Crashtest Security Quickstart
Four short steps to get started with automated penetration testing: log in, create a scan target, verify the scan target, and start the scan.
Step 1: Log in
To use the Crashtest Security Suite, log in with your user credentials at https://www.crashtest.cloud. You will be automatically redirected to the Create Scan Target page. If you see an empty dashboard, you can always select Plus or Create New Scan Target to create your first scan target.
Step 2: Create a Scan Target
Define the following scan target parameters.
Define the Scan Target Type
Define the type of project you want to scan.
- Multi-Page Application: a traditional application written in a server-side programming language. This quick setup covers a multi-page application project.
- JavaScript Application: a web application that heavily uses JavaScript as a client language. These web applications usually load data asynchronously using AJAX or are built as Single Page Applications (SPAs).
- Application Programming Interface (API): choose between REST API and Microservice Architecture. You need a Swagger 2.0 or OpenAPI 3.0 file for this type of project, which describes the API for proper scanning. See API scanning. If you need help with the setup, contact Veracode Technical Support for specific guidance on your situation.
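A local pre-flight check for the API scan target type, added here as an example (it is not Crashtest Security or Veracode code and not a requirement stated by the product): it confirms that a spec file is Swagger 2.0 or OpenAPI 3.0 and that it declares the Protocol and URL you plan to enter as scan target details. The function names and sample specs are constructed for illustration, and the spec is assumed to be JSON (convert a YAML spec first).

```python
import json
from urllib.parse import urlsplit

def classify_spec(spec):
    """Return 'swagger-2.0' or 'openapi-3.0'; raise ValueError for anything else."""
    if spec.get("swagger") == "2.0":
        return "swagger-2.0"
    version = spec.get("openapi")
    if isinstance(version, str) and version.startswith("3.0."):
        return "openapi-3.0"
    raise ValueError(f"unsupported spec version (swagger={spec.get('swagger')!r}, openapi={version!r})")

def declared_origins(spec):
    """Collect the scheme://host[:port] origins the spec declares for the API."""
    if classify_spec(spec) == "swagger-2.0":
        # Swagger 2.0 splits the location into "schemes" and "host".
        host = spec.get("host", "")
        return {f"{s}://{host.lower()}" for s in spec.get("schemes", []) if host}
    origins = set()
    for server in spec.get("servers", []):  # OpenAPI 3.0 uses full server URLs
        parts = urlsplit(server.get("url", ""))
        if parts.scheme and parts.netloc:  # relative URLs carry no origin
            origins.add(f"{parts.scheme}://{parts.netloc.lower()}")
    return origins

def check_spec(spec_text, protocol, url):
    """Return a list of problems; an empty list means the spec matches the target."""
    try:
        spec = json.loads(spec_text)
        origins = declared_origins(spec)
    except (ValueError, AttributeError) as exc:  # bad JSON, wrong version, wrong shape
        return [f"spec rejected: {exc}"]
    problems = []
    wanted = f"{protocol}://{url.lower()}"
    if not origins:
        problems.append("spec declares no absolute origin to compare with the scan target")
    elif wanted not in origins:
        problems.append(f"scan target {wanted} is not among spec origins {sorted(origins)}")
    if not spec.get("paths"):
        problems.append("spec lists no paths, so there is nothing to scan")
    return problems

# Constructed sample specs (assumed names and hosts, not a real API).
SWAGGER2 = '{"swagger": "2.0", "host": "staging.example.test", "schemes": ["https"], "paths": {"/users": {}}}'
OPENAPI30 = '{"openapi": "3.0.3", "servers": [{"url": "https://staging.example.test/v1"}], "paths": {"/users": {}}}'
OPENAPI31 = OPENAPI30.replace("3.0.3", "3.1.0")

if __name__ == "__main__":
    print(check_spec(OPENAPI31, "https", "staging.example.test"))
```

A mismatch between the spec's declared origin and the scan target is worth resolving before a Full Scan, since it can mean the spec describes a different environment than the one about to be tested.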
Define the scan target details
Define the basic information about your scan target.
- Title: the name of the scan target, which is shown in the dashboard and PDF report.
- Description: optional text to better identify your scan target.
- Protocol: the protocol which will be used to scan your project (i.e., "http" / "https").
- URL: the domain name or IP address of the scan target. The security scanners will run all tests on this URL.
Define Scan Target Scope
Define the scope for the scan you want to run.
- Quick Scan: This setting ensures that only the non-invasive scanners, such as fingerprinting, TLS/SSL, and Port Scan, will be executed.
- Full Scan: This choice executes all security scanners and should only be performed on easily reproducible staging systems with no live customer data. The scanners might damage the tested system. Possible damage includes, but is not limited to, the following:
  - Sending arbitrary form requests that may pollute databases with random data.
  - Creating workload spikes that might impact the experience of other users when multiple requests are performed at the same time. You can adjust this with the throttle setting.
  - Publishing production data (which might contain privacy-sensitive customer data) through altering SQL database requests.
See the full list of scanners and an overview of their settings.
Step 3: Verify Your Scan Target
To run a full scan, you will need to verify that you own or are associated with the scan target. This step ensures that unauthorized personnel cannot run extensive vulnerability scans on your web application or API.
There are four ways to verify your scan target:
- File upload
- API endpoints
- DNS verification
- Manual verification
For more information, see How to verify a scan target.
Step 4: Start the Scan
You are almost done! After you create the scan target, it appears in the scan target list on your dashboard. Now you are ready to start your first scan. Select Start.
Alternatively, you can open the scan target page by clicking on the project name and then Start Scan.
The next step in your journey to continuous security is interpreting your scan results.
If you have feedback, contact Veracode Technical Support.