ISM setup best practices
Consider the following best practices when using ISM gateways and endpoints.
ISM gateways
When setting up and using ISM, we recommend following these best practices for managing your gateway.
Add endpoints to the same gateway
A single gateway is sufficient for connecting all of your endpoints to the Veracode cloud for scanning. There are no performance benefits to using multiple gateways.
If the endpoint cannot connect to the gateway, allow the gateway IP address
If an endpoint fails to connect to your gateway after installing the endpoint, your organization might need to add the gateway IP address to your allowlist.
Monitor emails from Veracode about your gateway
Veracode sends you an email notification when your gateway goes offline and again when it comes back online. If you have any analyses in progress when the gateway goes offline, you must restart them after it comes back online.
You can also monitor the status of your gateway by opening ISM in the Veracode Platform.
ISM endpoints
When setting up and using ISM, we recommend following these best practices for managing your endpoints.
Follow hardening practices
Keep endpoint versions current and secure all credentials. Restrict network access wherever possible.
Use diagnostics and logs
Before you run a scan, review ISM logs or use the diagnostic tool to confirm connectivity and readiness.
Install one endpoint in each network in which you want to scan
We recommend installing one endpoint in each network in which you scan your internal applications or APIs. For example, if you have applications deployed in multiple data centers, install a separate endpoint in each data center.
Each endpoint is capable of supporting at least 30 concurrent scans, though a strong network connection and powerful server can improve this capability. If you reach or approach the limit to the capability of your endpoint machine, a LOG.info message about thread limits or an OutOfMemoryError message about Java memory might appear in the endpoint logs.
Scans wait in a queue only when you reach your scan capacity.
Deploy endpoints close to targets
Install ISM in the same data center or VPC as the application to reduce latency.
Example: If your application runs in AWS us-east-1, deploy the ISM endpoint in the same region.
Install endpoints with the endpoint installer
On Windows and Linux, the endpoint installer simplifies the installation process and creates a service that continuously runs the endpoint.
For manual installations, run endpoints as a service
If you manually install an endpoint, configure your machine to run the endpoint as a service.
Install endpoints close to the targets
To minimize network latency, install your endpoints in close proximity to the applications or REST APIs you plan to scan with the endpoint.
Do not try to install the same endpoint in multiple networks
You encounter an error if you attempt to run the same endpoint in more than one network. Create a new endpoint for each network in which you scan internal applications or REST APIs.
If an endpoint goes offline, restart it
- Windows machines: Open the Services application from the Windows start menu, find the Veracode_ISM service, and select Start the service or Restart the service.
- Linux machines: From the command line, enter `service Veracode_ISM status` to get the status of the ISM service. If it is running, enter `service Veracode_ISM stop` to stop it. After it stops, enter `service Veracode_ISM start` to start it.
- Manual installations: Restart the endpoint JAR file from the command line.
If the endpoint does not come back online, contact Veracode Technical Support.
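The Linux restart sequence above (check status, stop if running, start, confirm) can be scripted so that an operator gets a clear pass/fail result instead of reading three commands by hand. The following POSIX sh script is an added example and is not a Veracode script; it assumes the `Veracode_ISM` service reports "running" through a zero exit status from `service Veracode_ISM status`, and the `SERVICE_CMD` override is an assumption added here so the logic can be exercised without the real service installed.

```shell
#!/bin/sh
# Added example (not Veracode's own tooling): restart the ISM endpoint service
# on Linux following the status -> stop -> start sequence, then confirm it is up.
# SERVICE_CMD is an assumed override of the system "service" command so the
# function can be exercised with a stand-in where Veracode_ISM is not installed.

ISM_SERVICE="Veracode_ISM"

# ism_is_running: succeeds (exit 0) when "service Veracode_ISM status" reports
# the service as running. Assumes the init script follows the usual convention
# of a zero exit status for "running" and non-zero for "stopped".
ism_is_running() {
    "${SERVICE_CMD:-service}" "$ISM_SERVICE" status >/dev/null 2>&1
}

# restart_ism_service: stop the endpoint service only if it is running, start
# it, then verify it came back. Returns 0 when the endpoint is running
# afterwards and 1 when it is not, which is the cue to contact
# Veracode Technical Support.
restart_ism_service() {
    if ism_is_running; then
        echo "$ISM_SERVICE is running; stopping it first"
        "${SERVICE_CMD:-service}" "$ISM_SERVICE" stop
    else
        echo "$ISM_SERVICE is not running (offline endpoint)"
    fi

    echo "starting $ISM_SERVICE"
    "${SERVICE_CMD:-service}" "$ISM_SERVICE" start

    if ism_is_running; then
        echo "$ISM_SERVICE is back online"
        return 0
    fi

    echo "$ISM_SERVICE did not come back online; contact Veracode Technical Support" >&2
    return 1
}

# Run only when executed directly with "run" as the first argument, so the
# functions can also be sourced into another script.
if [ "${1:-}" = "run" ]; then
    restart_ism_service
fi
```

Run it as `sh restart_ism.sh run` on the endpoint host with sufficient privileges; a non-zero exit status means the endpoint is still offline after the restart attempt.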
Monitor emails you receive from Veracode about your endpoints
Veracode sends an email notifying you when an endpoint goes offline and comes back online. In cases where an inconsistent network connection causes your endpoint to become unstable, repeatedly switching between online and offline, you receive a single email alerting you of the instability. After you receive the endpoint instability email, Veracode suspends notifications about the endpoint for 24 hours to avoid sending redundant email alerts.
You can also monitor the status of your endpoints on the gateway page of the Veracode Platform.