Manage sandboxes

You can perform all sandbox management tasks in the Veracode Platform.

You can also manage sandboxes using the Development Sandbox REST API.

Create a sandbox

You can create a sandbox to provide a temporary store of your security analysis of an application.

Before you begin:

If you have the Sandbox User, Creator, Security Lead, or Sandbox Administrator role, you can create sandboxes.

note

The sandbox feature is not available to third-party vendors whose software we scan on behalf of an enterprise.

You access the Sandboxes page from the left navigation menu on the Application page. The Sandboxes page for each application contains two views:

  • My Sandboxes
  • Everyone's Sandboxes

Everyone who has access to this application and has the correct sandbox permissions can create sandboxes for the application. You can change the view between the list of all sandboxes and the list of only your sandboxes.

To complete this task:

  1. Go to the application, then select Sandboxes in the left navigation menu.
  2. On the Sandboxes page, select Create Sandbox.
  3. In the Create Sandbox window, enter the name of your new sandbox.
  4. If you are in time-to-live mode and want the sandbox re-created automatically when its expiration period starts, select the Automatically re-create this sandbox when the seven-day expiration period starts checkbox. Your new sandbox now appears in the My Sandboxes and Everyone's Sandboxes lists.
  5. To edit the sandbox name, select next to the name.
  6. To go to the overview page for that sandbox, select the sandbox name in the list. The number of remaining sandboxes appears in the Sandboxes section of the Application page and on the Sandboxes page.

Start a sandbox scan

You can start a scan of an existing sandbox to measure the results against policy rules.

To complete this task:

  1. To go to the overview page, from the list of sandboxes, select the required sandbox name.
  2. Select Start a Scan, then select the scan type you want to run.
  3. Follow the same procedure as for running formal policy scans.
  4. To review which sandbox scans are still running and which have finished, from the left navigation of the application, under Sandbox Scans, select In Progress or Completed.

note

You can run a maximum of 10 concurrent sandbox scans. To view the number of scans currently running, open the profile for your application and select Sandboxes in the left navigation bar.

Review sandbox scan results

You can access the results from sandbox scans to review the findings.

Flaw matching occurs when you perform two scans of the same application. The Veracode Platform compares the results of the second scan to the first scan to identify any findings that might be identical between the two scans.

Before you begin:

If you have the Creator, Submitter, Reviewer, Security Lead, or Sandbox Administrator role, you can view sandboxes.

To complete this task:

  1. From your application left navigation, select Sandbox Scans.
  2. To go to the scan overview page for that scan, select the name of the scan. If you have an Enhanced Support subscription, you can select Schedule a Consultation on the Sandbox Results page to schedule a consultation call with a Veracode Application Security Consultant to help interpret the findings in your application.

Mitigating flaws in sandbox scans

You can mitigate flaws found in sandbox scans.

You can validate the security of your application using a development sandbox scan before you submit a policy scan that counts towards your policy compliance score. Alternatively, you have the option to promote a sandbox scan to a policy scan that counts toward your policy compliance score.

To view which flaws in your sandbox scan affect your policy, select the Fix for Policy filter in the Triage Flaws page of your scan results.

If you choose to use the promote functionality, designate one sandbox to use for promotion purposes. Apply all mitigations to the latest scan of the complete application and only promote the sandbox designated for promotion. When you are satisfied with the security posture of the application scanned in the designated development sandbox, you can promote the most recent development sandbox to policy.

You can create other sandboxes to test newer versions of your application or individual components of an application. However, we recommend that you do not promote these sandboxes.

When you promote a sandbox scan to a policy scan, you also promote any mitigations of flaws found in the sandbox scan, regardless of whether the mitigation status is proposed, rejected, or accepted. Sandbox scans inherit mitigations from previous scans of the same application. When you promote a sandbox scan, the mitigation status of each flaw in the promoted scan becomes the mitigation status of that policy scan.

Promote a sandbox scan

After completing a sandbox scan, you have the option to promote the sandbox scan to a policy scan that counts toward your policy compliance score. You can perform a sandbox scan as part of integration testing to validate the security of your application and, then, promote the sandbox scan to a policy scan.

We recommend that you designate one sandbox to test different versions of code or components of an application. To achieve policy compliance, apply all mitigations to the scan results designated for promotion. Then, only promote scans from this sandbox.

When you promote a sandbox scan to a policy scan, the Veracode Platform applies the score of that scan against the policy. You can have multiple sandboxes to scan the different components of your application. However, when you promote a sandbox scan, that scan must contain the entire application.

Sandbox scans of individual components of an application analyze only a small part of the application and do not have the full context of the application. Some findings can only be detected by analyzing the interaction between files or libraries, which requires scanning the entire application.

note

Before promoting a scan, verify that you have uploaded all the modules of the full application.

Before you begin:

The sandbox scan you want to promote must meet these conditions:

  • The scan is the most recent.
  • The scan is no more than 60 days old.

To complete this task:

  1. On the application overview page, from the left navigation, select Sandboxes.

  2. Select the name of the sandbox you use for promotion.

  3. Select the name of the most recent scan.

    note

    If the most recent scan is in progress or incomplete, you cannot promote an earlier scan from the same sandbox.

  4. Select , then select Promote Scan.

  5. If you want to delete this sandbox from your application upon promotion, select the Delete Associated Sandbox checkbox. Deleting the sandbox helps you avoid having an excessive number of sandboxes, which can make results difficult to review. The additional sandboxes count toward your sandbox limit.

  6. Select Promote to promote the scan.

    After you promote the scan, it appears in the Policy Evaluation section of the application page and the list of completed policy scans. The name of the scan is appended with (Promoted) to indicate that you promoted it from a sandbox to a policy scan. All data exports include the flaw data from promoted sandbox scans. You can also view the flaw data in Veracode Analytics.
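The promotion conditions above (most recent scan, no more than 60 days old, the note in step 3 about an in-progress latest scan, and the note about uploading the full application) can be checked before anyone selects Promote Scan. The following is an added example, not Veracode's own code or API; the `SandboxScan` fields, scan names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

MAX_SCAN_AGE_DAYS = 60  # promotion age limit stated in the sandbox documentation


@dataclass
class SandboxScan:
    """Constructed model of one sandbox scan; field names are hypothetical, not the Veracode API's."""
    name: str
    started: date
    completed: bool
    full_application: bool  # all modules of the full application were uploaded


def promotion_blockers(scans, candidate, today):
    """Return the reasons the candidate scan cannot be promoted; an empty list means eligible."""
    reasons = []
    if not scans:
        return ["sandbox has no scans"]
    latest = max(scans, key=lambda s: s.started)
    if candidate is not latest:
        reasons.append(f"{candidate.name} is not the most recent scan ({latest.name} is)")
        if not latest.completed:
            # Step 3 note: an in-progress latest scan blocks promotion of every earlier scan.
            reasons.append(f"most recent scan {latest.name} is in progress or incomplete")
    elif not candidate.completed:
        reasons.append(f"{candidate.name} is still in progress or incomplete")
    age = (today - candidate.started).days
    if age > MAX_SCAN_AGE_DAYS:
        reasons.append(f"{candidate.name} is {age} days old; limit is {MAX_SCAN_AGE_DAYS}")
    if not candidate.full_application:
        reasons.append(f"{candidate.name} does not contain the entire application")
    return reasons


# Constructed sample: one sandbox with three scans, reviewed on a hypothetical date.
TODAY = date(2024, 6, 1)
SCANS = [
    SandboxScan("build-101", date(2024, 3, 15), completed=True, full_application=True),
    SandboxScan("build-118", date(2024, 5, 20), completed=True, full_application=True),
    SandboxScan("build-120", date(2024, 5, 30), completed=False, full_application=True),
]


def eligible_scans(scans=SCANS, today=TODAY):
    """Map each scan name to its list of blockers (empty list = promotable)."""
    return {s.name: promotion_blockers(scans, s, today) for s in scans}


if __name__ == "__main__":
    for name, blockers in eligible_scans().items():
        print(name, "eligible" if not blockers else "; ".join(blockers))
```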

Results:

While a scan is being promoted, it shows the Promote in Progress status until the promotion finishes. The promotion might take some time, depending on the number of findings in the scan.

When you rescan a promoted scan, the Veracode Platform resets the scan status to Promote in Progress until the rescan is complete.