Using the Developer Sandbox

Developer Sandbox

Developer sandboxes provide individual contributors and teams the ability to scan applications and measure the results against the policy rules without affecting the policy compliance of the entire application. Developers can create sandboxes within existing application profiles and submit the application code for analysis while still in development without affecting their ability to run a static or DynamicDS policy scan of the application. After completing a sandbox scan, you can promote that sandbox scan to a policy scan that counts toward your policy compliance score.

The purpose of this feature is to reduce application security risk by allowing developers to obtain feedback about their in-development applications without degrading the policy status and flaw metrics for the production versions of those applications. It is possible to analyze multiple revisions of the same application at the same time.

Users who have the Creator, Submitter, Reviewer, Security Lead, or Sandbox Administrator permissions can view sandboxes, and users who have the Creator, Security Lead, or Sandbox Administrator permissions can create sandboxes.
Note: The sandbox feature is not available to third-party vendors whose software Veracode is scanning on behalf of an enterprise customer.

Creating a Sandbox

To create a sandbox for an application, you must have the Creator, Security Lead, or Sandbox Administrator permissions.

Note: You can only run a maximum of five concurrent sandbox scans.

You access the Sandboxes page from the application's left navigation menu. The Sandboxes page for each application contains two views: My Sandboxes and Everyone's Sandboxes. Everyone who has access to this application and has the correct sandbox permissions can create sandboxes for the application, and you can change the view between the list of everyone's sandboxes and the list of only your sandboxes.

To create a sandbox:
  1. Go to the application and click Sandboxes in the left navigation menu.
  2. In the Sandboxes page, click Create Sandbox.
  3. In the Create Sandbox popup, enter the name of your new sandbox.

Your new sandbox now appears in the list of My Sandboxes, and also appears in the list of Everyone's Sandboxes. To edit the sandbox name, click the pencil icon next to the name.

Click the sandbox name in the list to go to the overview page of that sandbox.

Starting a Sandbox Scan

Create and run sandbox scans on applications in development the same way as for policy scans on applications in production.

To start a sandbox scan:
  1. From the list of sandboxes, click the required sandbox name to go to the overview page.
  2. Click Scans & Analysis, and select the scan type you want to run.
  3. Follow the same procedures as for running formal policy scans.
  4. To review which sandbox scans are still running and which have finished, go to the left navigation menu of the application and, under Sandbox Scans, click In Progress or Completed.

If you run an excessive number of sandbox scans at the same time, you receive a notification that your scan is placed in a queue.

Reviewing the Sandbox Scan Queue

To ensure the timely delivery of policy-level scans, Veracode limits the number of concurrent sandbox scans that you can run for an application. Once you exceed this limit, all sandbox scans of that application are placed in a queue and run according to the order of that queue.

To view the scan in the sandbox scan queue, click Sandbox Scan Queue under the scan name on the Application Overview page.

The Sandbox Scan Queue appears, listing the names of the waiting scans, the users who requested the scans, and the date and time of the scan requests.

Reviewing Sandbox Scan Results

The results from sandbox scans are easily available from the left navigation menu.

To access the results of your sandbox scan:
  1. From your application left navigation menu, click Sandbox Scans.
  2. Click the name of the desired scan to go to the scan overview page of that scan.

Note: If you have an Enhanced Support subscription, you can click Schedule a Consultation on the Sandbox Results page to schedule a consultation call with a Veracode Application Security Consultant to help interpret the findings in your application.

Flaw Matching in Sandbox Results

Veracode first compares the results of the most recent sandbox scan with those of previous scans in the same sandbox to match against any flaws that already exist. If no match is found there, flaw matching continues through to previous policy scans for that application. The flaws found in the most recent sandbox scan inherit the status of the matched flaws; a flaw with no match in either history is reported as new.
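The following is an added illustration of the matching order described above, written for this page and not Veracode's own code. It assumes a flaw is identified by CWE id, file and line (Veracode's actual matching criteria are not stated here), and that scan histories are ordered most recent first.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Finding:
    """One flaw from a scan. Status values are illustrative (e.g. 'Open',
    'Mitigated'); a finding with no history gets 'New'."""
    cwe: int
    file: str
    line: int
    status: str = "New"

    def key(self) -> Tuple[int, str, int]:
        # Assumed match key: the page does not define how flaws are matched.
        return (self.cwe, self.file, self.line)


def _index(scans: List[List[Finding]]) -> Dict[Tuple[int, str, int], str]:
    """Map each flaw key to the status from the most recent scan that has it."""
    index: Dict[Tuple[int, str, int], str] = {}
    for scan in scans:            # most recent first, so first write wins
        for f in scan:
            index.setdefault(f.key(), f.status)
    return index


def match_sandbox_findings(
    new_findings: List[Finding],
    sandbox_history: List[List[Finding]],
    policy_history: List[List[Finding]],
) -> List[Tuple[Finding, str, Optional[str]]]:
    """Return (finding, inherited_status, source) for each new finding.

    source is 'sandbox' when matched in an earlier scan of the same sandbox,
    'policy' when matched only in an earlier policy scan, None when unmatched.
    Earlier sandbox scans are consulted before policy scans, as the text states.
    """
    sandbox_index = _index(sandbox_history)
    policy_index = _index(policy_history)
    results = []
    for f in new_findings:
        k = f.key()
        if k in sandbox_index:
            results.append((f, sandbox_index[k], "sandbox"))
        elif k in policy_index:
            results.append((f, policy_index[k], "policy"))
        else:
            results.append((f, "New", None))
    return results
```

Note that a flaw present in both histories takes its status from the sandbox scan, even if the policy scan recorded a different status for the same flaw.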