application is dynamically scanned with the automated schedule and scan kick-off.
  • The system automatically pauses at the start of the maintenance window at 12:00 AM and resumes scanning at 4:00 AM.
  • You can adjust the duration based on the size of the application and the number of applications scanned in the batch to get the best coverage.

[Screenshot: Recurring and Auto Pause Resume]

[Screenshot: Veracode Dynamic Schedule Summary]
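To make the scheduling and pause/resume behaviour described above concrete, here is a small model of it in Python. It is an added example, not Veracode's code: the `ScanSchedule` class, the simulated crawl, the page list and the timestamps are all constructed for illustration. It shows the three things a practitioner would want to verify in such a scheduler: a maintenance window defined in the IT team's local time zone is honoured no matter which zone the scanner's clock uses, a window that crosses midnight is handled, and a paused scan resumes at the same page index rather than restarting, so coverage is not lost.

```python
"""Constructed model of a recurring DAST scan with automated pause/resume
(added example, not Veracode's own code). All datetimes are timezone-aware."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo


@dataclass(frozen=True)
class ScanSchedule:
    start_weekday: int   # 0 = Monday ... 6 = Sunday; kept fixed across recurrences
    kickoff: time        # local wall-clock time at which each recurring scan starts
    cadence_weeks: int   # 1 = weekly, 4 ~ monthly, 13 ~ quarterly
    tz: str              # IANA zone the IT maintenance window is expressed in
    window_start: time   # scanning pauses at this local time
    window_end: time     # scanning resumes at this local time


def in_maintenance_window(sched: ScanSchedule, instant: datetime) -> bool:
    """True if `instant` (in any timezone) falls inside the local maintenance window.
    A window that crosses midnight (e.g. 22:00-04:00) is handled explicitly;
    start == end means there is no window at all."""
    local = instant.astimezone(ZoneInfo(sched.tz)).time()
    if sched.window_start <= sched.window_end:
        return sched.window_start <= local < sched.window_end
    return local >= sched.window_start or local < sched.window_end


def next_resume_time(sched: ScanSchedule, instant: datetime) -> datetime:
    """Next local window_end strictly after `instant`."""
    local = instant.astimezone(ZoneInfo(sched.tz))
    resume = local.replace(hour=sched.window_end.hour, minute=sched.window_end.minute,
                           second=0, microsecond=0)
    if resume <= local:
        resume += timedelta(days=1)
    return resume


def next_scan_start(sched: ScanSchedule, now: datetime) -> datetime:
    """Next kickoff on the configured weekday strictly after `now`, so a scan set up
    for Tuesday keeps starting on Tuesdays."""
    local = now.astimezone(ZoneInfo(sched.tz))
    days_ahead = (sched.start_weekday - local.weekday()) % 7
    candidate = (local + timedelta(days=days_ahead)).replace(
        hour=sched.kickoff.hour, minute=sched.kickoff.minute, second=0, microsecond=0)
    if candidate <= local:
        candidate += timedelta(days=7)
    return candidate


def upcoming_starts(sched: ScanSchedule, now: datetime, count: int) -> list:
    """The next `count` kickoffs; adding whole weeks preserves the start weekday."""
    first = next_scan_start(sched, now)
    return [first + timedelta(weeks=sched.cadence_weeks * k) for k in range(count)]


def run_scan(sched: ScanSchedule, pages: list, start: datetime, minutes_per_page: int):
    """Simulate a crawl that walks `pages` in order, suspends when the maintenance
    window opens and picks up at the same page index once it closes.
    Returns the (page, scanned-at) log and the number of pauses taken."""
    clock, log, pauses, i = start, [], 0, 0
    while i < len(pages):
        if in_maintenance_window(sched, clock):
            pauses += 1
            clock = next_resume_time(sched, clock)   # jump forward; index i is kept
            continue
        log.append((pages[i], clock))
        clock += timedelta(minutes=minutes_per_page)
        i += 1
    return log, pauses


# Constructed sample: weekly Tuesday 22:00 kickoff, midnight-04:00 ET maintenance window.
SCHEDULE = ScanSchedule(start_weekday=1, kickoff=time(22, 0), cadence_weeks=1,
                        tz="America/New_York", window_start=time(0, 0),
                        window_end=time(4, 0))
SAMPLE_PAGES = [f"https://app.example/page{n}" for n in range(8)]  # constructed URLs
# 2019-04-03 02:00 UTC is Tuesday 2019-04-02 22:00 EDT; the scanner clock is in UTC.
SAMPLE_START = datetime(2019, 4, 3, 2, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    log, pauses = run_scan(SCHEDULE, SAMPLE_PAGES, SAMPLE_START, minutes_per_page=60)
    for page, at in log:
        print(at.astimezone(ZoneInfo(SCHEDULE.tz)).strftime("%a %H:%M"), page)
    print("pauses taken:", pauses)
    for s in upcoming_starts(SCHEDULE, SAMPLE_START, 3):
        print("next kickoff:", s.strftime("%a %Y-%m-%d %H:%M %Z"))
```

With the sample values, pages 0 and 1 are scanned at 22:00 and 23:00 ET, the crawl pauses once when the window opens at midnight, and page 2 onward is scanned from 04:00 ET the next morning; the following kickoffs all land on Tuesdays. The only design choice worth noting is that `run_scan` keeps its position in the page list across the pause, which is what "resumes where it left off" means in practice.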

Authenticated Batch Scanning provides the ability to increase coverage by scanning behind the login screen, using a multitude of login mechanisms such as auto login, basic authentication, or uploading a login script. You can depend on the pre-scan feature to provide accurate feedback on the connection and authentication for the application under test, so you can fix any access issues ahead of the scheduled start time. In addition, a batch of scans can be kicked off at the same time to allow concurrent scanning with authentication. You save a lot of time when all applications can be concurrently scanned, with coverage for single page applications, modern frameworks such as Angular and ReactJS, and the ability to cover large web applications quickly.

Dynamic Analysis makes it easy to onboard applications and provides multiple input mechanisms. Uploading a CSV file is a quick way for large and small companies to take advantage of scanning applications concurrently.

[Screenshot: Veracode Batch Scanning DAST]

[Screenshot: Veracode Dynamic Login Settings]

Internal Scanning Management with Veracode Dynamic Analysis

There are many reasons for an application to live behind a firewall, beyond it still being in the development process and waiting for test and quality assurance checks. Some applications are used for more sensitive financial operations and HR purposes, while others are used in highly regulated industries like healthcare and financial services. Even more simply, organizations use many applications internally, and there is no reason to expose them externally. Historically, the end user has had to install a Virtual Scan Appliance within their environment and send scan data through an insecure midpoint so the vendor can actually receive the data and return results.

Our Internal Scanning Management feature takes a fresh approach to this challenge by offering a completely new, IT-compliant way to access these behind-the-firewall applications. Rather than using a Virtual Scan Appliance, or an on-premises scanner that is difficult to maintain and does not scale, the Veracode Dynamic Analysis scanner continues to run in the cloud and uses the Secure Scanning Gateway. This gateway connection is completely controlled by the end user. You can open the connection to scan your applications behind the firewall, and close the gateway whenever you'd like. This empowers you not only to scan applications that live behind the firewall, but also to apply dynamic testing to applications in the staging environment before they are pushed into production. Below is a screenshot with a gateway and endpoint from the Veracode Platform.


Show Me the Results: Consolidated View

Veracode Dynamic Analysis provides visibility into the scanning process to give you peace of mind and comprehensive results once the scanning is complete. The Veracode Platform’s Triage Flaw Viewer provides CWE details, vulnerability severity, along with request/response. In addition, the Platform provides reports to show scan coverage, summary reports for executives, and detailed reports for AppSec teams.

[Screenshot: Veracode Dynamic Triage Flaw Viewer]

The goal of dynamic scanning is to find exploitable vulnerabilities at runtime and remediate the issues found. The Dynamic Flaw Inventory offers a dashboard with historical vulnerability information, allowing AppSec managers to track team progress toward fixing vulnerabilities.

[Screenshot: Dynamic Flaw Inventory]

Veracode Dynamic Analysis gives you a solution to scan your entire portfolio of web applications with ease, provides accurate results, and puts you on the path to remediating the findings. Even if you are running static scans early in the SDLC, dynamically scanning your web application at runtime uncovers exploitable vulnerabilities that static scans won't find. Use our dynamic scanning solution to find and remediate flaws before an attacker exploits the vulnerability and causes a breach.

I’d love to hear your feedback

Would Veracode Dynamic Analysis benefit your AppSec program and reduce the risk of a breach? I’d like to hear your thoughts. To learn more please download our whitepaper, "Reducing Your Risk of a Breach with Dynamic Analysis," or to schedule a demo now, click here.

By Bhavna Sarathy

Bhavna Sarathy is a Principal Product Manager for the Veracode Web Application Scanning product line. Bhavna was instrumental in building the new Veracode Dynamic Analysis as the lead Product Manager, translating vision into execution. Bhavna enjoys building new products that delight security-conscious customers, and is adept at driving cross-functional teams toward common product portfolio goals. Bhavna has 20+ years of experience in IT commercial software and 8+ years in product management and strategy. Bhavna holds master's degrees in Computer Science and Electrical Engineering from The Ohio State University.