Preparing Your Web Application for a DynamicDS Scan

Getting Started Guide

The Veracode DynamicDS scan technology acts like an automated penetration tester, accessing your web application and trying to identify security vulnerabilities by assessing the functionality on the web pages.

When considering an application for Veracode DynamicDS scanning, keep in mind the following application technology and deployment factors.

Technology Considerations

Supported Web Technologies

  • Veracode supports any web application built using Java, ASP, ASP.NET, Ruby on Rails, JavaScript, Perl, PHP, Python or similar languages. In addition, Veracode provides limited support for Flash.
  • The web application must be publicly accessible through a URL or IP address.
  • Veracode can scan applications that listen on TCP ports 80, 443, and any port over 1024.
  • If an application is not publicly accessible, you must open the firewall to the IP address 192.157.28.60 to run Veracode DynamicDS scans.
  • If an application is not publicly accessible, you must also open the firewall to the following IP addresses, from which Discovery and DynamicMP scans originate:
    • 107.23.37.51 (for DynamicMP scans only)
    • 54.236.209.106 and 54.236.113.103 (for Discovery scans only)

Please contact your Veracode account manager or support@veracode.com for more details.

Unsupported Technologies

Veracode does not currently support:

  • Silverlight, Java applets, and ActiveX control technologies.
  • Flex applications or the Flex protocol, Action Message Format (AMF).
  • The testing of standalone web services and APIs (SOAP, RESTful, RPC, or other standards).
  • The following JavaScript frameworks: ReactJS and Angular versions 2 and later.

See the instructions for submitting an application for a Veracode DynamicDS scan for more information.

Items to Consider Before a Veracode DynamicDS Scan

Because some configurations prevent the Veracode DynamicDS scan from returning complete results, please note the recommendations below.

Required:

  • Provide domain(s) to be scanned during the account provisioning process.
  • Provide details of deployed security devices such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Web Application Firewalls (WAF). Disable active devices such as IPS and WAF so they do not block the scan.
  • For passive devices, notify administrators and hosting providers monitoring these systems to avoid false alarms.
  • Provide contact information for an IT administrator in case escalation is needed during the Veracode DynamicDS scan.
  • Provide a valid user account if the application requires authentication.
  • Provide details for single sign-on, if enabled.

Recommended:

  • Provide a staging environment since Veracode DynamicDS scans simulate user behavior, which is likely to cause data changes.
  • Define the scope of analysis using directory-level restrictions and blacklist URLs.

Note: Dynamic analysis is not designed to perform any destructive actions such as deleting data, dropping tables, or shutting down servers.