The Veracode DynamicDS scan technology acts like an automated penetration tester, accessing your web application and trying to identify security vulnerabilities by assessing the functionality on the web pages.
When considering an application for Veracode DynamicDS scanning, keep in mind the following application technology and deployment factors.
Supported Web Technologies
- The web application must be publicly accessible through a URL or IP address.
- Veracode can scan applications that listen on TCP ports 80, 443, and any port over 1024.
- If an application is not publicly accessible, you must open the firewall to the IP address 18.104.22.168 to run Veracode DynamicDS scans. Alternatively, you can request an overview of the Veracode Virtual Scan Appliance (VSA). Contact Veracode for more information.
- If an application is not publicly accessible, you must open the firewall to the IP addresses from which Discovery and DynamicMP scans originate:
  - 22.214.171.124 (for DynamicMP scans only)
  - 126.96.36.199 and 188.8.131.52 (for Discovery scans only)
Please contact your Veracode account manager or email@example.com for more details.
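As an added illustration (not part of the Veracode documentation): a POSIX shell helper that emits, and optionally applies, iptables rules admitting only the scanner source addresses listed above to the ports the application actually serves, and removes the same rules again once the scan window closes. The scanner addresses and the supported-port rule (80, 443, anything above 1024) come from this page; the script name, its function names and the APPLY variable are assumptions.

```shell
#!/bin/sh
# Dry-run by default: the rules are printed, not applied.
# Usage: veracode_fw.sh <DynamicDS|DynamicMP|Discovery> <add|del> <port>...
#        APPLY=1 veracode_fw.sh ...   pipes the rules to sh (requires root)

# Scanner source addresses per scan type, as listed on this page.
scanner_ips() {
  case "$1" in
    DynamicDS) echo "18.104.22.168" ;;
    DynamicMP) echo "22.214.171.124" ;;
    Discovery) echo "126.96.36.199 188.8.131.52" ;;
    *) return 1 ;;
  esac
}

# Veracode scans TCP 80, 443 and any port above 1024; refuse anything else
# so a misconfigured target is caught before the firewall is touched.
port_supported() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -eq 80 ] || [ "$1" -eq 443 ] || { [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]; }
}

# Print one iptables rule per (scanner IP, port). "add" inserts at the top
# of INPUT so the rule precedes any default drop; "del" removes exactly the
# same rule, so the allowance is scoped to the scan window only.
veracode_rules() {
  scan="$1"; action="$2"; shift 2
  ips=$(scanner_ips "$scan") || { echo "unknown scan type: $scan" >&2; return 1; }
  case "$action" in add) flag="-I" ;; del) flag="-D" ;; *) return 1 ;; esac
  for port in "$@"; do
    port_supported "$port" || { echo "port $port is not scannable" >&2; return 1; }
    for ip in $ips; do
      echo "iptables $flag INPUT -p tcp -s $ip --dport $port" \
           "-m comment --comment veracode-$scan -j ACCEPT"
    done
  done
}

# Only act when invoked with arguments; sourcing the file just defines functions.
if [ "$#" -ge 3 ]; then
  if [ "${APPLY:-0}" = 1 ]; then veracode_rules "$@" | sh; else veracode_rules "$@"; fi
fi
```

Run `veracode_fw.sh DynamicDS del 443` after the scan so the scanner address loses access again.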
Veracode does not currently support:
- Silverlight, Java applets, and ActiveX control technologies.
- Flex applications or the Flex protocol, Action Message Format (AMF).
- The testing of standalone web services and APIs (SOAP, RESTful, RPC, or other standards).
See the instructions for submitting an application for a Veracode DynamicDS scan for more information.
Items to Consider Before a Veracode DynamicDS Scan
Because some configurations prevent the Veracode DynamicDS scan from returning complete results, please note the recommendations below.
- Provide domain(s) to be scanned during the account provisioning process.
- Provide details of deployed security devices such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Web Application Firewalls (WAF). Disable active devices such as the IPS and WAF to prevent the scan from being blocked.
- For passive devices, notify administrators and hosting providers monitoring these systems to avoid false alarms.
- Provide contact information for an IT administrator in case escalation is needed during the Veracode DynamicDS scan.
- Provide a valid user account if the application requires authentication.
- Provide details of single sign-on, if it is enabled.
- Provide a staging environment since Veracode DynamicDS scans simulate user behavior, which is likely to cause data changes.
- Define the scope of analysis using directory-level restrictions and blacklisted URLs.