Requesting a DynamicDS Scan

DynamicDS Quick Start

To request a DynamicDS scan:

  1. Create the application profile.
  2. Configure the DynamicDS scan parameters.
  3. Provide the login information.
  4. Provide optional crawl instructions.
  5. Enter advanced configuration options.
  6. Select a DynamicDS Scan Engine.
  7. Run the prescan.
  8. Schedule the scan and submit.

If you want to use login and crawl scripts, use Selenium IDE to record these scripts.

It is possible to rescan an application without going through the above steps again.

Preparing for a DynamicDS Scan

You must have the Creator, Submitter, or Security Lead roles to be able to request a scan. You also must have the respective permission for requesting aDynamicDS type of scan. To control the number of DynamicDS scans performed on applications, your organization can decide that the Security Lead must approve every DynamicDS scan that Creators or Submitters request. If you want to use this feature, contact your Veracode account manager or

Keep in mind the following points when preparing for a DynamicDS scan:

Validation of Connectivity
Veracode may access the URL and login credentials to validate connectivity prior to the start of the scan timeframe. If the site cannot be accessed until the start of the timeframe, state this fact in the special instructions section. No testing occurs until the identified scan timeframe begins.
Note: Veracode does not support the scanning of applications that require logging into a VPN.
72-hour Scan Timeframe
For maximum repeatability, the Veracode DynamicDS scan performs scan requests while logged in with a single session. Therefore, a test timeframe of at least 72 continuous hours is requested. The scan is likely to complete in less than 72 hours, but if it does not, Veracode returns the results of vulnerabilities found during the partial scan.
To ensure that a DynamicDS scan analyzes your high-priority links, contact Veracode Technical Support to either increase your scan timeframe or provide a crawl script that dictates the exact scan coverage.
Required Access to the Veracode IP Address Range
Your application must be accessible from the Veracode IP address range. This may require you to create a staging/test environment to host your application, make configuration changes to your firewall rules, and perform other IT activities. Contact Veracode Technical Support or your Technical Account Manager to address specific details of your environment, as you may need to resolve any issues on a case-by-case basis.
Estimated Time of Arrival Date
For DynamicDS scans, if Veracode reviews your results, the Veracode SLO delivers results within one complete business day after the scan timeframe has ended. For example, if your scan timeframe ends at 6:00pm on a Thursday, results may be available the next day. However, the estimated delivery date will be the following Monday to allow for a complete business day. If your results are not reviewed by Veracode, the estimated delivery date is on or before the conclusion of your requested scan timeframe.
Note: Veracode does not recommend configuring a DynamicDS scan using a login with administrative privileges. If administrative role testing is necessary, exclude any potentially damaging functionality from the scope of the scan by excluding the associated URLs.