Veracode Internal Scanning Management (ISM) is a simplified approach to web application scanning for applications hosted within a corporate firewall that cannot be reached from the public internet. ISM allows Veracode to bring uniformity to the scanning of external and internal applications for Veracode Dynamic Analysis users.
- Provide access to the Veracode IP address: to enable Veracode to perform scans, your application must be accessible from the Veracode IP address 184.108.40.206. This access may require creating a staging or test environment to host your application, making configuration changes to your firewall rules, and performing other IT activities. When you run a Dynamic Analysis, the scan traffic arrives from this IP address, so you must add it to your allowlist.
- Verify connectivity: ensure the target URLs you want to scan are externally accessible and, if your site requires authentication, the login and password for access to the websites are accurate before you start a Dynamic Analysis. After you submit the scan, Veracode performs a connection and login verification if a login is configured.
- Verify user roles: you must have the Creator, Submitter, or Security Lead role to be able to create, configure, or submit a Dynamic Analysis. Any member of the team associated with the Dynamic Analysis is able to view the analysis and its results.
- Configure your ISM gateway and endpoint according to:
The steps in this use case configure a Dynamic Analysis for scanning using Veracode Internal Scanning Management with authentication. The URL is behind a firewall and is not externally accessible.
- From the Veracode Platform, go to .
- Click New Dynamic Analysis.
- Enter a name for the Dynamic Analysis. Use a name that uniquely identifies the analysis within your organization, for example, by using in the scan name the team or business unit responsible for this application.
- From the URLs/Applications dropdown menu, select Enter URLs and enter a single URL, such as https://www.example.com, and click Add.
- In the Scanning Certification section, you must select the checkbox to confirm that your organization has the right to scan the URLs you have provided.
After you have created the Dynamic Analysis and entered the URLs to scan, you can optionally provide more configuration information for each URL. If your analysis has several URLs, use the search box to find the one you want to configure.
- Click Configure at the bottom of the page.
- Click the pencil icon at the end of the URL row to edit a specific URL.
There are several options you can change, such as the allowed hosts, blocklisted URLs, and user agent.
In the Blocklist tab of the URL-Specific Blocklist and Allowlist section, click Exclude the following URLs to create a
If you want to ensure that Veracode does not scan specific URLs, you can add them to the analysis blocklist by selecting the option Exclude the following URLs. Enter the filepath or directory path of the URLs you want to exclude from this analysis. If you enter a directory path, everything in that directory and its subdirectories are excluded. You must include the slash at the end of the URL for the analysis to consider it a directory instead of a file.
Based on the information in the following example, the Dynamic Analysis scan engine excludes the URL https://example.com/purchasing.
Add allowed host URLs in the Allowlist tab to ensure Veracode can scan the entire application.
By default, the Dynamic Analysis scan engine scans all subdirectories under the top-level domain. Because Veracode does not automatically scan subdomains, you can include them in the scope of the scan by specifying them in the Allowlist tab. You can also change the scope of the URL scan by excluding the HTTP or HTTPS versions. In the following example, by adding https://api.example.com/mydir/v1, the subdirectory /mydir/v1 in the subdomain api is now in scope. If you want to scan all subdirectories under api, omit the subdirectory and just add https://api.example.com. Veracode recommends that you only add the specific subdirectories that you want to scan instead of adding the entire directory.
On the Configure page, in the Login Settings section, select
There are several ways to provide authentication credentials so Veracode can scan your application.
In the following example, auto-login is selected with a username and password provided.
- Auto-Login
- This method is selected by default as it is the common method for most applications, including simple login forms that have a username, password, and login button. Auto-login also works for browser-generated logins, such as basic authentication and NTLMv2. For NTLMv2, you can include the NetBIOS domain separated from the username with a backslash, for example, DOMAIN\username. You can combine auto-login authentication with basic authentication.
- Login Script
- If your application uses a customized or complex form for its login, you can add login script authentication to auto-login authentication.
- Record and upload a login sequence that Veracode uses to automatically log in to your application. Use this method for multi-step login sequences that contain one or more authentication methods, such as username, password, and PIN. You can also combine login script authentication with basic authentication.
- If you use login script authentication and have uploaded a login script, you can download it at any time to verify its information. Go to the Dynamic Analysis Summary page and click on the URL that has the login script. In the URL Configuration section, click the link in the Login Script field to download the file.
- Client Certificate
- If you want to scan an application that requires a certificate, you upload the certificate and associated password to enable Veracode to access that application. The certificate file must be in the PFX or P12 format.
- Basic Authentication (Browser-generated)
- The basic authentication method provides information for a site that uses basic or browser-generated authentication where the browser prompts you for credentials in its own popup window. Enter the username and password you want Veracode to use. Optionally, you can enter the domain name. You can use this method alone or in combination with the auto-login or login script methods.
- Custom HTTP Header
- HTTP headers enable the client to pass additional information with each HTTP request to the server. An HTTP header consists of its case-insensitive name followed by a colon (:) and by its value. The server ignores any whitespace before the value.
- If your scan requires a specific HTTP header key-value pair to authenticate or correctly view the pages of your website, you can specify custom headers. Each custom header must contain a header name and a header value. You can specify any header name except header names that are forbidden to be specified programmatically, such as the cookie or host header.
Forbidden header names include:
- If you opt to specify a URL for matching purposes, Veracode only sends the header to URLs and their subdirectories that match this specified URL. If you do not specify a URL, Veracode sends the header to the target URL listed in the Dynamic Analysis and any of its subdirectories.
You can use wildcards in the URL. For example:
- https://www.veracode.com matches https://www.veracode.com/home but not http://www.veracode.com or https://veracode.com.
- https://*.veracode.com matches both https://api.veracode.com and https://veracode.com.
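To make the scoping rules concrete, here is an added example (my own illustrative model, not Veracode's scan engine or any Veracode API) that encodes the blocklist directory-versus-file rule, the allowlist subdirectory rule and the custom-header URL matching rule described above, and checks them against the page's own sample URLs. Function names are assumptions.

```python
from urllib.parse import urlsplit


def _split(url):
    """Lower-case scheme and host; an empty path counts as '/'."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower(), parts.path or "/"


def host_matches(pattern_host, host):
    """'*.veracode.com' matches 'api.veracode.com' and also 'veracode.com'."""
    if pattern_host.startswith("*."):
        base = pattern_host[2:]
        return host == base or host.endswith("." + base)
    return pattern_host == host


def path_under(prefix, path):
    """True if path is the prefix itself or lies in one of its subdirectories."""
    prefix = prefix.rstrip("/")
    return path in (prefix, prefix + "/") or path.startswith(prefix + "/")


def header_sent_to(pattern, url):
    """Custom-header URL rule (model): scheme must match exactly (https != http),
    host must match (wildcard allowed), and the request path must be the
    pattern path or one of its subdirectories."""
    ps, ph, pp = _split(pattern)
    us, uh, up = _split(url)
    return ps == us and host_matches(ph, uh) and path_under(pp, up)


def in_allowlist_scope(entries, url):
    """Allowlist rule (model): an entry such as https://api.example.com/mydir/v1
    puts that subdirectory, and everything below it, on that subdomain in scope."""
    return any(header_sent_to(entry, url) for entry in entries)


def blocklist_excludes(entry, url):
    """Blocklist rule (model): an entry ending in '/' excludes the directory and
    all of its subdirectories; without the slash only that exact file is excluded."""
    es, eh, ep = _split(entry)
    us, uh, up = _split(url)
    if es != us or eh != uh:
        return False
    if entry.endswith("/"):
        return path_under(ep, up)
    return up == ep
```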
Select the gateway and endpoint.
- Select the gateway associated with an endpoint that can access the URL. If you select a gateway that is not associated with an accessible endpoint or is not ready for scanning, the Dynamic Analysis fails.
- Select an endpoint that can access the URL. If you select an endpoint that cannot reach the URL or is not ready for scanning, the Dynamic Analysis fails. Endpoints are identified as Ready, Pending, or Offline.
When you are ready to run it, you can start your Dynamic Analysis immediately or schedule it to run at a date up to 60 days in the future.
By default, your Dynamic Analysis is not scheduled. If you do not want to schedule your Dynamic Analysis, when you review and submit it a prescan runs that provides feedback in the Prescan Results tab of the Dynamic Analysis summary page. To schedule a Dynamic Analysis for a date in the future:
- After you create or configure the Dynamic Analysis, click Schedule at the bottom of the screen.
- In the Schedule section, select Once.
- Click the calendar icon and select the date on which you want the scan to start.
- In the Analysis Duration field, enter the maximum number of days you want the Dynamic Analysis to run.
- Click Review and Submit to start your Dynamic Analysis.
From the All Dynamic Analysis Scans list, you can review the schedule of any Dynamic Analysis by clicking the clock icon in the row for that Dynamic Analysis. The respective schedule appears, providing at-a-glance information.
- Go to the Dynamic Analysis Scans page, which lists all your scans and their statuses.
- From the Actions menu at the end of the row, click View Results.
You must have the Creator, Reviewer, or Security Lead role to be able to view the results of a Dynamic Analysis, unless the results are linked to an application that you have permission to view.
The results open in the Triage Flaws view of the selected Dynamic Analysis, listing all the vulnerabilities found and the details.
You can link results from a Dynamic Analysis to an application profile to evaluate the results against policy, and see the results for all types of scans of the application aggregated in a single report.
You must have the Security Lead, Creator, or Submitter user role to be able to link results. You can only link the results of one URL configuration to an application.
Go to the Dynamic Analysis Results tab of the analysis summary page, and select .
The Link to Application window opens.
- Select the application you want to link to from the list. You cannot select an application that is already linked to a URL configuration.
- Click Save.