Veracode Manual Penetration Testing
Veracode Manual Penetration Testing (MPT) involves Veracode's human security testers (penetration testers, or pentesters) attacking your live, in-production applications and infrastructure to test the security of those assets.
Testers perform an initial test of your application or infrastructure to identify the first set of MPT findings, then retest the same assets to identify newly introduced findings and to update the status of findings from previous tests.
Testers use these attacks to exercise the design and functionality of the assets, complex authorization processes, and business-logic requirements that automated tools cannot fully replicate today.
Key benefits
Penetration testing provides the following benefits.
- Identifies design flaws.
- Evaluates environmental conditions.
- Exploits vulnerabilities.
- Chains combinations of lower-impact flaws in code into higher-impact vulnerabilities in the live application.
- Determines whether identified findings affect the confidentiality, integrity, or availability (CIA) of the asset.
Request penetration testing
To request Manual Penetration Testing (MPT), contact your Veracode account manager or sales team.
To ensure maximum coverage from your security program, we recommend that your organization use MPT tests in conjunction with other automated security assessments, such as Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis (SCA), and Container Security.
The test results provide details about the detected security findings and are available to your organization from the Veracode Platform.
DevOps Penetration Testing
In addition to manual testing of an application, you can request Veracode DevOps Penetration Testing for the following assets.
These tests address the penetration-testing requirements of PCI DSS (requirement 11.3 in v3.2.1, renumbered 11.4 in v4.0) and GDPR Article 32.
Infrastructure
Veracode uses Open Source Intelligence (OSINT) techniques to find vulnerabilities in the following infrastructure components.
- Datacenter attack surfaces (your own or cloud-based), including:
  - Architecture that hosts applications
  - Border-security devices
  - Communication systems (PBX and routing)
  - Unknown or rogue servers or services
  - Microservices and their interactions
- Major sources of data leaks and breaches, such as:
  - Misconfigured AWS S3 buckets
  - Exposed MongoDB instances
  - Exposed Elasticsearch databases
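In concrete terms, a "misconfigured S3 bucket" is usually a bucket policy that allows a wildcard principal without a condition that narrows the caller, or an ACL that grants to the AllUsers or AuthenticatedUsers group. The following offline check is an added example, not Veracode's tooling or methodology: it evaluates a constructed weak policy beside a corrected one. The bucket name, the account ID and the VPC endpoint ID are placeholders, and the list of restricting condition keys is a simplification of the rule AWS applies when it decides whether a policy is public.

```python
"""Added example: flag public-access grants in an S3 bucket policy or ACL (offline)."""
import json

# Condition keys that narrow *who* can call. AWS's own public-access determination
# follows the same idea (a wildcard-principal Allow is public unless restricted by
# keys like these); this set is an assumption that simplifies that rule.
RESTRICTING_KEYS = {
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn",
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:userid", "s3:dataaccesspointaccount", "s3:dataaccesspointarn",
}

# ACL grantee groups meaning "everyone" and "any AWS account" respectively.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _wildcard_principal(stmt):
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _caller_restricted(stmt):
    """True if any condition uses a key that limits the calling identity or network."""
    for operator_block in (stmt.get("Condition") or {}).values():
        if any(key.lower() in RESTRICTING_KEYS for key in operator_block):
            return True
    return False


def public_policy_statements(policy):
    """Return [(Sid, [actions])] for Allow statements usable by anyone on the internet."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [
        (s.get("Sid", "<no Sid>"), _as_list(s.get("Action")))
        for s in statements
        if s.get("Effect") == "Allow"
        and _wildcard_principal(s)
        and not _caller_restricted(s)
    ]


def public_acl_grants(acl):
    """Return [(group URI, permission)] for grants to the AllUsers/AuthenticatedUsers groups."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


# Constructed sample documents (placeholder bucket, account ID and endpoint ID).
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
  {"Sid": "TlsOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
   "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}""")
# TlsOnly is still public: aws:SecureTransport limits *how*, not *who*.

FIXED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppRoleRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
  {"Sid": "VpcEndpointRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
  {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")

WEAK_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    print("weak policy:", public_policy_statements(WEAK_POLICY))
    print("fixed policy:", public_policy_statements(FIXED_POLICY))
    print("weak ACL:", public_acl_grants(WEAK_ACL))
```

The corrected policy shows the two usual fixes: name the principal explicitly, or keep the wildcard but bind it to a caller-restricting key such as aws:SourceVpce. A Deny on aws:SecureTransport is a useful hardening, but it does not make an Allow non-public, which is why the check ignores it. In practice you would feed this the output of `get-bucket-policy` and `get-bucket-acl` and also check the account's Block Public Access settings, which override both.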
Operations
Veracode uses Open Source Intelligence (OSINT) techniques to analyze GitHub repositories and Stack Overflow activity for the following.
- Exposed credentials
- Exposed sensitive data related to application development
- Job boards
- Information that exposes developers or the organization to targeted phishing or social-engineering attacks
- Other potential problem areas
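Finding exposed credentials in a repository comes down to pattern matching over committed text, with an entropy check to separate real secrets from placeholders. The scanner below is an added example, not Veracode's tooling: it runs a few rules over a constructed in-memory "repository". The AWS key pair is the example pair AWS publishes in its documentation, and the GitHub token and private key are fabricated strings with the right shape; none of them are live credentials.

```python
"""Added example: scan repository-style text for exposed credentials."""
import math
import re
from collections import Counter

# Ordered rules: the first rule that matches a line wins, so specific patterns
# take precedence over the generic "secret-looking assignment" rule.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    # user:password@host embedded in a connection URL
    ("url_credentials", re.compile(r"\b[a-z][a-z0-9+.\-]*://[^/\s:]+:([^@\s]+)@")),
    # <secret-ish name> = <value>; the value is entropy-checked in scan_text()
    ("high_entropy_assignment", re.compile(
        r"(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[=:]\s*['\"]?([A-Za-z0-9+/_\-]{16,})")),
]
ENTROPY_THRESHOLD = 3.5  # bits per character; random keys sit well above this


def shannon_entropy(s):
    """Shannon entropy in bits per character (0.0 for a single repeated character)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text):
    """Return one finding per flagged line: {"file", "line", "rule", "match"}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if name == "high_entropy_assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                continue  # long but low-entropy value, e.g. a placeholder
            findings.append({"file": path, "line": lineno, "rule": name, "match": m.group(0)})
            break
    return findings


def scan_files(files):
    """files: {path: text}. Returns findings across all files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents (no live credentials).
SAMPLE_FILES = {
    ".env": "\n".join([
        "DATABASE_URL=postgres://app:changeme@db/app",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",          # AWS documentation example key
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    ]),
    "config/settings.py": "\n".join([
        "import os",
        'API_KEY = os.environ["API_KEY"]  # read at runtime: nothing to flag',
        'SESSION_SECRET = "aaaaaaaaaaaaaaaaaaaaaaaa"  # long but low-entropy: filtered out',
    ]),
    "deploy/id_rsa": "\n".join([
        "-----BEGIN OPENSSH PRIVATE KEY-----",
        "b3BlbnNzaC1rZXktdjEAAAAAAAAAAAAAAAAAAAAA",   # fabricated body
        "-----END OPENSSH PRIVATE KEY-----",
    ]),
    "scripts/deploy.sh": 'curl -H "Authorization: token ghp_0123456789abcdefghijABCDEFGHIJ012345" https://api.github.com/user',
    "README.md": "Set API_KEY in your environment before running the app.",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['match']}")
```

Two design points matter more than the regexes themselves. First, scan every commit, not just the working tree: a secret that was committed and then removed is still in history. Second, the entropy gate keeps `SESSION_SECRET = "aaaa…"` out of the report but cannot tell a real key from a plausible-looking placeholder, so production scanners pair it with an allowlist for known example values and require a rotation step for anything that is confirmed.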
Time-boxed Penetration Testing
In some situations, time constraints, budget, or strategic planning might require you to limit the level of effort spent on penetration testing.
When you need results fast, Veracode Time-boxed Testing focuses on providing the most value for the time available. You can customize MPT to focus on high-priority, business-relevant flaws; for example, on higher-risk classes such as injection, authentication, and authorization flaws.
Review the test results
Veracode MPT test results provide the findings (flaws) identified in your applications and infrastructure, and are available from the Veracode Platform after each test is complete.
The Veracode Platform can generate a report that includes manual assessment results from MPT scans or code reviews. These results differ from the results of automated scans in several important ways, including their objectives, the attack vectors used, and the attack patterns exercised.
Because discovered findings and their status (such as Open, Closed, or Resolved) can change between scans, you might need to correlate related flaws for the same application across scans. See MPT Flaw Matching.
Using the Veracode Platform
MPT results are available in the following locations in the Veracode Platform.
- The Results page for a scanned asset
- Veracode Analytics
- Veracode Reports