EASM quickstart
This quickstart guides you through running your first External Attack Surface Management (EASM) scan and sending discovered targets to DAST Essentials. Use EASM to identify, assess, and reduce risks across externally facing assets through continuous discovery, analysis, and integration with existing security workflows.
To run your first EASM scan, complete the following tasks:
- Meet the prerequisites
- Sign in to the Veracode Platform
- Access EASM
- Add items to the scan queue
- Start the scan
- Review the scan items
- Send discovered targets to DAST Essentials
Prerequisites
To complete this quickstart, ensure the following requirements are met:
- You have a Veracode user account in the Commercial or European Region with the Security Lead and Project Admin roles. If you need an account, contact your Veracode Administrator.
- The IP addresses, IP ranges, domains, FQDNs, or URLs that you add must be reachable from the public internet and not behind a firewall.
Sign in to the Veracode Platform
To sign in to the Veracode Platform, use one of the following methods:
- If you have a new Veracode account, you received a welcome email containing a link to activate your account in the Veracode Platform. If you did not receive the welcome email, contact your Veracode Administrator.
- If you have an active Veracode account, sign in to the Veracode Platform using the domain for your region. If your organization uses a Single Sign-On (SSO) portal such as Okta, you can also access the Veracode Platform with SSO.
Access EASM
- In the Veracode Platform, select Scans and Analysis > EASM.
Add items to scan queue
Add IP addresses, IP ranges, domains, FQDNs, or URLs to the scan queue. You can add items manually or upload a CSV file containing a list of items.
To complete this task:
- Select the Settings icon.
- In the Test scan workqueue tab, select ADD ITEM.
- To add items, choose one of the following methods:
  - Add items manually: in the Name field, enter the IP address, IP range, domain, FQDN, or URL.
  - Upload a CSV file: select a CSV file from File Explorer. The file can contain a list of domains, FQDNs, URLs, or IP addresses. Use the provided template to ensure proper formatting. To download the template, in the pop-up window, select Click here to download an example file.
- Select ADD. The items appear in the Items tab with default attributes. For example, each item is assigned a trust level from 0 to 100. This level indicates how confident EASM is that the asset belongs to your organization. Items that are manually added are automatically assigned a trust level of 100.
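As an added example (not Veracode's code or its CSV template), the following Python script sanity-checks a seed list before you paste it into the Name field or upload it: it classifies each line as an IP address, IP range, domain/FQDN, or URL, and rejects entries that cannot be externally facing targets (private, loopback, link-local, and shared-address-space ranges), which the prerequisites exclude. The one-item-per-line CSV layout, the `SAMPLE_CSV` contents, and the non-public address list are assumptions for illustration; use the template from the ADD ITEM dialog for the actual upload.

```python
from __future__ import annotations

import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Address blocks that can never be externally facing targets (assumption: RFC 1918,
# loopback, link-local, unspecified, shared address space, IPv6 ULA). Documentation
# ranges such as 203.0.113.0/24 are deliberately not listed so the sample below runs.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_hostname(value: str) -> bool:
    """True for a syntactically valid domain or FQDN with at least two labels."""
    value = value.rstrip(".")
    if not value or len(value) > 253 or "." not in value:
        return False
    labels = value.split(".")
    return all(_LABEL.match(label) for label in labels) and not labels[-1].isdigit()


def non_public(net) -> bool:
    """True if any part of the network falls in a non-public block of the same IP version."""
    return any(b.version == net.version and net.overlaps(b) for b in _NON_PUBLIC)


def classify_item(raw: str) -> tuple[str, str]:
    """Classify one seed item: (kind, detail), kind in ip, ip_range, hostname, url, invalid."""
    value = raw.strip()
    if not value:
        return "invalid", "empty line"
    if "://" in value:
        parts = urlsplit(value)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https") or not host:
            return "invalid", "URL needs an http(s) scheme and a host"
        try:
            ipaddress.ip_address(host)
        except ValueError:
            if not is_hostname(host):
                return "invalid", f"URL host {host!r} is not a valid hostname"
        else:
            if non_public(ipaddress.ip_network(host, strict=False)):
                return "invalid", f"URL host {host} is not publicly routable"
        return "url", value
    try:
        net = ipaddress.ip_network(value, strict=False)  # single IPs parse as /32 or /128
    except ValueError:
        net = None
    if net is not None:
        if non_public(net):
            return "invalid", f"{net} is not publicly routable, so it cannot be an external asset"
        if net.prefixlen == net.max_prefixlen:
            return "ip", str(net.network_address)
        return "ip_range", str(net)
    if is_hostname(value):
        return "hostname", value.lower().rstrip(".")
    return "invalid", "not an IP address, CIDR range, hostname or http(s) URL"


def check_seed_list(csv_text: str) -> dict[str, list[str]]:
    """Group the first column of each CSV row by item kind; invalid entries carry the reason."""
    groups: dict[str, list[str]] = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue
        kind, detail = classify_item(row[0])
        entry = detail if kind != "invalid" else f"{row[0].strip()}: {detail}"
        groups.setdefault(kind, []).append(entry)
    return groups


# Constructed sample seed list: example.com/.net are reserved names, 203.0.113.0/24
# is a documentation range, and the last four lines are deliberately unusable.
SAMPLE_CSV = """example.com
www.example.net
https://shop.example.com/login
203.0.113.10
203.0.113.0/24
10.0.0.5
192.168.1.0/24
ftp://files.example.com
not a host
"""

if __name__ == "__main__":
    for kind, items in check_seed_list(SAMPLE_CSV).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run it over your own list before uploading; everything under `invalid` either needs a scheme, is malformed, or sits in an address block that the scanner could never reach from the outside.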
Start a scan
Scan your organization's assets using the items in the scan queue. The first scan runs with default settings. You can customize subsequent scans by changing the scan settings.
To complete this task:
- Select the Run icon.
- In the dropdown menu, for Scan Type, select New test. EASM starts a new scan using the existing work queue and generates an updated set of scan results.
- Select the scan mode from the dropdown menu. To scan a specific item within the same domain, select Static. To scan all assets related to your organization, select Deep Discovery. The Deep Discovery scan provides a broader view of your organization's digital footprint.
- Select LAUNCH SCAN.
Review scan items
After a scan completes, review the results in the Test scan workqueue tab of the Settings module. A sortable, filterable table lists all discovered items as your new work queue.
To complete this task:
- Select the Settings icon.
- In the Test scan workqueue tab, review the items in the table.
- To view the trust score of an item, locate it in the table. In the Trust column, view the assigned score, which ranges from 1 to 100. The trust score indicates Veracode's confidence that the item belongs to your organization. Manually added items have a trust score of 100.
- Review the items to ensure that all discovered items are associated with your organization. Items with a trust score above 50 are automatically included in scan results, and items with a trust score of 50 or lower are excluded. Use sort and filter to review items with a trust score above 50 and toggle off any that do not belong to your organization. Then, check items with a trust score of 50 or lower and toggle on those that do belong to your organization. Update scans as needed.
- To remove items that are not needed, in the Actions column of the table, select the delete icon. Deleted items may reappear in the work queue if they are rediscovered in future scans.
- To manually override the inclusion of an item in the scan results, locate it in the table. In the Use column, toggle the switch. After making manual changes, update the current test. To view insights from the scan results, go to the Dashboard.
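As an added example (not Veracode's code), the following Python models the review rule above: inclusion defaults to a trust score above 50, a Use toggle overrides the default in either direction, and manually added items carry a trust score of 100. Given the domains your organization owns, it proposes the toggles the procedure asks you to set (off for high-trust items you do not own, on for low-trust items you do) and reports which items will be in the scan results. The `QueueItem` record, `OWNED_DOMAINS`, and the sample queue are constructed for illustration; the Test scan workqueue table in the Veracode Platform is the source of truth.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

TRUST_THRESHOLD = 50  # quickstart rule: above 50 included by default, 50 or lower excluded


@dataclass
class QueueItem:
    """One row of the Test scan workqueue table (assumed layout)."""
    name: str                      # IP address, IP range, domain, FQDN or URL
    trust: int                     # Trust column, 0..100
    manually_added: bool = False   # manually added items are assigned a trust score of 100
    use: Optional[bool] = None     # Use column: None = default rule, True/False = set by a reviewer

    def __post_init__(self) -> None:
        if self.manually_added:
            self.trust = 100
        if not 0 <= self.trust <= 100:
            raise ValueError(f"trust out of range for {self.name}: {self.trust}")


def included(item: QueueItem) -> bool:
    """Whether the item lands in the scan results: a Use toggle wins, otherwise the trust rule applies."""
    if item.use is not None:
        return item.use
    return item.trust > TRUST_THRESHOLD


def host_of(name: str) -> str:
    """Hostname part of a queue item; URLs lose scheme, port and path."""
    if "://" in name:
        return (urlsplit(name).hostname or "").lower()
    return name.lower().rstrip(".")


def is_owned(item: QueueItem, owned_domains: set[str]) -> bool:
    """Suffix match against domains the organization owns (IP items never match)."""
    host = host_of(item.name)
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def propose_overrides(items: list[QueueItem], owned_domains: set[str]) -> dict[str, bool]:
    """Follow the review procedure: recommend toggling off high-trust items that are not
    yours and toggling on low-trust items that are. Items a reviewer already toggled are
    skipped. The result is a recommendation to confirm in the UI, not an automatic change."""
    proposals: dict[str, bool] = {}
    for item in items:
        if item.use is not None:
            continue
        above = item.trust > TRUST_THRESHOLD
        owned = is_owned(item, owned_domains)
        if above and not owned:
            proposals[item.name] = False
        elif not above and owned:
            proposals[item.name] = True
    return proposals


def apply_proposals(items: list[QueueItem], proposals: dict[str, bool]) -> None:
    """Set the Use toggle on the matching items (what a reviewer does in the table)."""
    for item in items:
        if item.name in proposals:
            item.use = proposals[item.name]


def scan_targets(items: list[QueueItem]) -> list[str]:
    """Names of the items that will be in the scan results, sorted for stable output."""
    return sorted(item.name for item in items if included(item))


OWNED_DOMAINS = {"example.com"}  # assumption: what the organization owns


def make_sample_queue() -> list[QueueItem]:
    """Constructed work queue for illustration."""
    return [
        QueueItem("www.example.com", 92),
        QueueItem("cdn-shared.example-hosting.net", 73),       # high trust, not ours
        QueueItem("legacy.example.com", 40),                   # low trust, ours
        QueueItem("old-vendor-site.example.org", 30),          # low trust, not ours
        QueueItem("https://portal.example.com/login", 50),     # exactly 50: excluded by default
        QueueItem("api.example.com", 0, manually_added=True),  # becomes trust 100
        QueueItem("staging.example.com", 88, use=False),       # reviewer already toggled off
    ]


if __name__ == "__main__":
    queue = make_sample_queue()
    proposals = propose_overrides(queue, OWNED_DOMAINS)
    for name, toggle in proposals.items():
        print(f"{'toggle on ' if toggle else 'toggle off'}: {name}")
    apply_proposals(queue, proposals)
    print("in scan results:", ", ".join(scan_targets(queue)))
```

Two details worth noting: an item scored exactly 50 is excluded until you toggle it on, and a reviewer's existing toggle is never second-guessed by the suffix match, so a deliberate "off" on an owned host (the staging site above) survives the triage.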
Send discovered targets to DAST Essentials
After you identify suitable applications for DAST scanning, enroll them in the DAST Candidates security program.
To complete this task:
- Select the dashboard icon.
- At the top of the page, use the dropdown and select Things.
- To refine the results, from the top-right corner, use the dropdown and select Applications. Applications suitable for DAST scans are displayed.
- Review the discovered applications and evaluate the following attributes:
- Determine whether the application is publicly accessible.
- Identify the detected technologies, frameworks, and platforms in use.
- Assess any existing security risks, vulnerabilities, or compliance concerns.
- Evaluate the business criticality based on the domain or functionality.
- To select the web applications that you want to scan with DAST Essentials, select the checkboxes in the corresponding rows.
- At the top-right corner of the page, select EDIT SELECTED.
- In the Bulk edit panel that appears, select Security program Onboarding > ONBOARD ITEM.
- From the Select security program dropdown, select DAST Candidates. Configure any additional enrollment parameters if prompted.
- Select ONBOARD ITEM.
- Select the scan icon.
- From the dropdown, select Update the current test.
- Select LAUNCH SCAN. A notification confirms that the selected applications were sent to DAST Essentials. You can also view the status in the Sync status column.