Requesting a Third-Party Application Scan

Third-Party Application Security Testing

Requesting a Third-Party Application Scan

To request vendors or third-party providers to upload their code for scanning to the Veracode Platform, you must perform the following steps:

Creating a Third-party Application

You must create an application profile for a new application that has not been scanned before. The application profile describes your application and who can submit a scan request for it. In addition, the application profile provides metadata that is used to compute the application's score and report results across all applications.

  1. Click Add Application on the Applications page to begin creating the application.
  2. Enter the name of the third-party application and, optionally, a description and tags separated by commas. If the tag name includes a comma, surround the tag with quotation marks. If you have used tags before for other applications, these are available for you to select.
  3. Enter the Business Criticality of this application to your organization. The business criticality determines the default policy for the application. You can change the business criticality later, if necessary, by editing the profile.
  4. Select a policy from the dropdown menu if you do not want to use the default policy.
  5. Select the business unit that manages this application. If the business unit does not yet exist in the menu, click Add a Business Unit and create it.
  6. Enter the name and email address of the business owner who is responsible for this application.
  7. Select who has visibility of the application scanning results. You can give visibility to teams of users and change these selections at any time by editing the profile.
  8. In the Submission of Scan Data section, select a vendor account that you want to be able to submit scan requests. If you want the vendor to be able to rescan applications without informing you or publishing data to you first, select Enable Vendor Rescanning. After you select this option, vendors can click the Rescan button without creating a new scan request.
  9. Select a vendor from the dropdown menu, or request a new vendor.
  10. If available to your organization, there is a DynamicDS scan approval option where you can control the DynamicDS scanning on this application by selecting This application requires approval for each DynamicDS scan. This feature implements an approval process where all DynamicDS scan requests enter a queue and the person who has the Security Lead role must approve each request.
  11. Click Save and Continue.
  12. Optionally, provide the following metadata or edit the profile later to add more details:
    Origin
    identify where the application originated, e.g. from a third-party library or internal development.
    Industry
    select the industry of your company.
    Application Purpose
    identify how you use the application, e.g. for security or software development
    Deployment Method
    identify how the application usually deploys, e.g. web-based, third-party vendor
    Archer Application Name
    this field, available only for users with the Security Lead role, enables you to set a custom name for the application in the Archer data feed.
    Custom metadata
    Use the custom fields to add any other metadata with which you want to track or analyze this application.
  13. Click Save & Continue to save the profile information.

Veracode then contacts the vendor to begin the provisioning process. Once the vendor has been provisioned (or associated with your account), the scan request is sent to the vendor you selected for fulfillment. You can check the status of the scan as it progresses.



Requesting a New Vendor

If the vendor is not already on the Veracode Platform, or has not been associated with your account, you can request them as a new vendor:

  1. Click the Request New Vendor link.
  2. Fill out all required fields for the vendor.
    Note: You must provide a primary point of contact for the vendor.
  3. Click OK.

Requesting a Third-party Scan

After creating a third-party application, you can then request a scan of that application. From the Application Overview, click Scans and Analysis and select the scan type you want to perform. Keep in mind that if you do not see the scan type you want, it is possible that a scan of that type is already in progress or that scan type is not authorized.

After you request the scan, the status in the Application Overview of the application is Request In Progress.