Dynamic Analysis updates

The updates on this page apply to the following Veracode Dynamic Application Security Testing (DAST) products and features. Updates that apply to specific Veracode regions show a region icon.

July 15, 2024

Improved target configuration pages in DAST Essentials

DAST Essentials has a new look and feel for target configuration. Additionally, you can now switch between non-invasive quick scans and invasive full scans.

June 27, 2024

API Scanning now supports Postman Collections

You can now upload and scan Postman Collections in the Veracode Platform.

May 15, 2024

ISM endpoint 24.5.5

This update includes performance improvements to Internal Scanning Management (ISM). To install this endpoint, you must have Java 21 or greater.

March 28, 2024

Improved pause and resume scheduling

You can now schedule an analysis to pause and resume on specific days of the week, during specific periods, or both.

December 19, 2023

Web application and API scans now support multi-factor authentication

You can now configure web application scans and API scans to use time-based one-time password (TOTP) seeds for URLs that require multi-factor authentication (MFA). You can also configure TOTP with the REST API.

December 12, 2023

ISM endpoint 23.12.1

  • The endpoint now supports Java 21.
  • Adds virtual threading functionality to improve performance and stability. Before you can use this functionality, you must upgrade to Java 21.

November 27, 2023

Free trial of DAST Essentials

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

November 15, 2023

Introducing DAST Essentials

DAST Essentials is a new Dynamic Application Security Testing (DAST) product that provides rapid and resilient DAST scanning of web applications and REST APIs, a user-friendly interface, and seamless CI/CD pipeline integration. To get started, see the quickstart.

September 25, 2023

Web application and API scans now support custom cookies

You can now configure web application scans and API scans to use one or more custom cookies for authentication.

May 9, 2023

ISM endpoint 23.5.0

Added executable scripts that update the JAVA_HOME path for the endpoint.

April 25, 2023

ISM endpoint 23.4.2

  • The endpoint now supports environments where the target host is on the same host as the client.
  • Source code files now include a copyright header.

February 27, 2023

Set URL Scan Settings at the Organization Level

You can now use the Dynamic Analysis REST API to set URL scan settings for all analyses and scans in an organization.

February 17, 2023

New Manual Resume Feature for Paused Analyses

Veracode Dynamic Analysis adds a new feature that enables you to manually resume a scheduled analysis from a paused state. This feature is only available upon request. To add this feature to your account, contact Veracode Technical Support.

January 20, 2023

Renamed URL Scan Status Messages

Veracode has renamed and changed the descriptions for the following URL scan status messages for Dynamic Analysis. The new names more accurately describe the issues that caused these status messages to appear in the Veracode Platform.

  • Killed - Partial Results Available is now Lockout - Partial Results Available.
  • Killed - Verifying Partial Results is now Lockout - Verifying Partial Results.

December 19, 2022

ISM endpoint 22.12.3

  • Fixed an endpoint issue that caused threads to lock up until the ISM tunnel closes.
  • Improved endpoint logging that Veracode Technical Support can use for troubleshooting.

October 21, 2022

ISM available for Dynamic Analysis

Internal Scanning Management (ISM) is now available for Veracode Dynamic Analysis of web applications and API specifications in the European Region.

October 18, 2022

API Scanning Adds Support for Scriptable Request Modification

Veracode API Scanning adds a new option for using JavaScript to modify an HTTP request, at runtime, when authenticating with a remote host.

October 5, 2022

New Similarity Threshold for Web Applications

When configuring an analysis of a web application, you can now set a threshold for ignoring similar web pages during the analysis.

September 7, 2022

Dynamic Analysis Now Creates Screenshots for Consecutive Login Failures

The Veracode scan engine now creates a verification screenshot if it is unable to log in to a target application after 50 attempts. The screenshot image shows when and where in the scanning process the failed login attempts occurred. You can use this information for troubleshooting.

August 2, 2022

New Historical Details for Dynamic Analyses and Scans

You can now view detailed information about all past occurrences of both a dynamic analysis and its scans.

July 28, 2022

Dynamic Analysis available for European Region

Veracode Dynamic Analysis is now available in the European Region. If you have a Veracode Dynamic Analysis subscription, you can now perform dynamic analysis security testing and API testing against public-facing web applications and APIs.

May 18, 2022

Re-Enabled Pause and Resume for Scheduled Analyses

When scheduling a Dynamic Analysis, you can now set it to pause and resume scanning at specific days and times. Veracode disabled this option on October 7, 2021.

April 28, 2022

New Status Messages for Partial Scan Results

Dynamic Analysis now provides status messages that indicate when Veracode is verifying partial results and when partial results are available for review. Partial results can occur when a scan stops prematurely due to:

  • Errors during scanning
  • Users stopping the scan early
  • The scan exceeding its configured duration

March 23, 2022

API Scanning Adds Support for OpenID Connect to OAuth 2.0

Veracode API Scanning adds a new option to specify an OpenID Connect URL when configuring OAuth 2.0 authentication.

March 10, 2022

Dynamic Analysis Adds Support for Concurrent Browsers Running Dynamic Analysis Scans

Veracode Dynamic Analysis now supports concurrent browsers for running multiple Dynamic Analysis scans at the same time. When configuring a web application scan, you can specify up to 12 concurrent browsers.

March 8, 2022

API Scanning Adds OAuth 2.0 Authentication and Analysis History Options

Veracode API Scanning includes these changes:

  • New option to configure OAuth 2.0 authentication for the API endpoints in your API specifications. You can select either the Client Credentials or Password Credentials grant type.
  • New Associated Analysis field on the API Specification Details page for a given API specification. This field provides options for viewing, reconfiguring, and rerunning previous scans.

March 3, 2022

Dynamic Analysis Now Detects Log4j Vulnerability CWE-115

Veracode Dynamic Analysis can now detect Log4j vulnerability CWE-115 when scanning web applications or API specifications.

February 4, 2022

Updated Dynamic Analysis Scan Engine

The Dynamic Analysis scan engine includes these updates:

  • Updated Chromium to version 98.0.4758.80
  • Log4j security updates
  • Improved connectivity when authenticating with Veracode
  • Fix for insecure cookies that prevented flaw matching

January 25, 2022

ISM endpoint 22.1.10

  • Endpoint upgraded to Log4j 2.17.1 to address security findings.
  • Improved thread management for connection stability.
  • Advanced memory usage diagnostics.

December 21, 2021

ISM endpoint 21.12.13

  • Endpoint upgraded to Log4j 2.17 to address known vulnerabilities CVE-2021-44228 and CVE-2021-45046.
  • Additional libraries upgraded to address security findings.

August 10, 2020

ISM endpoint 20.8.5

  • Endpoint now supports not resolving the hostname when accessing the ISM gateway via proxy. This support enables you to only allow the gateway hostname for outbound HTTPS calls.
  • Endpoint now supports not resolving the hostname when accessing scanned URLs via proxy. This support simplifies proxy configuration if you do not want to access external sites, such as Okta, during the scan.
  • Improved interface for configuring a proxy for the endpoint installer.
  • Endpoint installer supports configuring hostname resolution properties.
  • Java WebSocket library for the endpoint upgraded to version 1.5.1.
  • Endpoint supports specifying a non-default network interface via endpoint properties, including the option to see a list of available network interfaces.
  • Endpoint process name on Linux includes a Veracode identifier.
  • Improved endpoint logging.

March 9, 2020

ISM endpoint 20.3.5

  • Endpoint installer supports client-side Java and 32-bit Java.
  • Endpoint installer supports proxy gateway-only property.
  • Endpoint supports running diagnostics through a DSE tunnel.
  • Endpoint supports new advanced diagnostics options.
  • Consolidated direct diagnostic options and diagnostics options that run through a DSE tunnel.
  • The ISM service from the Windows installer runs under the less privileged LocalService account instead of LocalSystem.
  • Proxy configuration in the installer no longer requires web access to
  • Resolved issue with property merge in the endpoint installer.
  • Improved endpoint memory management and out of memory protection.