Scan APIs
Use Dynamic Analysis in the Veracode Platform, or the REST API, to test the security of your REST API specifications or Postman Collections. You can also integrate the analysis with your development pipeline. The scans crawl and analyze the endpoints in an API specification file or the requests in a Postman Collection. The results identify the vulnerabilities you might need to resolve.
For an improved experience, we recommend using DAST. See the quickstart.
In the Veracode Platform, you create a Dynamic Analysis and upload or select the API specification or Postman Collection you want to analyze. An analysis can contain a maximum of 250 specifications. To learn about API specification support, see How we process API specifications.
If you want to scan an API but don't have an OpenAPI or Postman specification, you can create an HTTP Archive (HAR) file using a free tool, such as Chrome Developer Tools. To reduce extraneous traffic, such as third-party traffic, select Fetch/XHR to apply filtering before exporting the HAR.
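The Fetch/XHR filter in DevTools keeps scripts, images and third-party calls out of the export, but a captured HAR still carries live session headers. The script below is an added example (not Veracode code or a DevTools feature): it reduces a Chrome-style HAR to first-party API entries and redacts credential-bearing request headers before the file is uploaded as a specification. It assumes the non-standard `_resourceType` field that Chrome DevTools writes into each entry; the sample capture is constructed.

```python
"""Reduce a HAR capture to first-party API traffic before uploading it.

Added example, not Veracode code. Assumes the Chrome DevTools HAR layout,
where each entry carries a non-standard `_resourceType` field ("xhr" or
"fetch" for API calls). The sample capture below is constructed.
"""
import json
from urllib.parse import urlparse

# DevTools resource types that correspond to the Fetch/XHR filter.
API_RESOURCE_TYPES = {"xhr", "fetch"}
# Header values that should never leave the machine inside an uploaded capture.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}

SAMPLE_HAR = {  # constructed sample that mimics a DevTools export
    "log": {
        "version": "1.2",
        "entries": [
            {
                "_resourceType": "xhr",
                "request": {
                    "method": "GET",
                    "url": "https://api.example.test/v1/users/42",
                    "headers": [
                        {"name": "Authorization", "value": "Bearer eyJ...not-a-real-token"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                },
                "response": {"status": 200},
            },
            {
                "_resourceType": "fetch",
                "request": {
                    "method": "POST",
                    "url": "https://api.example.test/v1/orders",
                    "headers": [{"name": "Content-Type", "value": "application/json"}],
                    "postData": {"mimeType": "application/json", "text": "{\"sku\": \"A1\"}"},
                },
                "response": {"status": 201},
            },
            {   # static asset: dropped by the resource-type filter
                "_resourceType": "script",
                "request": {"method": "GET", "url": "https://cdn.example.test/app.js", "headers": []},
                "response": {"status": 200},
            },
            {   # third-party XHR: dropped by the host filter
                "_resourceType": "xhr",
                "request": {"method": "POST", "url": "https://analytics.thirdparty.test/collect", "headers": []},
                "response": {"status": 204},
            },
        ],
    }
}


def redact_headers(headers):
    """Replace secret-bearing header values so the capture is safe to share."""
    return [
        {"name": h["name"], "value": "[REDACTED]"} if h["name"].lower() in SENSITIVE_HEADERS else h
        for h in headers
    ]


def filter_har(har, allowed_hosts):
    """Keep only Fetch/XHR entries whose host is in allowed_hosts, with
    sensitive request headers redacted. Returns a new HAR dict; the input
    is left untouched."""
    kept = []
    for entry in har["log"]["entries"]:
        if entry.get("_resourceType", "").lower() not in API_RESOURCE_TYPES:
            continue
        if urlparse(entry["request"]["url"]).hostname not in allowed_hosts:
            continue
        new_entry = json.loads(json.dumps(entry))  # deep copy
        new_entry["request"]["headers"] = redact_headers(new_entry["request"]["headers"])
        kept.append(new_entry)
    out = {"log": dict(har["log"])}
    out["log"]["entries"] = kept
    return out


def endpoint_summary(har):
    """List 'METHOD url' for each remaining entry, for a quick review before upload."""
    return [f"{e['request']['method']} {e['request']['url']}" for e in har["log"]["entries"]]


if __name__ == "__main__":
    cleaned = filter_har(SAMPLE_HAR, {"api.example.test"})
    for line in endpoint_summary(cleaned):
        print(line)
    with open("api-capture.har", "w") as fh:  # the file you would upload
        json.dump(cleaned, fh, indent=2)
```

Pass the set of hosts that belong to the API under test; anything else, including analytics beacons that DevTools also classifies as XHR, is dropped rather than scanned.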
Create an analysis
Create an analysis in the Veracode Platform to perform a Dynamic Analysis of the following:
- Endpoints in one or more API specifications.
- Requests in one or more Postman Collections.
You can also create an analysis using the REST API.
Before you begin:
- Ensure you meet the prerequisites.
- If scanning internal web applications or APIs, ensure you have set up your ISM gateway and endpoint.
You can only link one application profile to an API scan or web application scan. Also, you cannot use the same analysis for both API and web application scans.
To complete this task:
1. Sign in to the Veracode Platform.
2. Select Scans and Analysis > Dynamic Analysis.
3. Select Scan API Specifications. The Create page opens.
4. For Dynamic Analysis Name, enter a name for this analysis. Ensure the name is unique to your organization and provides a human-readable description of the analysis.
5. For API Specifications, select Options. Then, choose to upload a new API specification to scan or select an existing one. You only need to upload a new specification once; it remains available to other analyses and is also listed on the API Specification Management tab of the Dynamic Analysis page.
6. For a new API specification, in the Upload API Specification window, select Choose File.
7. Locate and select a valid API specification file. If you do not enter a name for the API specification, the Veracode Platform uses the filename of the uploaded specification by default. Depending on the size of your specification file, the upload might take several seconds to complete. The Veracode Platform also shows messages about any issues with the specification, such as an unsupported file format, invalid syntax, or a problem with the relative URL.
Note:
- If you provide only an API specification without sample data, we use the defined schema to generate dummy test data. During prescan, we validate endpoints by capturing requests in a HAR file, substitute default values where examples are not defined, such as integers or strings, and iterate through operations to perform parameter-based testing and fuzzing around valid values.
- If you include sample data, we use the provided request bodies during prescan to validate endpoints and construct requests. We then continue iterating through operations using the same parameter-based testing and fuzzing approach.
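To make the two cases in the note concrete, here is an added example (not Veracode's generator) of how a prescan-style request body can be derived from an OpenAPI operation: provided sample data is used verbatim, and where it is absent the schema is walked and default values are substituted per type. The inline OpenAPI fragment is constructed, and the specific defaults chosen for each type are assumptions.

```python
"""Build a request body from an OpenAPI operation: prefer sample data,
otherwise derive values from the schema.

Added example, not Veracode code. The spec below is constructed and the
per-type defaults in TYPE_DEFAULTS are assumptions.
"""

# Assumed defaults for schema types that carry no example or enum.
TYPE_DEFAULTS = {"string": "string", "integer": 0, "number": 0.0, "boolean": True}

SAMPLE_SPEC = {  # constructed OpenAPI 3.0 fragment
    "openapi": "3.0.3",
    "paths": {
        "/orders": {  # schema only: values must be generated
            "post": {
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "type": "object",
                                "required": ["sku", "quantity"],
                                "properties": {
                                    "sku": {"type": "string", "example": "A1-2024"},
                                    "quantity": {"type": "integer", "minimum": 1},
                                    "gift": {"type": "boolean"},
                                    "tags": {
                                        "type": "array",
                                        "items": {"type": "string", "enum": ["rush", "fragile"]},
                                    },
                                    "address": {
                                        "type": "object",
                                        "properties": {"zip": {"type": "string"}},
                                    },
                                },
                            }
                        }
                    }
                }
            }
        },
        "/users": {  # sample data supplied: used as-is
            "post": {
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {"type": "object"},
                            "example": {"name": "Ada", "email": "ada@example.test"},
                        }
                    }
                }
            }
        },
    },
}


def value_from_schema(schema):
    """Return a concrete value for one schema node.

    Preference order: property-level example > first enum value >
    minimum for numeric types > assumed type default. Objects and arrays
    are filled recursively."""
    if "example" in schema:
        return schema["example"]
    if "enum" in schema:
        return schema["enum"][0]
    t = schema.get("type", "string")
    if t == "object":
        return {name: value_from_schema(sub) for name, sub in schema.get("properties", {}).items()}
    if t == "array":
        return [value_from_schema(schema.get("items", {}))]
    if t in ("integer", "number") and "minimum" in schema:
        return schema["minimum"]
    return TYPE_DEFAULTS.get(t)


def request_body_for(spec, path, method, media="application/json"):
    """Body to send for one operation: media-type example(s) if the spec
    ships sample data, otherwise a schema-derived body."""
    op = spec["paths"][path][method]
    body = op.get("requestBody", {}).get("content", {}).get(media, {})
    if "example" in body:
        return body["example"]
    if body.get("examples"):  # OpenAPI 'examples' map: take the first entry
        return next(iter(body["examples"].values()))["value"]
    return value_from_schema(body.get("schema", {}))


if __name__ == "__main__":
    for path in SAMPLE_SPEC["paths"]:
        print(path, request_body_for(SAMPLE_SPEC, path, "post"))
```

Fields that carry an `example` or `enum` in the spec give the scanner realistic starting values; everything else falls back to type defaults, which is why a spec with sample data produces better prescan coverage than a bare schema.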
8. To add the specification to your analysis, select Add to Analysis. Your analysis is listed in the API Specifications to Scan table.
9. To add more specifications to the same analysis, repeat steps 5-8.
10. To link the analysis and the scan results to an application profile, in the API Specifications to Scan table, in the Actions column, select Link. Then, select an application profile and select Link. The name of the linked application profile appears in the Application Name column.
11. Optionally, to configure a user agent string that the scanners add as a header to each API request, select Dynamic Analysis User Agent. For Browser, select one of the following:
   - API Scan Default: accept the default string. Veracode identifies as the originator of the scan with Veracode Security Scan/[email protected].
   - Custom: add your custom string to User Agent.
   Compared to the user agent string for web application scanning, this string does not include browser information. You can use this string to exempt the scan from Web Application Firewall (WAF) blocking or to suppress pager notifications in an Intrusion Prevention System (IPS). For information about the solution for your organization, see your vendor documentation.
12. Optionally, under Visibility Settings, select which user roles or teams can access this analysis and the scan results.
13. Optionally, under Organization Information, enter information specific to your organization.
14. To certify that your organization has the required permissions to scan the specifications added to this analysis, under Scanning Certification, select the checkbox.
15. To schedule the analysis, including whether to run a prescan, select Schedule. By default, your Dynamic Analysis is not scheduled. A prescan scans all endpoints or requests in the specification to verify that Veracode can reach and, if required, authenticate with the target API server. If you do not want to schedule the analysis, select Review and Submit, and then Save. To review the schedule of any Dynamic Analysis, select the clock icon in the row for that Dynamic Analysis on the All Dynamic Analyses page.
Note: Because Dynamic Analysis scans API specifications quickly, we recommend that you do not schedule the analysis to automatically pause and resume.