Configure Quick scan targets
On the Configure target page in the Veracode Platform, you can fine-tune the in-depth settings of a Quick scan that uses Veracode DAST. The automation settings in particular let you use DAST to its fullest extent and get started with continuous security testing (also referred to as "DevSecOps").
If your target uses Enterprise mode (Full scan), see the configuration options for web applications or APIs.
Access configuration settings
Before you begin:
You must have created a target you want to configure.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans & Analysis > DAST. The Target list page opens.
- Select a target, then select CONFIGURE.
- Select from the following tabs.
General
Update the target's name or URL. You can also select the team that can access the target and scan results, update the target's description, and link the scan results to an application profile.
Duration
Crawler mode
Adjust the crawler mode to define whether the smart crawling should try to detect forms that appear on multiple sites and only scan them once to reduce the scan duration.
You can choose between the following crawling methods:
- The Smart Crawling mode tries to detect forms that appear on multiple sites (e.g., a search form) and scans them only once to reduce the scan duration. Depending on the implementation of your web application, this might reduce the scan coverage if an identical form appears on multiple sites but is processed differently. Choose Exhaustive Crawling if this is the case.
- The Exhaustive Crawling mode scans each detected form for vulnerabilities, so forms appearing on multiple sites are scanned individually each time. This might significantly increase the scan duration but can increase the detection rate.
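As an added illustration of the trade-off between the two modes (constructed example, not Veracode's own crawler code), the following Python snippet deduplicates discovered forms by a fingerprint of action, method and input names, which is how a smart crawler treats a site-wide search form as one form; the page URLs and form fields are made up.

```python
"""Smart vs. exhaustive form selection, illustrating the coverage trade-off.
Constructed example; fingerprinting logic is assumed, not Veracode's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Form:
    page_url: str   # page on which the crawler found the form
    action: str     # form action URL
    method: str     # GET or POST
    fields: tuple   # input names


def form_fingerprint(form: Form) -> tuple:
    """Identity used by the smart mode: same action, method and inputs means
    'the same form', regardless of which page rendered it."""
    return (form.action, form.method.upper(), tuple(sorted(form.fields)))


def select_forms_to_scan(forms, mode="smart"):
    """Return the forms the scanner would test, in discovery order.
    'exhaustive' tests every occurrence; 'smart' tests each fingerprint once."""
    if mode == "exhaustive":
        return list(forms)
    if mode != "smart":
        raise ValueError(f"unknown crawler mode: {mode}")
    seen, selected = set(), []
    for form in forms:
        fp = form_fingerprint(form)
        if fp not in seen:
            seen.add(fp)
            selected.append(form)
    return selected


# Constructed crawl result: a search form rendered in the header of every page,
# plus a contact form on a single page.
DISCOVERED_FORMS = [
    Form("https://app.example/", "/search", "get", ("q",)),
    Form("https://app.example/about", "/search", "get", ("q",)),
    Form("https://app.example/contact", "/contact", "post", ("name", "email", "message")),
    # Looks identical to the header search form; if the /products page handled it
    # differently server-side, smart mode would still skip it (the coverage loss
    # the text warns about), while exhaustive mode tests it.
    Form("https://app.example/products", "/search", "GET", ("q",)),
]

if __name__ == "__main__":
    for mode in ("smart", "exhaustive"):
        chosen = select_forms_to_scan(DISCOVERED_FORMS, mode)
        print(f"{mode}: {len(chosen)} form(s) -> {[f.page_url for f in chosen]}")
```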
Throttling
Adjust the throttling threshold to limit the maximum number of requests per second sent to scan your server. Consider that the threshold influences the scan duration and that certain scanners require a minimum threshold.
You can control and personalize the scanner speed. The crawler is the limiting factor for most scans, especially when scanning complex applications. Because DAST attempts to reach every corner of your application, it works very thoroughly, which sometimes means a scan takes longer.
DAST provides several options for you to increase the speed of the scanner:
- Increase the throttle limit from 200 requests per second to a load your server can handle. Ensure you add the DAST IP addresses to the allowlist of your firewall.
- Reduce the scope of the scan. To block the scanners from scanning certain areas of your web application that might cause the crawler to run for a long time, such as forums or websites with several selectable elements, add the URLs for these areas to a list of blocked URLs.
- Group similar URLs. This option works well in combination with reducing the scope. Although the scanner deduplicates automatically, it can help to group certain areas and URLs of your web application together. This is especially important for extensive web applications with many similar pages (e.g., online shops). Grouped URLs can be configured in the target configuration.
Max scan duration
URL Configuration
Configure which URLs to include or exclude from scanning. See DAST URL Configuration.
Authentication
If your system is protected by authentication, you can specify the needed authentication to access the system.
HTTP Basic authentication
If HTTP basic authentication, or .htaccess protection, is enabled, add your credentials. See HTTP basic authentication.
Form-based authentication
For an analysis of a web application, if your application has a login form, add the sign-in URL and credentials. See Form-based authentication.
Parameter Authentication
Configure HTTP headers, GET parameters, local storage, session storage or cookies for authentication. You might use this authentication for scanning an API. See Parameter authentication.
Automation
Configure a scanning schedule for this target.
Integrations
Integrate this target with your development tools, such as CI/CD pipelines or ticketing systems.
For example, your build system can start a security scan automatically.
Select an integration and follow the instructions to create a webhook.
Notifications
Integrate this target with your chat tools, such as Slack.
For example, this target can notify you when an analysis is complete.
Select an integration and follow the instructions to create a webhook.