Scan web applications and APIs

Veracode Dynamic Analysis is a Dynamic Application Security Testing (DAST) solution that delivers an automated and scalable dynamic scanning capability that enables broad coverage at speed. You can use the Veracode Platform to analyze both web applications and REST APIs.

You can also run an analysis with DAST Essentials. See the quickstart.

Veracode Dynamic Analysis interacts with the target web application or API like an attacker. It crawls your web application URLs or API endpoints to understand the architecture. For example, for web applications this includes links, text, form fills, and other page elements with which users can interact. It also checks attack points that are less visible to the user, such as header values, cookies, and URL parameters. The scan engine then audits the objects and attributes that the crawler discovered, and sends attacks, such as Cross-Site Scripting and SQL Injection, to these objects and attributes to identify exploitable vulnerabilities.

Because modern web applications are complex and full of features and functionality, a dynamic analysis crawler not only needs to interact with the application in the desired way, but also exercise each part of the application with payloads that test for vulnerabilities. More complex web applications require more requests and permutations of tests, which can increase the testing time.

Veracode strongly recommends that you scan all internet-facing and internal web applications or APIs to detect common vulnerabilities. For example, if an attacker compromises internet-facing web applications or APIs, they could gain access to internal web applications or APIs, exploit any vulnerabilities, and cause further damage to your organization.

Dynamic Analysis workflow

The Dynamic Analysis workflow for scanning web applications or API specifications consists of steps to configure the scan, run the scan, and view the results.

Dynamic Analysis benefits

You can use Dynamic Analysis to:

• Run security tests on live web applications and APIs in the late stages of development, such as test or quality assurance, or in production. The impact on web applications or APIs in production is minimal.
• Run analyses that are authenticated or unauthenticated. The web applications or APIs can be internal to your organization or accessible to the public internet. Review the best practices for web applications. For analysis of web applications, see the following sections:
  • Run an authenticated Dynamic Analysis of a web application
  • Run an unauthenticated Dynamic Analysis of a web application
  • Configure a Dynamic Analysis for an internal web application
• Use Selenium to create crawl scripts of recorded actions to take on web applications. You can customize these scripts to test specific features and components of a web application. Review the best practices.
• Define and manage policies for securing your web applications and APIs. Link the results to an application profile to evaluate them against your policies.
• Generate reports of analysis results that you can use to make informed plans, communicate performance metrics, and produce the evidence necessary to meet regulatory requirements.

You access Dynamic Analysis from the Veracode Platform or use the REST API to automate dynamic scanning tasks. For additional testing coverage of your web applications and APIs, consider contacting Veracode to schedule penetration testing of your sites.

Veracode Dynamic Analysis integrates with Veracode Discovery, which analyzes web application perimeters and searches for web applications within a defined IP address range or list of known hosts. Veracode also provides Veracode Internal Scanning Management (ISM) to access web applications and APIs behind a firewall.

Prerequisites

Before starting a Veracode Dynamic Analysis, you must meet the following prerequisites. For an analysis of a web application, Veracode strongly recommends that you review the best practices.

• Provide access to the Veracode IP address: to enable Veracode to perform scans, your web applications or APIs must be accessible from the domain for your region. This access may require creating a staging or test environment to host your application or APIs, making configuration changes to your firewall rules, and performing other IT activities. When running a Dynamic Analysis, you see traffic coming from the IP address for your region domain. Therefore, you must add the IP address to your allowlist.
• Verify connectivity: ensure the target URLs you want to scan are externally accessible and, if your site requires authentication, the login and password for accessing the websites are correct. If you configured authentication, after you submit the scan Veracode performs a connection and login verification. If you use login scripting, ensure the credentials are valid. Review the best practices for an authenticated analysis.
• Verify site availability: ensure the target web applications or APIs are active and available to Veracode for scanning. Dynamic Analysis can tolerate occasional outages or downtimes that occur 1-5 times during scanning. Excessive outages, operations within a maintenance window, or if the analysis loses its connection to Internal Scanning Management (ISM) during scanning, can cause the analysis to fail.
• Verify user roles: you must have the Creator, Submitter, or Security Lead role to be able to create, configure, or submit a Dynamic Analysis. Any member of the team associated with the Dynamic Analysis is able to view the analysis and its results.
• Confirm supported technologies: ensure your sites use technologies that Dynamic Analysis supports.

To address any details specific to your organization, contact Veracode Technical Support or your Veracode account manager.

Supported technologies for Dynamic Analysis

This list of technologies helps you understand what Dynamic Analysis supports before you try to perform an analysis.

Supported technologies

Dynamic Analysis supports the following technologies:

• Web applications that you access using a browser-based user interface.
• Web applications that render on the Chromium Engine and use the standard DOM API.
• Web applications built using Java, ASP, ASP.NET, Ruby on Rails, JavaScript, Perl, PHP, Python, or similar languages.
• Single-page (SPA) and HTML5 applications.
• Web applications built with Angular, React, and Vue.js frameworks.
• REST APIs.

Unsupported technologies

Dynamic Analysis does not support the following technologies:

• Desktop or mobile applications.
• SOAP APIs.
• Silverlight, Java applets, Adobe Flash, and ActiveX controls.
• Sites with complex business logic that are unsuitable for automation using crawl scripts.
• Sites that only support connections using TLS 1.0.
• Sites that only run in Internet Explorer or Microsoft Edge.

Dynamic Analysis scan capacity

The scan capacity subscription you purchase from Veracode determines the concurrent scan capacity at which you can perform Dynamic Analysis scans.

Your scan capacity is indicated on the Dynamic Analysis Scans summary page.

After you configure and submit a Dynamic Analysis, the availability of scan engines determines if scans of the URL configurations run concurrently or if they are queued until capacity becomes available. You can review the status of your scans in the Status column in the All Dynamic Analysis Scans table.

Dynamic Analysis production-safe testing

The Veracode Dynamic Analysis scan engine is designed to test production web applications or APIs with minimal impact. It uses testing approaches that do not harm or accidentally delete any data on the target website or API server. For example, the Veracode SQL injection test patterns use timing-based methods that append to the existing query without altering its logic. In addition, the XSS test strings inject JavaScript that is benign and does not execute outside the embedded browser used by the Dynamic Analysis scan engine.

A small number of applications may experience issues during Dynamic Analysis scanning, which typically happens when a legacy application is not capable of supporting a moderate amount of traffic or when an application contains user input forms with CAPTCHA controls. Forms that lack input validation may be associated to business logic that generates email notifications or tickets. In these cases, the activity generated by the Dynamic Analysis scan engine can reduce the availability of applications or generate redundant test data. For these reasons, Veracode recommends notifying the application owners that are responsible for its management prior to performing scans.