Production-safe Testing

Getting Started Guide

The Veracode DynamicDS scan engine is designed to test production web applications with minimal impact, using test approaches that do not harm the site or accidentally delete data. For example, the Veracode SQL injection test patterns use timing-based methods that append to the existing query without altering its logic. Likewise, the XSS test strings inject JavaScript that is benign and does not execute outside the embedded browser used by the Veracode dynamic scan engine.

A small number of applications may experience issues during DynamicDS scanning. This typically happens when a legacy application cannot support a moderate amount of traffic, or when an application contains user input forms with CAPTCHA controls. Forms that lack input validation may be associated with business logic that generates email notifications or tickets. In these cases, the activity generated by the Veracode DynamicDS scan engine can reduce the availability of applications or generate redundant test data. For these reasons, Veracode recommends notifying key application owners prior to performing scans.