Veracode Time-Boxed Manual Penetration Testing analyzes as much of the application as possible within the number of days of service you purchased. The Veracode Manual Penetration Testing team follows the testing methodologies noted in the table here. Findings from Veracode Static Analysis and Dynamic Analysis scans that were previously reported in the Veracode Platform are leveraged during Veracode Manual Penetration Testing.
When time is constrained, Veracode focuses on providing the most value for the time allotted. Smaller applications require less time to cover a majority of vulnerabilities, while larger applications may require additional time. For this reason, Veracode Penetration Testers may choose to customize the methodology to focus on high-priority, business-relevant flaws. For example, if a three-day penetration test is purchased for an application that is 500 pages or larger, with complex business logic, the tester may choose to focus more on finding representative examples of higher-risk flaws such as injection, authentication, and authorization flaws. In contrast, if this were a ten-day penetration test, the tester would be able to review the entire methodology in greater depth.