
Veracode DAST

Veracode DAST is a Dynamic Application Security Testing (DAST) solution that quickly assesses the security risks of your web applications and APIs.

DAST performs attacks against your web applications or APIs, mimicking the actions of an attacker, to identify possible attack vectors. The attacks do not harm your applications: DAST does not delete data or issue destructive database statements such as DROP TABLE.

DAST checks whether these attack vectors can be exploited, reports these risks as vulnerabilities, and provides guidance for you to mitigate or resolve these vulnerabilities and prevent future attacks.

To get started, see the DAST quickstart.

Benefits

You can use DAST to:

  • Gain comprehensive visibility into your application attack surface. DAST integrates with EASM to analyze web application perimeters and identify web applications within defined IP address ranges or on known hosts.
  • Continuously scan for vulnerabilities and monitor flaws in real time.
  • Set up scans more flexibly, including scanner selection and AI-Assisted Login for complex authentication flows.
  • Define and manage policies for securing your web applications and APIs.
  • View analysis results that you can use to make informed plans, communicate performance metrics, and produce the evidence necessary to meet regulatory requirements.
  • Work efficiently with a modern, intuitive user experience built for streamlined security workflows.

Prerequisites

Before using DAST, ensure you meet the prerequisites.

Preparing your assets for scanning

Ensure your web application or API is in a state where the scan won't interrupt service, and you can go back to a working state in case of any issues during the scan:

  • Ensure that you have permission to conduct a security scan against your application. Talk to all people concerned with the application, such as developers, product owners, or the infrastructure team.
  • Inform the monitoring team about the security scan so that the scan traffic does not trigger a real alert or incident response when the scan starts.
  • When running invasive security scans, such as the Full scan scope, scan your application on a test or staging system instead of the production system.
  • Do a backup before the vulnerability scan so that you can roll back the system to a working state if needed.
  • Create a dedicated test user for the vulnerability scan so that the data the scan creates stays separate from your other (test) data and can be identified and cleaned up afterwards.

Discover assets

To discover your organization's web applications and APIs that you can scan with DAST, use Veracode EASM. EASM is integrated with DAST.

Access DAST

To access DAST, sign in to the Veracode Platform and select Scans & Analysis > DAST. Then, create an analysis.

You can also automate dynamic scanning tasks using the REST API. For additional testing coverage of your web applications and APIs, consider contacting Veracode to schedule penetration testing on your assets.

Scan scope

The scan scope defines the vulnerability scanners that run during scanning. DAST provides two scan scopes: Quick scan and Full scan (Enterprise mode).

note

We recommend only running Full scans on a dedicated staging or test system, and not on live or production applications.

Quick scan

A Quick scan only runs non-invasive scanners to scan your infrastructure, including SSL/TLS configurations, fingerprinting, ports, and HTTP headers.

To change the selected scanners, configure the target and select the Scanners tab.

You can safely run Quick scans in production or live environments, and the scans typically take approximately two to five minutes to complete.

To run a Quick scan, see the DAST quickstart.
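The passive checks a Quick scan runs (HTTP headers, fingerprinting) can be illustrated with a small header review. The script below is an added example and is not Veracode code; the header list, the one-year HSTS threshold and the fingerprint headers are this example's own choices, not DAST scanner rules. It sends at most one HEAD request and no attack payloads, which is what makes such a check safe against production.

```python
"""Non-invasive HTTP response header review, in the spirit of a DAST
Quick scan: it reads response headers only and sends no attack payloads.

Added example, not Veracode code. Header names and thresholds are this
example's assumptions, not Veracode scanner rules."""
import re
from urllib.request import Request, urlopen

# Headers whose absence a passive check typically reports.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may fall back to plain HTTP",
    "content-security-policy": "CSP missing: no browser-side control over script sources",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}
# Headers that leak server fingerprint information (assumed list).
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
ONE_YEAR = 365 * 24 * 3600


def review_headers(headers):
    """Return a list of findings for a dict of response headers.

    Header names are matched case-insensitively; values are checked only
    where a weak value is as bad as a missing header (HSTS max-age, nosniff).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, msg in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(msg)
    hsts = lower.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options set but not 'nosniff'")
    for name in FINGERPRINT_HEADERS:
        if name in lower:
            findings.append(f"{name} discloses '{lower[name]}' (fingerprinting)")
    return findings


def fetch_headers(url, timeout=10):
    """Issue a single HEAD request (no payloads) and return its headers.

    Only use this against hosts you are authorised to scan.
    """
    req = Request(url, method="HEAD", headers={"User-Agent": "header-review-example"})
    with urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample response (not captured from a real target) for offline use.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    # Replace with review_headers(fetch_headers("https://staging.example.test/"))
    # to review a live host you own (hostname is a placeholder).
    for finding in review_headers(SAMPLE_HEADERS):
        print("-", finding)
```

On the constructed sample the review reports a missing CSP, a missing X-Frame-Options, an HSTS max-age of one day, and the Server banner; a fully hardened header set returns no findings.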

Full scan

note

Veracode is deprecating Full scan as part of a transition to Enterprise mode to improve performance. Existing targets can still run Full scan, but new targets will use Quick scan or Enterprise mode instead.

A Full scan is an invasive scan that runs all DAST scanners. Because every scanner sends its own requests and payloads, a Full scan places significant load on the target system.

A Full scan typically completes in four hours or less, but the scan might take longer if you have an extensive application.

Important

Because invasive security scanners can degrade performance or modify live data on production systems, we recommend Full scans for test or development systems only.

To change the selected scanners, configure the target.

To limit the number of scan requests, adjust the Throttling setting.

Factors that affect scan times

Several factors can increase the time it takes for scans to complete, such as:

  • The number and types of scanners run.
  • The number of found attack vectors.
  • Network performance.
  • The number of web pages or API endpoints.
  • The amount of content on each web page.
  • The target configuration, such as the settings on the Duration and URL Configuration tabs on the Configure target page.
  • Pages whose paths the crawler cannot group because of their complex structure, so each variant is crawled and tested separately. To avoid this, configure the target and add those URLs to the Blocked URLs section on the URL Configuration tab. This reduces the scan scope before the scan starts.

If your web application or API is relatively small, and scans take a long time to complete, you might need to contact Veracode Technical Support.

Scan internal web apps and APIs

To analyze web applications and APIs behind a firewall, set up Internal Scanning Management (ISM).