Appendix D: Frequently Asked Questions

Virtual Scan Appliance

The internal web applications of an organization are prone to vulnerabilities just as public-facing ones. To identify these internal vulnerabilities, Veracode offers an on-premise virtual appliance image that can be deployed within VMware.

What is a VSA?

The Veracode Virtual Scan Appliance (VSA) is a virtual appliance image that enables dynamic application scanning from inside the customer firewall. The VSA is a CentOS Virtual Machine (VM) that customers install in their datacenter or behind their firewall. To enable the VSA to perform DynamicDS web application scanning, the VSA is equipped with the same scan engine that is used in Veracode cloud-based DynamicDS scan service.

VSA Architecture

Veracode requires no special hardware; it is a package that customers download that is easy to configure and start using. The VSA is packaged as an Open Virtualization Archive (OVA), the industry standard for virtual appliances. Customers can deploy the VSA into the virtualization platform of their choice, including the free versions VMware Player or VMware ESX server. All that is needed is an SSL-encrypted outbound connection that communicates with Veracode.

The four major components of the VSA are:
  • VSA virtual machine - deployed on customer premise
  • Veracode jobservice - deployed in Veracode production center
  • Virtual appliance midpoint - deployed in the cloud
  • Yellowdog Updater, Modified (YUM) Repository - deployed in Veracode production center

VSA and Scan Operations

Dynamic web application security is an integral part of the Veracode Platform, enabling customers to fully test their applications using multiple assessment methods and access a single set of convergent results, ratings, and reports. Customers submit DynamicDS scan requests from the Veracode Platform, specifying which VSA group should scan the application. Each VSA scans one full site and one prescan at a time.

The jobservice queues job requests from the Veracode Platform and processes scan results. The VSA exchanges scan configuration, scan progress, and flaw information with the Job Service.

Each VSA can simultaneously prescan a web application while running a full scan of another. Each VSA can support up to one full scan and one prescan at a time. When planning your VSA deployment, you work with Veracode to determine how many VSAs to deploy to manage your desired scan volume. In addition, if your network has multiple sub-networks, you can deploy VSAs within each sub-network so that the applications you want to scan are accessible by one or more VSAs.