Veracode Dynamic Analysis is a Dynamic Application Security Testing (DAST) solution that provides automated, scalable dynamic scanning of running applications. You can analyze both web applications and REST APIs.
Veracode Dynamic Analysis interacts with the target web application or API the way an attacker would. It first crawls your web application URLs or API endpoints to map the application. For web applications this includes links, text, form fields, and other page elements that users can interact with. It also records attack surface that is less visible to a user, such as header values, cookies, and URL parameters. The scan engine then audits the objects and attributes that the crawler discovered: it sends attack payloads, such as Cross-Site Scripting and SQL Injection probes, to each of them and inspects the responses to identify exploitable vulnerabilities.
Because modern web applications are complex and feature-rich, a dynamic analysis crawler must not only navigate the application correctly, but also exercise every discovered input with payloads that test for vulnerabilities. A more complex application means more requests and more permutations of tests, which increases scan time.
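The crawl-then-audit loop described above, reduced to a runnable sketch. This is an added illustration, not Veracode code: `mock_app` is a constructed in-memory target with one reflected-XSS sink and one SQL-error sink, and the payload list and matchers are deliberately minimal. Real scanners send many more permutations per parameter, which is why scan time grows with application complexity.

```python
"""Toy DAST engine: crawl a page for injection points, then audit each one.

Added example, not part of Veracode Dynamic Analysis. The target app,
payloads and detection heuristics below are all constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

# --- Constructed target: stands in for a live web application ---------------
HOME_HTML = """
<a href="/search?q=shoes&amp;page=1">Search</a>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
"""


def mock_app(method, url, data=None):
    """Hypothetical vulnerable app: /search reflects q unescaped (XSS),
    /login leaks a database error when the username contains a quote (SQLi)."""
    p = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    if p.path == "/":
        return HOME_HTML
    if p.path == "/search":
        return f"<h1>Results for {q.get('q', '')}</h1>"          # XSS sink
    if p.path == "/login":
        user = (data or {}).get("user", "")
        if "'" in user:
            return "You have an error in your SQL syntax"         # SQLi tell
        return "Login failed"
    return ""


# --- Crawl phase: discover links with parameters and form fields ------------
class Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.targets = []   # (method, path, [param names])
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            p = urlparse(a["href"])
            params = list(parse_qs(p.query))
            if params:
                self.targets.append(("GET", p.path, params))
        elif tag == "form":
            self._form = (a.get("method", "get").upper(), a.get("action", "/"), [])
        elif tag == "input" and self._form and "name" in a:
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.targets.append(self._form)
            self._form = None


def crawl(app, start="/"):
    """Return the injection points found on the start page."""
    c = Collector()
    c.feed(app("GET", start))
    return c.targets


# --- Audit phase: mutate each parameter and look for a vulnerability tell ---
PAYLOADS = {
    "xss":  ("<script>dast()</script>", lambda body, p: p in body),
    "sqli": ("'", lambda body, p: "sql syntax" in body.lower()),
}


def audit(app, targets):
    """Send every payload into every parameter; report (kind, method, path, param)."""
    findings = []
    for method, path, params in targets:
        for name in params:
            for kind, (payload, matcher) in PAYLOADS.items():
                values = {n: "x" for n in params}   # benign filler for the rest
                values[name] = payload
                if method == "GET":
                    url = urlunparse(("", "", path, "", urlencode(values), ""))
                    body = app("GET", url)
                else:
                    body = app("POST", path, values)
                if matcher(body, payload):
                    findings.append((kind, method, path, name))
    return findings


if __name__ == "__main__":
    for f in audit(mock_app, crawl(mock_app)):
        print("%-4s %s %s param=%s" % f)
```

Note the request count: two targets with two parameters each and two payloads already cost eight audit requests beyond the crawl, and a production scanner multiplies that by encodings, contexts and headers.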
Veracode strongly recommends that you scan all internet-facing and internal web applications or APIs to detect common vulnerabilities. An attacker who compromises an internet-facing web application or API can use it as a foothold to reach internal web applications or APIs, exploit any vulnerabilities there, and cause further damage to your organization.
You can use Dynamic Analysis to:
- Run security tests on live web applications and APIs in the late stages of development, such as test or quality assurance, or in production. The impact on web applications or APIs in production is minimal, but because the scan submits forms and sends attack payloads, review which URLs and actions are in scope before scanning a production system.
- Run analyses that are authenticated or unauthenticated. The web applications or APIs can be internal to your organization or accessible to the public internet. Review the best practices for web applications. For analysis of web applications, see the following sections:
- Use Selenium to create crawl scripts of recorded actions to take on web applications. You can customize these scripts to test specific features and components of a web application. Review the best practices.
- Define and manage policies for securing your web applications and APIs. Link the results to an application profile to evaluate them against your policies.
- Generate reports of analysis results that you can use to make informed plans, communicate performance metrics, and produce the evidence necessary to meet regulatory requirements.
You access Dynamic Analysis from the Veracode Platform. Veracode also provides Dynamic Analysis REST APIs to automate dynamic scanning tasks. For additional testing coverage of your web applications and APIs, consider contacting Veracode to schedule Manual Penetration Testing of your sites.
Veracode Dynamic Analysis integrates with Veracode Discovery, which analyzes web application perimeters and searches for web applications within a defined IP address range or list of known hosts. Veracode also provides Veracode Internal Scanning Management (ISM) to access web applications and APIs behind a firewall.