Requesting a DynamicDS Scan

DynamicDS and DynamicMP

To request a DynamicDS scan:

  1. Create the application profile.
  2. Configure the DynamicDS scan parameters.
  3. Provide the login information.
  4. Provide optional crawl instructions.
  5. Enter advanced configuration options.
  6. Select a DynamicDS Scan Engine.
  7. Run the prescan.
  8. Schedule the scan and submit.

If you want to use login and crawl scripts, record them with Selenium IDE or Kantu for Chrome.

It is possible to rescan an application without going through the above steps again.

Preparing for a DynamicDS Scan

You must have the Creator, Submitter, or Security Lead role to request a scan. You must also have the respective permission for requesting a DynamicDS type of scan. To control the number of DynamicDS scans performed on applications, your organization can decide that the Security Lead must approve every DynamicDS scan that Creators or Submitters request. If you want to use this feature, please contact your Veracode account manager or support@veracode.com.

Keep in mind the following points when preparing for a DynamicDS scan:

  • Validation of connectivity: Please note that Veracode may access the URL and login credentials to validate connectivity prior to the start of the scan timeframe. If the site cannot/should not be accessed until the start of the timeframe, please state this in the special instructions section. No testing occurs until the identified scan timeframe begins.
    Note: Veracode does not support the scanning of applications that require logging into a customer VPN.
  • 72-hour scan timeframe: For maximum repeatability, the Veracode DynamicDS scan performs scan requests while logged in with a single session; therefore, a test timeframe of at least 72 continuous hours is requested. The scan is likely to complete in less than 72 hours. However, if the scan does not finish in the allotted test timeframe, Veracode returns the results of vulnerabilities found during the partial scan. To ensure a DynamicDS scan analyzes your high priority links, contact Veracode Technical Support to increase your scan timeframe, or provide a crawl script that dictates the exact scan coverage.
  • Required access to the Veracode IP address range: Please be aware that to be scanned, your application must be accessible from the Veracode IP address range. This may require creating a staging/test environment to host your application, making configuration changes to your firewall rules, and performing other IT activities. Please contact Veracode Support or your Technical Account Manager to address specific details of your environment, as you may need to resolve any issues on a case-by-case basis.
  • Estimated time of arrival date: For DynamicDS scans, if Veracode reviews your results, the Veracode SLO is to deliver results within one complete business day after the scan timeframe has ended. For example, if your scan timeframe ends at 6:00pm on a Thursday, results may be available the next day. However, the estimated delivery date will be the following Monday to allow for a complete business day. If your results are not reviewed by Veracode, the estimated delivery date is on or before the conclusion of your requested scan timeframe.
Note: Veracode does not recommend configuring a DynamicDS scan using a login with administrative privileges. If administrative role testing is necessary, please exclude any potentially damaging functionality from the scope of the scan by excluding the associated URLs.
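
A pre-flight check for the IP address range requirement above, as an added example that is not part of Veracode's documentation: it compares a firewall's inbound allow rules with the scanner range and reports any part of the range that is still blocked. The range shown is a reserved documentation block standing in for the real one, and the rule list and function name are constructed for illustration.

```python
import ipaddress

# Placeholder: the real Veracode range is not given on this page. 203.0.113.0/24
# is a reserved documentation block used here as a stand-in.
SCANNER_RANGE = "203.0.113.0/24"

# Constructed sample: source CIDRs allowed inbound to the staging host.
ALLOW_RULES = [
    "203.0.113.0/26",
    "203.0.113.64/26",
    "203.0.113.192/27",
    "198.51.100.7/32",   # unrelated rule, must not affect the result
]


def uncovered(scanner_range, allow_rules):
    """Return the parts of scanner_range that no allow rule covers, as a
    sorted list of networks. An empty list means the whole range is allowed."""
    remaining = [ipaddress.ip_network(scanner_range)]
    for rule in allow_rules:
        rule_net = ipaddress.ip_network(rule, strict=False)
        still_blocked = []
        for net in remaining:
            if net.version != rule_net.version or not net.overlaps(rule_net):
                still_blocked.append(net)        # rule does not touch this piece
            elif net.subnet_of(rule_net):
                continue                         # piece is fully allowed
            else:
                # The rule is a strict subnet of this piece: keep the leftover.
                still_blocked.extend(net.address_exclude(rule_net))
        remaining = still_blocked
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    gaps = uncovered(SCANNER_RANGE, ALLOW_RULES)
    if gaps:
        print("Scanner addresses still blocked by the firewall:")
        for net in gaps:
            print(f"  {net} ({net.num_addresses} addresses)")
    else:
        print("Entire scanner range is allowed.")
```

Partial coverage is the case this check is meant to catch, since a scan sourced from an address in a gap fails the connectivity validation even though other addresses in the range get through.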