Best practices for a Dynamic Analysis of web applications
This section provides best practices that Veracode recommends you follow to configure and use Dynamic Analysis to test the security of your web applications.
Authenticated analysis considerations
Access to a web application typically requires one or more authentication methods. Veracode Dynamic Analysis supports several authentication methods for an authenticated analysis. To avoid scan failures or scan results with little or no coverage when scanning authenticated sites, Veracode recommends the following best practices.
User credentials for scans
Veracode recommends that you configure test credentials that you use specifically for security testing. Do not use personal, real user credentials because the crawler uses them to sign in and test the target site.
Use a credentials variable and login script
To protect and update the user credentials without needing to periodically modify the configuration of your dynamic analysis, consider using a credentials variable and a login script with the REST API.
Disable password lockout
The scanner uses various sign-in methods and authentication combinations to access your site, so you do not want a lockout to occur during scanning. If you have a site that disables a user password after a certain number of failed sign-in attempts, Veracode recommends that you disable this lockout option if possible.
Suppress password resets
For a web application, pages that support personalized logins often display a reset password link or input. To prevent the scanner from resetting the password during an analysis, Veracode recommends that you prevent the scan from interacting with this feature. If you know the URL for the password reset feature, you can add the URL to a blocklist to prevent the scanner from accessing the related link.
Disable multifactor authentication
Veracode designed Dynamic Analysis to run with little to no user interaction. If your site uses a multi-factor authentication (MFA) token, it does not notify you when you need to enter that token during scanning. If your organization allows it, Veracode recommends that you disable MFA for the specific test user account that the scanner uses to access the site. With MFA disabled, the scanner can sign in and sign out of the site multiple times without encountering a lockout.
Reduce network latency
The responsiveness of the target web application can increase the duration of the Dynamic Analysis scan. To reduce network latency during scanning, consider the following configurations when planning a Dynamic Analysis.
- Schedule the scan to run during low load-times so that the site can respond quicker to the many requests from the Dynamic Analysis. Compared to a human user that might interact once with one component of the web application, a Dynamic Analysis sends multiple requests to the same component as it performs tests.
- If you are using Veracode Internal Scanning Management (ISM), install the ISM endpoint close to the target web application to minimize the number of hops between the Dynamic Analysis requests and the application. For example, install the endpoint in the same datacenter or network segment as the target application.
Optimize Dynamic Analysis scans
Dynamic Analysis assumes that your target web applications use the supported technologies and are operating under normal network conditions. However, there are factors that might impact scan speed, overall performance of the Dynamic Analysis, and the results. The following best practices explain how to use the Coverage Report from a Dynamic Analysis to identify potential performance issues, resolve them, and get the results you want.
Run an initial analysis to assess your site
Veracode recommends that you run the first analysis of a new web application without setting any limitations that might influence the scan coverage and affect the results. You can use the first scan as a reconnaissance analysis, where it can freely explore your web application and populate the Coverage Report with as much detail as possible.
After completing the initial analysis, you can review the Coverage Report for the web application. The report provides detailed analytics and patterns of behavior that you can use to optimize the scan configuration.
Third-party traffic to your site does not impact the scan time. If you notice scan latency or longer scan times, contact Veracode Technical Support.
For additional information on reducing scan times for web applications, see this Community article.
Minimize duplicate content
Veracode Dynamic Analysis includes a Similarity Threshold option that automatically performs redundancy checks to identify similar, or redundant, content across all pages of a web application. However, some web applications might also create content in certain ways, such as generating content based on user interaction, but only a human can determine whether the same code functionality generated that content.
You can review the Coverage Report to determine if your web application contains similar content that you can exclude from scanning. You can also adjust the Similarity Threshold to control the level of these redundancy checks.
Exclude URLs that point to similar content
The Coverage Report provides a list of all scanned URLs. If these URLs point to web applications with similar content, you can use the URL-Specific Allowlist and Blocklist option to exclude these URLs from scans. Excluding similar content can improve the scan results and reduce scan time.
Exclude links to tracking sites and ad servers
You might have web applications that link to external ad servers or trackers that track user behavior. Teams, such as Marketing, within your organization use the analytics and other useful information from these trackers to learn about your users. A Dynamic Analysis scan does not crawl these links, but it loads them to ensure the web application has all required third-party resources for the analysis. If the application contains several links, the load time might increase the scan time. These links also appear in the Coverage Report, under Ignored URLs. To exclude these links from your Coverage Report and, depending on the number of links, reduce the scan time, add them to your blocklist.
You can review the Coverage Report to identify links to trackers and use the URL-Specific Allowlist and Blocklist option to exclude these links from scans.
Exclude links to disruptive areas of the web application
A web application might expose links that provide access to areas of the application for deleting application data, or deleting or resetting user accounts. These links are typically accessible to users with high-level permissions, can disrupt scans, and can affect the results.
To ensure the test user account for Dynamic Analysis scans cannot access these areas of the application, either disable the appropriate permission on the account or use the URL-Specific Allowlist and Blocklist option to block access.
Expand the scope of the scan
If the scope of your scan configuration is too narrow, it can miss areas of the web application that contain vulnerabilities.
Include subdomains
If your web application has subdomains that require security testing, ensure you add the URLs for these subdomains to the allowlist. During scanning, the crawler can use the URLs to transition from one subdomain to the next without running into access issues. When you include all required subdomains in the same scan, you can generate a single report for the entire web application.
Include directories and subdirectories
If the content of a web application is organized by directories on the same root domain, configure the Directory Restrictions options to specify the directories and subdirectories you want to scan.