Request manual penetration testing
You can request Manual Penetration Testing (MPT) to have Veracode perform real-world attacks on your application in a runtime environment. Each MPT test identifies security findings (flaws and vulnerabilities) in your applications and publishes the results to the Veracode Platform.
About MPT
Penetration testing provides the following benefits:
- Identifies design flaws.
- Exploits vulnerabilities.
- Chains combinations of lower-impact flaws into higher-impact vulnerabilities.
- Determines if identified flaws affect the confidentiality, integrity, or availability of the application.
The objectives of a web-focused penetration assessment include using proprietary or public tools to:
- Assess how vulnerabilities might be exploited against a target while building a running profile of the attack methods discovered.
- Execute test cases to confirm each vulnerability and attempt to determine its impact on the business.
- Customize and expand attack payloads to account for the specifics of the target's implementation and environment.
- Analyze captured data for vulnerability patterns, interpret the results, and develop remediation recommendations.
Human testers identify unorthodox ways of attacking applications and infrastructures to understand the design and functionality, complex authorization processes, and business logic requirements that might not be possible for computing systems to replicate today. These insights enable developers to secure their applications and infrastructure against a broader range of attacks.
Veracode recommends that your organization use Veracode Manual Penetration Testing in conjunction with other automated security assessments such as Veracode Static Analysis, Dynamic Analysis, and SCA to ensure maximum coverage from your security program.
Veracode uses industry standards for classifying and reporting manual penetration test vulnerabilities, including:
- Common Vulnerability Scoring System (CVSS) v3
- Common Weakness Enumeration (CWE)
- Common Attack Pattern Enumeration and Classification (CAPEC)
Details of Veracode Manual Penetration Testing are available in the methodology section of the Veracode Detailed PDF Report and Customizable PDF Report.
Veracode performs all Manual Penetration Testing according to industry-standard testing methodologies where applicable. The following table describes testing types, methodologies, and vulnerability types that form the foundation of Veracode MPT.
Test type | Methodology | Vulnerabilities |
---|---|---|
Web application/API | PTES (Penetration Testing Execution Standard), OWASP Testing Guide | OWASP Top 10 and CWE Top 25 |
Mobile application | PTES (Penetration Testing Execution Standard), OWASP Mobile Security Testing Guide | OWASP Mobile Top 10 |
Desktop or thick-client applications | PTES (Penetration Testing Execution Standard), OWASP recommended testing guidance and best practices | Application logic, code injection, local storage, binary exploitation and reverse engineering, excessive privileges, unencrypted storage of sensitive information, unencrypted transmission of sensitive information, weak encryption implementations, weak assembly controls, weak GUI controls, weak or default passwords |
Internet of things (IoT) and embedded systems | PTES (Penetration Testing Execution Standard), OWASP IoT Testing Guide and other industry best practices | OWASP IoT Top 10 |
Infrastructure and Operations (DevOps Penetration Testing) | PTES (Penetration Testing Execution Standard), NIST SP 800-115, PCI DSS 11.3 (for PCI engagements) | Can vary depending on scope and rules of engagement |
Request MPT
To request Manual Penetration Testing (MPT), contact your Veracode account manager or sales team.
Access MPT results
Veracode MPT test results provide the findings identified in your applications and are available from the Veracode Platform. We publish the results after each test.
To access MPT test results for an application, go to the Applications explore in Veracode Analytics or use the Reporting API.
MPT tests involve an initial test of your application to identify the first set of MPT findings, followed by retests to identify newly introduced findings and to update the status of findings from previous tests.
MPT Flaw Matching
The MPT Flaw Matching feature evaluates findings from successive MPT tests of the same application. It identifies recurring findings across multiple tests and links the matched instances together. This link ensures that all instances of the same finding across successive tests trace back to the original test in which it was first identified.
MPT Flaw Matching adds the following information to findings:
- A status, such as New or Fixed.
- Consistent flaw IDs for each finding across test results. When we identify the same MPT finding in multiple tests of the same application, all instances inherit the flaw ID from the first time we found it.
- First found dates that display the publication date of the test in which we first identified the finding.
First found date
The first found date indicates when a finding was first identified during a test. The value is the publication date of the test results from the test in which we found the finding. For example, if we run tests in January, February, and March, and the January test found two findings that remain open, those findings appear in the March test results with a first found date of January.
Any findings identified before the release of MPT Flaw Matching might have inaccurate first found dates.
Because MPT findings retain their first found dates, you can include them in the remediation grace periods of any security policies applied to your applications. Grace periods provide teams flexibility in meeting security compliance goals before certain findings impact the application’s policy score.
MPT finding statuses
In the results, each MPT finding shows one of the following status values.
- New: findings identified for the first time in the latest test. All findings from the initial test show a New status.
- Open: unresolved findings that were identified in a previous test and again in the latest test. Open findings retain their original flaw IDs (assigned the first time they were identified) and their first found dates. Any New findings identified during an initial or subsequent test that we also identify in the latest test change to Open status.
- Fixed: resolved findings identified in a previous test but not in the latest test. Fixed findings retain their original flaw IDs (assigned the first time they were identified) and their first found dates.
- Closed: findings that we did not identify during two successive tests. When a finding is Closed, we remove it from the results in Veracode Platform Analytics and reports.
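To make the flaw matching lifecycle concrete, here is a small Python model of the rules described in this section: flaw IDs inherited from the first test that found a finding, first found dates taken from that test's publication date, and the New, Open, Fixed and Closed transitions across successive tests. It is an added example, not Veracode's implementation. The matching key (CWE plus location), the sample findings and the publication dates are constructed assumptions, and because the page does not say how a Fixed or Closed finding that reappears is handled, the model's choice there (revert to Open with the original flaw ID) is also an assumption.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Matching key: CWE id plus location. Constructed for this example; the page
# does not state which attributes are used to match findings between tests.
Key = Tuple[int, str]


@dataclass
class RawFinding:
    """One finding as reported by a single test, before matching."""
    cwe: int
    location: str


@dataclass
class TrackedFinding:
    """A finding as it appears in published results after flaw matching."""
    flaw_id: int
    cwe: int
    location: str
    first_found: str        # publication date of the test that first found it
    status: str             # "New", "Open", "Fixed" or "Closed"
    missed_tests: int = 0   # consecutive tests in which it was not identified


class FlawMatcher:
    """Applies the status lifecycle across successive tests of one application."""

    def __init__(self) -> None:
        self._tracked: Dict[Key, TrackedFinding] = {}
        self._next_id = 1

    def publish(self, published_on: str, raw: List[RawFinding]) -> List[TrackedFinding]:
        """Process one published test and return the findings shown in its results."""
        seen = {(f.cwe, f.location) for f in raw}

        # Carry forward findings known from earlier tests.
        for key, tf in self._tracked.items():
            if key in seen:
                # Identified again: Open, keeping the original flaw ID and
                # first found date. Reappearance after Fixed or Closed is not
                # specified on the page; reverting to Open is an assumption.
                tf.status = "Open"
                tf.missed_tests = 0
            else:
                tf.missed_tests += 1
                # Missed once: Fixed. Missed in two successive tests: Closed.
                tf.status = "Fixed" if tf.missed_tests == 1 else "Closed"

        # Findings not seen in any earlier test get a fresh flaw ID and this
        # test's publication date as their first found date.
        for f in raw:
            key = (f.cwe, f.location)
            if key not in self._tracked:
                self._tracked[key] = TrackedFinding(
                    flaw_id=self._next_id, cwe=f.cwe, location=f.location,
                    first_found=published_on, status="New")
                self._next_id += 1

        # Closed findings stay known to the matcher but are removed from results.
        # Snapshots are returned so later tests do not alter earlier results.
        visible = [tf for tf in self._tracked.values() if tf.status != "Closed"]
        return [replace(tf) for tf in sorted(visible, key=lambda tf: tf.flaw_id)]


def run_example() -> Dict[str, List[TrackedFinding]]:
    """Three successive tests; findings and dates are constructed sample data."""
    matcher = FlawMatcher()
    sqli = RawFinding(cwe=89, location="/login?user")
    xss = RawFinding(cwe=79, location="/search?q")
    idor = RawFinding(cwe=639, location="/account/{id}")
    traversal = RawFinding(cwe=22, location="/download?file")
    results: Dict[str, List[TrackedFinding]] = {}
    # Initial test: every finding is New.
    results["jan"] = matcher.publish("2024-01-31", [sqli, xss, idor])
    # Retest: idor no longer identified -> Fixed; sqli and xss -> Open.
    results["feb"] = matcher.publish("2024-02-29", [sqli, xss])
    # Retest: idor missed a second time -> Closed and dropped; one New finding.
    results["mar"] = matcher.publish("2024-03-31", [sqli, xss, traversal])
    return results


if __name__ == "__main__":
    for test, findings in run_example().items():
        print(test)
        for f in findings:
            print(f"  flaw {f.flaw_id}: CWE-{f.cwe} {f.location} "
                  f"{f.status} (first found {f.first_found})")
```

In the March results the two January findings still carry flaw IDs 1 and 2 and a first found date of 2024-01-31, which is exactly the example given under "First found date"; the finding missed in both February and March has gone through Fixed to Closed and no longer appears.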
About historical MPT findings
MPT Flaw Matching does not support any findings identified in a given application before the release of the flaw matching feature. These findings continue to show an Open status, and results from the latest test replace the results from the previous test.
To start using the benefits of MPT Flaw Matching on an application that you tested previously, you must run a new test on the given application. When we publish the results of the first new test, all findings will have a New status.