Reducing Scan Times for Large, Workflow-Intensive, JavaScript-Driven Applications

DynamicDS and DynamicMP

Large web applications that are workflow-intensive, content-heavy, and rely heavily on JavaScript usually have the following characteristics:
  • Support large companies and provide varied solutions related to the company's industry.
  • A single domain contains multiple types of workflows in different areas of the website.
  • Involve a significant amount of user input.
  • Include workflows with multiple required steps, such as the checkout process on an online shopping application.

These types of applications are particularly complicated for the scan engine to analyze. If you want to reduce the scan times for these types of applications, Veracode recommends the following configurations:

Create multiple application profiles for the application
If your application contains multiple categories of pages, creating multiple application profiles allows you to limit each DynamicDS scan to one category and configure the scan to analyze that category most efficiently. For example, you may want to create one profile for your content-heavy template pages, one for your SPAs or JavaScript-driven pages, and one for your workflow-intensive pages.

After you create the application profiles, configure the Target URL and Allowed Hosts fields in each scan configuration to include the appropriate category of page, and enter in the Exclude URLs field the pages that are linked from the target URL but belong to another category.

If the target URL for the application is the login page, you can use the same URL for each profile, but you must precisely configure the allowed hosts and excluded URLs.

Exclude third-party JavaScript content
Third-party JavaScript content consists of the JavaScript requests the application makes to URLs outside of the Allowed Hosts and Exclude URL lists, such as social media plugins, advertisements, and audio or video links. Excluding this content increases scan speed with very little impact on scan coverage. To exclude it, type Exclude third-party JavaScript content in the Special Instructions box in your DynamicDS scan parameters.
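The two recommendations above (splitting one domain across several profiles, and treating requests outside every Allowed Hosts list as third-party content) are easy to get subtly wrong: a path that no profile excludes is scanned by all of them, and a path that every profile excludes is scanned by none. The following script is an added illustration, not Veracode code and not Veracode's matching rules: it uses a simplified prefix model (an assumption) to check that a constructed set of crawled URLs is partitioned cleanly across three profiles, with the shared login target URL allowed in all of them.

```python
from urllib.parse import urlparse

# Constructed sample: one domain split into three DynamicDS profiles, as the text
# recommends. Each profile carries its Allowed Hosts and Exclude URLs. Matching is a
# simplified model used here for illustration (an assumption, not Veracode's rules):
# a URL is in scope when its host is allowed and it starts with no excluded prefix.
PROFILES = {
    "content": {"allowed_hosts": {"shop.example.com"},
                "exclude_urls": ["https://shop.example.com/app/", "https://shop.example.com/checkout/"]},
    "spa": {"allowed_hosts": {"shop.example.com"},
            "exclude_urls": ["https://shop.example.com/help/", "https://shop.example.com/checkout/"]},
    "workflow": {"allowed_hosts": {"shop.example.com"},
                 "exclude_urls": ["https://shop.example.com/help/", "https://shop.example.com/app/",
                                  "https://shop.example.com/checkout/legacy/"]},
}
# The login page is the target URL of every profile, so it legitimately appears in all three.
SHARED = {"https://shop.example.com/login"}

# Constructed crawl sample standing in for the URLs a scan would discover.
CRAWLED = [
    "https://shop.example.com/login",
    "https://shop.example.com/help/returns",
    "https://shop.example.com/app/dashboard",
    "https://shop.example.com/checkout/step2",
    "https://shop.example.com/checkout/legacy/pay",   # excluded by every profile: a gap
    "https://shop.example.com/account/profile",        # excluded by no profile: scanned 3 times
    "https://cdn.socialplugin.example/widget.js",      # outside all Allowed Hosts: third-party
]

def in_scope(url, profile):
    if urlparse(url).hostname not in profile["allowed_hosts"]:
        return False
    return not any(url.startswith(prefix) for prefix in profile["exclude_urls"])

def check_partition(urls, profiles, shared=frozenset()):
    """Return (owners, third_party, overlaps, gaps): the profiles that would scan each
    in-host URL, URLs outside every Allowed Hosts list, in-host URLs scanned by more
    than one profile (unless listed as shared), and in-host URLs no profile scans."""
    all_hosts = set().union(*(p["allowed_hosts"] for p in profiles.values()))
    owners, third_party, overlaps, gaps = {}, [], [], []
    for url in urls:
        if urlparse(url).hostname not in all_hosts:
            third_party.append(url)
            continue
        owners[url] = [name for name, p in profiles.items() if in_scope(url, p)]
        if len(owners[url]) > 1 and url not in shared:
            overlaps.append(url)
        elif not owners[url]:
            gaps.append(url)
    return owners, third_party, overlaps, gaps

if __name__ == "__main__":
    owners, third_party, overlaps, gaps = check_partition(CRAWLED, PROFILES, SHARED)
    for url, names in owners.items():
        print(f"{url} -> {names or 'NO PROFILE'}")
    print("third-party:", third_party, "\noverlaps:", overlaps, "\ngaps:", gaps)
```

Each reported overlap is wasted scan time and each gap is lost coverage; fix both by adjusting the Exclude URLs lists until only the shared login page is claimed by more than one profile.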

Audit only the highest-risk parameters
If you are only concerned with the highest-risk parameters exposed by the application, setting Vulnerable Parameter Auditing to Audit only the highest risk parameters significantly reduces scan time. If you usually scan with this option enabled, Veracode recommends that you periodically perform a scan with the default setting of Audit Veracode-default parameters.