Dynamic Analysis updates

The updates on this page apply to the following Veracode Dynamic Application Security Testing (DAST) products and features. Updates that apply to specific Veracode regions show a region icon.

March 27, 2025

DAST Essentials Enterprise mode

DAST Essentials Enterprise mode is now available. It enhances the security testing of web applications and APIs by integrating with the Veracode Platform, significantly improving policy enforcement and analytics. Analyses conducted using Enterprise mode offer the following benefits:

  • Additional authentication configuration: Includes support for login scripts, scanner variables, and client certificates for web applications, as well as Scriptable Request Modifications (SRM) for APIs.
  • Improved API specification management: Users can now upload or dynamically reference API specifications with ease.
  • Internal Scanning Management (ISM): Enables scanning of web applications and APIs hosted behind a corporate firewall.

October 22, 2024

ISM endpoint 24.10.0

This update introduces the proxy exclusion list, which includes hosts that bypass the configured proxy settings. By default, all traffic routes through the proxy except for hosts on the exclusion list.

September 19, 2024

Public REST API for DAST Essentials

The DAST Essentials Target Configuration Service REST API is now available. Use this API to automate the management of DAST Essentials targets and trigger analyses.

July 15, 2024

Improved target configuration pages in DAST Essentials

DAST Essentials has a new look and feel for target configuration. Additionally, you can now switch between non-invasive quick scans and invasive full scans.

June 27, 2024

API Scanning now supports Postman Collections

You can now upload and scan Postman Collections in the Veracode Platform.

May 15, 2024

ISM endpoint 24.5.5

This update includes performance improvements to Internal Scanning Management (ISM). To install this endpoint, you must have Java 21 or greater.

March 28, 2024

Improved pause and resume scheduling

You can now schedule an analysis to pause and resume on specific days of the week, during specific periods, or both.

Previous updates

2023 updates

December 19, 2023

Web application and API scans now support multi-factor authentication

You can now configure web application scans and API scans to use time-based one-time password (TOTP) seeds for URLs that require multi-factor authentication (MFA). You can also configure TOTP with the REST API.

December 12, 2023

ISM endpoint 23.12.1
  • The endpoint now supports Java 21.
  • Adds virtual threading functionality to improve performance and stability. Before you can use this functionality, you must upgrade to Java 21.

November 27, 2023

Free trial of DAST Essentials

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

November 15, 2023

Introducing DAST Essentials

DAST Essentials is a new Dynamic Application Security Testing (DAST) product that provides rapid and resilient DAST scanning of web applications and REST APIs, a user-friendly interface, and seamless CI/CD pipeline integration. To get started, see the quickstart.

September 25, 2023

Web application and API scans now support custom cookies

You can now configure web application scans and API scans to use one or more custom cookies for authentication.

May 9, 2023

ISM endpoint 23.5.0

Added executable scripts that update the JAVA_HOME path for the endpoint.

April 25, 2023

ISM endpoint 23.4.2
  • The endpoint now supports environments where the target host is on the same host as the client.
  • Source code files now include a copyright header.

February 27, 2023

Set URL Scan Settings at the Organization Level

You can now use the Dynamic Analysis REST API to set URL scan settings for all analyses and scans in an organization.

February 17, 2023

New Manual Resume Feature for Paused Analyses

Veracode Dynamic Analysis adds a new feature that enables you to manually resume a scheduled analysis from a paused state. This feature is only available upon request. To add this feature to your account, contact Veracode Technical Support.

January 20, 2023

Renamed URL Scan Status Messages

Veracode has renamed and changed the descriptions for the following URL scan status messages for Dynamic Analysis. The new names more accurately describe the issues that caused these status messages to appear in the Veracode Platform.

  • Killed - Partial Results Available is now Lockout - Partial Results Available.
  • Killed - Verifying Partial Results is now Lockout - Verifying Partial Results.

2022 updates

December 19, 2022

ISM endpoint 22.12.3
  • Fixed an endpoint issue that caused threads to lock up until the ISM tunnel closes.
  • Improved endpoint logging that Veracode Technical Support can use for troubleshooting.

October 21, 2022

ISM available for Dynamic Analysis

Internal Scanning Management (ISM) is now available for Veracode Dynamic Analysis of web applications and API specifications in the European Region.

October 18, 2022

API Scanning Adds Support for Scriptable Request Modification

Veracode API Scanning adds a new option for using JavaScript to modify an HTTP request, at runtime, when authenticating with a remote host.

October 5, 2022

New Similarity Threshold for Web Applications

When configuring an analysis of a web application, you can now set a threshold for ignoring similar web pages during the analysis.

September 7, 2022

Dynamic Analysis Now Creates Screenshots for Consecutive Login Failures

The Veracode scan engine now creates a verification screenshot if it is unable to log in to a target application after 50 attempts. The screenshot image shows when and where in the scanning process the failed login attempts occurred. You can use this information for troubleshooting.

August 2, 2022

New Historical Details for Dynamic Analyses and Scans

You can now view detailed information about all past occurrences of both a dynamic analysis and its scans.

July 28, 2022

Dynamic Analysis available for European Region

Veracode Dynamic Analysis is now available in the European Region. If you have a Veracode Dynamic Analysis subscription, you can now perform dynamic analysis security testing and API testing against public-facing web applications and APIs.

May 18, 2022

Re-Enabled Pause and Resume for Scheduled Analyses

When scheduling a Dynamic Analysis, you can now set it to pause and resume scanning at specific days and times. Veracode disabled this option on October 7, 2021.

April 28, 2022

New Status Messages for Partial Scan Results

Dynamic Analysis now provides status messages that indicate when Veracode is verifying partial results and when partial results are available for review. Partial results can occur when a scan stops prematurely due to:

  • Errors during scanning
  • Users stopping the scan early
  • The scan exceeding its configured duration

March 23, 2022

API Scanning Adds Support for OpenID Connect to OAuth 2.0

Veracode API Scanning adds a new option to specify an OpenID Connect URL when configuring OAuth 2.0 authentication.

March 10, 2022

Dynamic Analysis Adds Support for Concurrent Browsers Running Dynamic Analysis Scans

Veracode Dynamic Analysis now supports concurrent browsers for running multiple Dynamic Analysis scans at the same time. When configuring a web application scan, you can specify up to 12 concurrent browsers.

March 8, 2022

API Scanning Adds OAuth 2.0 Authentication and Analysis History Options

Veracode API Scanning includes these changes:

  • New option to configure OAuth 2.0 authentication for the API endpoints in your API specifications. You can select to use either the Client Credentials or Password Credentials grant type.
  • New Associated Analysis field on the API Specification Details page for a given API specification. This field provides options for viewing, reconfiguring, and rerunning previous scans.

March 3, 2022

Dynamic Analysis Now Detects Log4j Vulnerability CWE-115

Veracode Dynamic Analysis can now detect Log4j vulnerability CWE-115 when scanning web applications or API specifications.

February 4, 2022

Updated Dynamic Analysis Scan Engine

The Dynamic Analysis scan engine includes these updates:

  • Updated Chromium to version 98.0.4758.80
  • Log4j security updates
  • Improved connectivity when authenticating with Veracode
  • Fix for insecure cookies that prevented flaw matching

January 25, 2022

ISM endpoint 22.1.10
  • The endpoint upgraded to Log4j 2.17.1 to address security findings.
  • Improved thread management for connection stability.
  • Advanced memory usage diagnostics.

2021 updates

December 21, 2021

ISM endpoint 21.12.13
  • The endpoint upgraded to Log4j 2.17 to address known vulnerabilities CVE-2021-44228 and CVE-2021-45046.
  • Additional libraries upgraded to address security findings.

2020 updates

November 24, 2020

New Target URL Search Feature
  • Veracode Dynamic Analysis now allows you to search for individual URL scans in addition to searching for a specific Dynamic Analysis. This capability enables you to easily identify which scans are associated with a specified URL.

CSP Header Checks
  • Veracode Dynamic Analysis now checks for missing or misconfigured script execution policies in Content Security Policy (CSP) headers of web applications.
  • Veracode Dynamic Analysis has expanded its list of known secure cookie attributes, such as SameSite, Secure, and HttpOnly, that are common to cloud infrastructures. Veracode checks web applications for secure cookie attributes on this list before reporting missing attributes as flaws.

August 10, 2020

ISM endpoint 20.8.5
  • The endpoint now supports not resolving the hostname when accessing the ISM gateway via proxy. This support enables you to only allow the gateway hostname for outbound HTTPS calls.
  • The endpoint now supports not resolving the hostname when accessing scanned URLs via proxy. This support simplifies proxy configuration if you do not want to access external sites, such as Okta, during the scan.
  • Improved interface for configuring a proxy for the endpoint installer.
  • The endpoint installer supports configuring hostname resolution properties.
  • Java WebSocket library for the endpoint upgraded to version 1.5.1.
  • The endpoint supports specifying non-default network interface via endpoint properties, including the option to see a list of available network interfaces.
  • The endpoint process name on Linux includes a Veracode identifier.
  • Improved endpoint logging.

For more information, see the endpoint release history.

July 22, 2020

New Video - Configure Dynamic Analysis Login Settings
  • This video describes the different types of authentication that Veracode Dynamic Analysis can require to log in to your application and how to configure your Dynamic Analysis so that Veracode can log in.

June 11, 2020

Crawl Script Support for Comprehensive Scans
  • Veracode Dynamic Analysis now supports the use of prerecorded crawl sequences to supplement the default automated crawling capability of the Veracode scan engine. You must use Selenium to record the crawl scripts and save them in SIDE test suite or HTML formats. Dynamic Analysis runs the crawl script during prescan to check for any commands that might fail during the URL scan.

June 8, 2020

Improved Dynamic Analysis Coverage

Veracode has improved the scan engine coverage with:

  • Increased coverage for CWE 89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection).
  • Increased reporting for SSL issues and updated description and remediation text. The Dynamic Analysis scan engine now reports the use of Cipher Block Chaining (CBC) ciphers, and key exchange algorithms that do not provide perfect forward secrecy (such as RSA with no EDH).

New Screenshot Verifications and Scan Notes Features
  • Veracode Dynamic Analysis now shows additional troubleshooting information on the Prescan Details and Scan Details pages. The new Verification Screenshots section shows screenshots that the Veracode scan engine takes at predetermined points. The Scan Notes section contains observations from the scan engine on issues encountered at runtime or best practices that you can apply to the scan configuration.

Updated Video - Initiate a Dynamic Analysis Prescan
  • This video shows you how to submit a Dynamic Analysis for prescan, what the Dynamic Analysis is testing during prescan, and how to tell if your Dynamic Analysis has passed prescan successfully.

May 26, 2020

Enhanced Access Control for ISM Endpoints
  • Veracode Dynamic Analysis Internal Scanning Management (ISM) provides new options for granting Veracode support engineers access to your endpoints. You can now allow support access for a specific number of days, up to 30, or allow access indefinitely until you choose to disable it.

May 21, 2020

Client Certificate Authentication Support
  • Dynamic Analysis now supports client certificate-based authentication. When you upload your certificate and the associated password, Veracode can log in to websites that require this method of authentication.

Engine JSON Web Token and Obsolete JavaScript Support
  • Dynamic Analysis has added security auditing for JSON Web Tokens (JWT) and obsolete JavaScript resources. JWT auditing detects common flaws, including signature vulnerabilities, in sites that use JWT for authentication. Obsolete JavaScript resource detection reports known-vulnerable libraries, such as older versions of jQuery, through signature matching.

Improved Scan Status Details
  • Veracode Dynamic Analysis now has improved end-user visibility into scan statuses. Additional status information is available in the status fields and columns of the All Analyses, Dynamic Analysis Summary, and URL Scan Summary pages. You now have more detailed information when scans stop due to network issues or because they exceeded the allocated scan duration time.

Updated Video - Create Login Scripts with Selenium
  • This video shows you how to use the Selenium IDE plugin to create a login sequence script that enables Veracode Dynamic Analysis to scan URLs that have form-based authentication.

May 7, 2020

Prescan Workflow Improvements

Veracode has released several improvements to the Dynamic Analysis workflow to enhance these user experiences:

  • The prescan option has moved to the Schedule page. In addition, you can now use the new prescan-only option if you want to verify your configuration before submitting the analysis.
  • There is a new option on the Schedule page that enables you to save your Dynamic Analysis configuration and continue working on it or submit it later.
  • Icons have replaced the menu in the individual rows of the URLs table, providing greater ease of use when you want to edit the configuration, link to an application, or delete the URL.

April 28, 2020

ISM Notifications Include Endpoint Names
  • Emails from Veracode about your ISM endpoints now specify the endpoint names to help with troubleshooting.

April 16, 2020

Scheduling Improvement
  • Veracode Dynamic Analysis now provides the ability to select a start date up to 90 days in the future. This enhancement enables you to initiate a one-time scan immediately as well as schedule a recurring, quarterly scan of the same Dynamic Analysis.

Update to Supported Selenium Commands
  • Dynamic Analysis now supports these Selenium commands: keyUp, keyDown, keyPress, assertTextPresent, waitForElementVisible, and clickAt.

March 31, 2020

Dynamic Analysis User Agent Defaults to Chrome
  • When configuring a Dynamic Analysis, if you do not provide a user agent string for a browser of your choice, the user agent value now defaults to the Chrome browser.

March 30, 2020

Auto-Linking Now Available in Dynamic Analysis
  • Veracode Dynamic Analysis now supports application auto-linking automation at the organization account level. Auto-linking links a Dynamic Analysis scan to an existing application profile. Auto-linking can also automatically create a new application profile to which Dynamic Analysis can link future scans, if you select that option. Linking a Dynamic Analysis to an application enables you to review the policy evaluation, download PDF results, and access the Veracode Links Report.

March 26, 2020

Screenshot Provided for Login Script Errors
  • Veracode Dynamic Analysis now provides troubleshooting information for login script authentication failures. If you have provided a login script, the Prescan Details window links to a screenshot of the associated login errors.

March 17, 2020

Server-Side Request Forgery (SSRF) Attack Support
  • Veracode Dynamic Analysis now enables Server-side Request Forgery (SSRF) attacks by default to find flaws.

Extended Auto-Login Support
  • The Veracode Dynamic Analysis scan engine has improved support for multi-page forms and login pages containing iframes.

March 9, 2020

ISM Endpoint Updated with Advanced Diagnostics

Auto-Login Enhancements
  • Veracode Dynamic Analysis has streamlined authentication configuration with an enhanced auto-login capability. You should use auto-login to provide a username and password for auto-login, browser-generated logins, and NTLMv2. Auto-login is the default setting. A separate, basic authentication section is available to configure authentication for websites that require two forms of authentication: auto-login and browser-generated authentication. Veracode continues to support Selenium-based login scripts with these changes.

Coverage Improvements
  • The latest release of Veracode Dynamic Analysis includes new generic injection techniques in the scan engine and flaw publishing process. Veracode can now detect additional vulnerabilities for CWEs 95, 89, 91, and 74. In addition, SQL Injection, OS Command Injection, Remote File Inclusion (RFI), Server-side Request Forgery (SSRF), XML External Entity (XXE), and Cross-site Scripting (XSS) detection can now attack JSON keys and values in POST bodies by default.

February 21, 2020

New Video - View Dynamic Analysis Results
  • This video shows you how to view Dynamic Analysis results.

February 14, 2020

New Video - Create and Run an Unauthenticated Dynamic Analysis
  • This video shows you how to create, configure, and schedule an unauthenticated Dynamic Analysis.

Row Selection Persistence
  • When you select the number of rows you want to display in the All Dynamic Analyses table, the selection persists even if you navigate away from that table. Your selection persists until you log out.

January 8, 2020

New Auto-Publish Feature

Auto-Publish is now enabled in Veracode Dynamic Analysis to automatically publish some findings, providing quicker results for specific types of vulnerabilities.

  • If every vulnerability found in all URL scans in a Dynamic Analysis meets the criteria for auto-publication, Veracode publishes the findings immediately after the analysis completes.
  • If one or more vulnerabilities require a review by a Veracode scan engineer, then any findings eligible for auto-publication must wait for that review. Veracode publishes all findings together within 24 hours of when the manual review is complete.

Change to Failed Verification Status

Veracode Dynamic Analysis has updated the status definition that displays when any URL scans fail verification for either a connection or authentication issue.

  • When a single URL scan in an analysis fails verification:
    • The URL scan status is Verification Failed.
    • The Dynamic Analysis status is All Verifications Failed.
  • When an analysis with multiple URL scans has one or more of the URL scans fail verification:
    • The failed URL scan status is Verification Failed.
    • The analysis status is Completed - Partial Results Available.

Application Security Platform

View the list below for highlights of previous releases.

December 7, 2020

Additional SCA Details Available from the Findings REST API
  • With the Veracode Findings REST API, you can identify whether Software Composition Analysis findings are from agent-based scans or upload scans and whether they are from a direct or transitive dependency. You can also filter your findings by scan type or dependency type.

November 23, 2020

Updates to the Findings REST API

You can now perform these tasks with the Veracode Findings REST API:

  • Retrieve the expiration date of the remediation grace period for findings that violate a security policy.
  • Retrieve findings with comments or mitigations added after a specific date, such as the date of your most recent scan.

Healthcheck REST API
  • You can use the Veracode Healthcheck REST API to test the availability of Veracode core services.

October 29, 2020

Changes to OWASP Mobile Policy Rules
  • Veracode has updated policy rules that include the OWASP Mobile security standard to reflect additional research. OWASP Mobile policy rules now include these CWEs: CWE-77, 78, 80, 252, 287, 319, 345, 404, 415, 416, 601, 614, 676, 693, 757.

  • Applications that contain these flaws may fail OWASP Mobile policy rules as a result of this update. Veracode will apply the update upon rescan of the application.

Improved Notifications for Delayed Scan Results
  • Veracode has improved communication about delayed scan results. You now receive email notifications that include additional details and links for the affected scan. Veracode has also improved the Veracode Platform to indicate delayed scans that are under investigation.

October 19, 2020

Applications REST API
  • You can now view application data and create, update, and delete applications using the Veracode Applications REST API.

September 30, 2020

Updates to Required Veracode Domains

September 26, 2020

Rolling Sandbox Histories
  • Rolling sandbox histories let you limit sandbox data by restricting the number of retained scans for each sandbox to 15. After more than 15 scans, the Veracode Platform deletes the oldest scan, though the data remains available through Veracode Analytics. If enabled, this feature replaces the previous data limitation method of expiring old sandboxes.

  • To request access to rolling sandbox histories, contact Veracode Technical Support.


Updates to Some XML API Deletion Calls
  • To improve performance, the deleteuser.do, deleteteam.do, deleteapp.do, and removefiles.do XML API calls now return an HTTP 200 response and a change summary, instead of a list of the items remaining after the deletion.
  • You can now share links to Veracode Analytics dashboards, including Veracode dashboards and dashboards that your organization creates. To access a dashboard link, you must log in to the Veracode Platform and have permission to view the data in the dashboard.

Activity Log Updates
  • You can now download a report of the full history of application profile activity, scan activity, and sandbox activity. The activity log in the Veracode Platform now displays activity data for the past 90 days.

Technique Removed from TSRV Format for Accepting Risk
  • Veracode has removed Technique from the TSRV standard when you perform the Accept the Risk mitigation action because none of the techniques are relevant to accepting risk. Specifics, Remaining Risk, and Verification are still required fields.

Updates to CWE Top 25 Policy Rules
  • The Latest CWE Top 25 policy rule in the Veracode Platform now reflects the 2020 CWE Top 25 standard. Veracode has also updated the 2019 CWE Top 25 policy rule to disallow the children of CWE-94: CWE-91, 95, 98, 185, and 830.

September 17, 2020

Improved Business Units Tab
  • On the Administration page in the Veracode Platform, Veracode has improved the usability of the Business Units tab.

September 10, 2020

New Video - Create and Manage API Users in the Veracode Platform

August 29, 2020

All Applications Page Now Available to Mitigation Approver and Delete Scans Roles
  • You can now access the All Applications page in the Veracode Platform with the Mitigation Approver or Delete Scans roles. From the All Applications page, you can then select an application to approve mitigations or delete scans.

CWE-74 Now Disallowed for the OWASP Security Standard
  • Veracode has reclassified CWE-74 "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" as a high severity finding. CWE-74, which Veracode discovers during Dynamic Analysis, is now included on the disallowed CWE IDs list in the latest version of the OWASP security standard. If your organization is using the OWASP 2017 security standard, you may see more findings violating policy or see your application fail policy as a result of this change.

Support for MITRE CWE List Version 4.1
  • Veracode now provides reporting based on CWE version 4.1 definitions, which changes the names and descriptions of a few existing CWE categories. The complete list of changes in CWE version 4.1 is available from the MITRE website. This new version does not impact the CWE mappings for the OWASP, CWE Top 25, or CERT security standards.

  • MITRE is updating their CWE list on a more frequent basis, but Veracode remains committed to staying up-to-date with each new version. As MITRE updates their CWE database, you might notice periodic changes in Veracode reports, such as differences between parent-child relationships or mappings.

August 21, 2020

Findings API Version 2
  • The Veracode Findings REST API v2 is now available. With this API, you can access information about open and mitigated findings associated with applications and sandboxes. It supports Static Analysis, Dynamic Analysis, Manual Penetration Testing, and Software Composition Analysis scans.

July 28, 2020

Improved User Activity Report
  • An improved user activity report is now available to download as a CSV file, providing easier access to information about user actions.

July 7, 2020

Administrators Can Turn Off Optional Notifications for Their Entire Organization
  • Administrators in the Veracode Platform can now turn off all optional notifications for all new and existing users in their organization account. Individual users have the option to turn the notifications back on for their own user account.

June 29, 2020

New Accept the Risk Mitigation Type
  • Veracode now allows you to resolve a finding by stating that your business is willing to accept the risk associated with that finding. This mitigation type allows you to track and report the risk while continuing to maintain the mitigation and resolution approval process. Veracode updated the mitigationinfo.xsd file to include this mitigation type.

June 27, 2020

Veracode Policies Now Support 2019 CWE Top 25 Security Standard
  • Veracode updated the PCI security standard in the Veracode Platform to include the 2019 CWE Top 25 Security Standard, previously called the SANS Top 25 standard. Applications with findings included in the new standard may fail the PCI policy or PCI standard requirement as a result. Veracode applies the update to applications upon rescan.

June 16, 2020

Veracode Analytics Provides Ignored Issue SCA Data
  • Veracode Analytics now supports SCA agent-based scan issue data about ignored issues, including details of when a user ignored an issue and the username for the user who ignored the issue.

June 11, 2020

New Sandbox Attributes Added to Veracode Analytics
  • Veracode Analytics now provides attributes for tracking sandbox usage. You can view sandbox expiration dates and determine if the Veracode Platform sandboxes are configured for Veracode to automatically recreate them after expiration.

New Dynamic Analysis Dimensions Available in Veracode Analytics
  • Veracode Analytics now provides the Dynamic Analysis fields Path and Vulnerable Parameter, which allow you to better focus and prioritize your remediation efforts.

June 8, 2020

SCA Agent Data Available in Veracode Analytics
  • The Software Composition Analysis (SCA) dashboard is updated in Veracode Analytics to reflect recommended charts for tracking your use of SCA agent-based and upload-and-scan workflows. In addition, Veracode Analytics provides two new explores for SCA agent data: SCA Agent Issues and SCA Agent Scans. These explores enable you to create your own charts and dashboards, providing a better understanding of your open-source risk.

May 28, 2020

Update to Industry Values in Application Profile
  • Veracode has updated the values for industries in application profiles to more accurately reflect the market. Because applications include industry values to help inform the Veracode State of Software Security report, this change affects the createapp.do and updateapp.do XML API calls.

  • If you have a script coded with an expected value for the industry field, please update your script to reflect the updated values or use the default value already provided.

May 13, 2020

Analytics Scan Frequency Requirements Data
  • Veracode Analytics now provides visibility into scan frequency requirements for an application. These requirements include the frequency mandated by the policy, upcoming scan due dates, and any past due dates.

May 7, 2020

New Team Admin Role
  • Veracode has added the new Team Admin user role that an administrator can grant to users. With the Team Admin role, you can create, edit, and delete users within the teams you manage. This new role makes it easier for organizations to manage permissions for a large number of users.

New Mitigation Type
  • Veracode has added a new mitigation type to allow you to propose mitigations using the mitigation type Mitigated - Referred to Library Maintainer. You can classify findings related to libraries developed by another development team. Another development team may build libraries in-house, but they may not own the application Veracode is scanning.

April 30, 2020

New Identity REST APIs
  • The new Identity REST APIs allow you to manage users, teams, and business units. You can also use these REST APIs to create API service accounts and manage API ID/key credentials.

Updated Greenlight Scans Explore Page
  • Veracode has updated the Analytics page Greenlight Scans Explore to reflect the new terminology of IDE scan (formerly known as Greenlight) and to include pipeline scan data.

Updated Applications List View
  • The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering. Veracode is gradually releasing this feature as part of each Platform release, so it may not be immediately available to you.

New Secure Coding Foundation eLearning Courses

Veracode eLearning has released a new set of secure coding foundation courses:

  • Secure Coding Foundations - Authentication
  • Secure Coding Foundations - Authorization
  • Secure Coding Foundations - Configuration and Deployment
  • Secure Coding Foundations - Data Protection
  • Secure Coding Foundations - Information and Error Handling
  • Secure Coding Foundations - Trust Boundaries
  • Secure Coding Foundations - Validation and Encoding

These courses cover application security practices and associated vulnerabilities.

eLearning User Interface Enhancements

Veracode has improved these eLearning windows:

  • Manager window you use to assign learners to a manager
  • Curriculum window you use to assign learners to a curriculum

April 21, 2020

Updated Applications List View

  • The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering.

March 28, 2020

CWE 4.0 Support
  • Veracode CWE support is updated to reflect the latest changes from MITRE in the CWE 4.0 release.
Enable Automatic Re-creation of Existing Sandboxes
  • You can now edit existing sandboxes to enable the setting for automatically re-creating the sandbox when it expires.
Due Date Notifications for eLearning Students
  • eLearning administrators can now specify when to send email reminders to notify students about the due dates for assigned courses.
New Python and JavaScript eLearning Courses
  • Veracode has added secure coding courses for Python and JavaScript to eLearning learner levels.

March 19, 2020

New Grace Period Expiration Date in Analytics
  • Veracode Analytics now provides the date when a grace period expires. An expired grace period causes the finding to fail the policy associated with the application. Veracode calculates the date based on the First Found or Last Reopened date, whichever is more recent.
Account Lock Does Not Trigger Email to Administrator
  • To prevent redundant notifications, Veracode no longer sends an email to Administrators in the Veracode Platform when users in their organization are locked out of their accounts. This email is now unnecessary because users can unlock their own accounts.

March 3, 2020

Improved Developer Sandbox Scanning and Added Expiration Date

Veracode has made these improvements to developer sandboxes:

  • You can now perform up to ten sandbox scans simultaneously for a single application. Before starting additional scans, you must wait for at least one running scan to complete.
  • The sandbox list in the application profile now shows all sandboxes in the application that have running scans.
  • All sandboxes now have an expiration date. After a sandbox reaches its expiration date, you can no longer perform scans in it. Seven days after the expiration date, the Veracode Platform automatically removes the sandbox. All data about the removed sandbox is available from Veracode Analytics. You can use the re-create option to have the Veracode Platform automatically create a new sandbox with the same name as a previously removed sandbox.
Applications REST API Adds Policy Compliance Information
  • Veracode has improved the Applications REST API to include information about the policy compliance of the application.
Executive Summary in Customizable Report PDF Includes Informational Findings
  • The executive summary in the downloadable PDF of the Customizable Report now shows informational findings. The informational findings provide information that can help you ensure your application meets policy compliance.
Email Notifications for eLearning Curriculum Due Date Changes
  • eLearning administrators can now send emails to notify students and their managers when the due date for an assigned curriculum changes. They can also send emails to notify managers when a due date on a curriculum has passed and students have not completed the curriculum.

February 21, 2020

New JavaScript eLearning Courses

Veracode eLearning has released a new set of secure coding courses for JavaScript:

  • Secure Coding for JavaScript - Authentication & Authorization
  • Secure Coding for JavaScript - Configuration and Deployment
  • Secure Coding for JavaScript - Data Protection
  • Secure Coding for JavaScript - Information and Error Handling
  • Secure Coding for JavaScript - Validation and Encoding

These courses cover application security practices and associated vulnerabilities, including the OWASP Top Ten, and secure coding techniques in JavaScript, including using the AngularJS and ReactJS frameworks.

February 19, 2020

Updated Look-and-Feel with New Veracode Branding
  • Veracode has updated the look-and-feel of the Veracode Platform with new branding.

January 28, 2020

Updates to Sandbox Functionality

Veracode has implemented these changes to improve the performance of sandbox scans:

  • You can delete a sandbox and all of its scans when you promote it to policy.
  • There may be a maximum number of sandboxes that you can create for each application. The default limit is 25.
Automated Emails for eLearning Curriculum Updates
  • Veracode eLearning administrators can turn on automated email notifications to alert eLearning students and managers when the administrator assigns a curriculum to a student.

January 24, 2020

New Video - Create a Custom Policy in the Veracode Platform
  • This video shows you how to create a custom policy in the Veracode Platform.

January 13, 2020

SCA Findings Dashboard Available in Analytics
  • Veracode Analytics has a new dashboard that provides Software Composition Analysis (SCA) findings on open vulnerabilities, license risk, issue severities, and library data. Veracode Analytics does not currently display findings from agent-based scans.

January 8, 2020

New Video - Review Scan Results
  • This video shows you how to view Veracode scan results in the Veracode Platform.

January 2, 2020

SCA Findings Available in Veracode Analytics
  • Veracode Analytics now provides details about Software Composition Analysis (SCA) findings. If you have an SCA subscription, you can view SCA vulnerabilities displayed in the Findings Status & History dashboard and the Resolution and Mitigation Details dashboard.

  • Veracode Analytics does not currently display findings from agent-based scans.

Software Composition Analysis

View the list below for highlights of previous releases.

December 17, 2020

Container Scanning for Debian
  • Veracode Software Composition Analysis now supports agent-based scans of Debian Docker containers. You can scan Debian containers through the command-line interface or as part of your continuous integration pipelines.

October 15, 2020

Set Default Branch to the Most Recently Scanned Branch or Tag
  • You can now set your Veracode Software Composition Analysis projects to automatically update their default branch to be the most recently scanned branch or tag. This enhancement enables the use of tags as default branches and reduces the number of issues that display in the Veracode Platform, by default.

  • Existing projects without a default branch selected in their project settings now use the Use Last Scanned option as the default branch.

October 13, 2020

Vulnerable Method Support for JavaScript
  • Veracode Software Composition Analysis supports vulnerable method analysis for agent-based scans of JavaScript applications. This feature helps prioritize your remediation actions by identifying first-party code that calls the function that makes a JavaScript library vulnerable.

October 1, 2020

Container Scanning for Ubuntu
  • Veracode Software Composition Analysis now supports agent-based scans of Ubuntu Docker containers. You can scan Ubuntu containers through the command-line interface or as part of your continuous integration pipelines.

September 26, 2020

Grace Periods for SCA Policy Rules
  • Veracode Software Composition Analysis now allows you to include grace periods for SCA upload scans in your application security policies. You can define a grace period for all scan types, including SCA, or define a grace period that applies specifically to SCA scans.

July 17, 2020

Default Date Limit Applied to Scan Data in Agent-Based Scan Workspaces
  • To improve performance and usability, the scan data for your workspaces is now limited to projects scanned in the last 30 days, by default. You can change the time window of exported projects on the workspace page in the Veracode Platform.

July 7, 2020

Advanced License Risk Management for Agent-Based Scans
  • Veracode Software Composition Analysis now provides advanced license risk management capabilities for agent-based scans. You can control the acceptable risk from open-source libraries by adding rules based on Veracode license risk ratings or by rejecting specific licenses.

June 17, 2020

New API Endpoints for Agent Management
  • The Veracode SCA Agent REST API includes new endpoints for creating and deleting agents. This update enables you to more effectively scale your agent administration and improve productivity with agent-based scans.

May 28, 2020

Issue Summary for Agent-Based Scans
  • Veracode Software Composition Analysis now provides a summary table on each agent-based scan workspace and project page that provides a quick view of the state of your open-source issues.

April 29, 2020

Vulnerability Database Update
  • The Veracode Vulnerability Database is updated to resolve a discrepancy in severity rating compared to the National Vulnerability Database (NVD) for approximately 200 of over 20,000 total vulnerabilities. Veracode has already contacted all organizations that have applications that fail policy as a result of this update.

  • If your Veracode account manager has not contacted you, you do not need to take any action.

April 6, 2020

Alpine Linux Support for Agent-Based Scans
  • Veracode Software Composition Analysis (SCA) now supports the Alpine Linux distribution for agent-based scans.
Organization Rules for Agent-Based Scans
  • Veracode Software Composition Analysis (SCA) now supports configuring rules for agent-based scans at the organization level. Administrators can apply these rules to all workspaces in an organization to efficiently enforce a common security standard.

April 3, 2020

New API Endpoint for Auditing Agent-Based Scan Events
  • The Veracode SCA Agent REST API includes a new endpoint that provides a detailed audit of events for agent-based scans.

March 17, 2020

License Risk Details for Agent-Based Scans
  • Veracode Software Composition Analysis (SCA) provides the license risk rating of each open-source license type identified in agent-based scans to help you make informed decisions about acceptable risk.
Gem Support for Containers
  • Agent-based scans now support the gem package manager for scanning Docker containers.

March 16, 2020

New Video - Set Up an Agent to Scan with Veracode Software Composition Analysis

This video shows you how to:

  • Create a workspace
  • Set up an agent
  • Start a scan from your command line
  • View scan results

March 9, 2020

ISM endpoint 20.3.5
  • The endpoint installer supports client-side Java and 32-bit Java.
  • The endpoint installer supports the proxy gateway-only property.
  • The endpoint supports running diagnostics through a DSE tunnel.
  • The endpoint supports new advanced diagnostics options.
  • Consolidated direct diagnostic options and diagnostics options that run through a DSE tunnel.
  • The ISM service from the Windows installer runs under the less privileged LocalService account instead of LocalSystem.
  • Proxy configuration in the installer no longer requires web access to veracode.com.
  • Resolved issue with property merge in the endpoint installer.
  • Improved endpoint memory management and out of memory protection.

February 13, 2020

NPM and Pip Support for Containers
  • Agent-based scans now support the NPM and pip package managers for scanning Docker containers.

January 29, 2020

Update to Integrated SCA Upload and Scan
  • If you use Veracode Integrated Software Composition Analysis without a Veracode Static Analysis subscription, you can now perform scans using the upload and scan method.
SCA Results Export
  • You can now generate and download your latest Software Composition Analysis results from the Export Data page in the Veracode Platform at any time. This report does not include data from agent-based scans.

January 24, 2020

New Video - Upload and Scan with Veracode Software Composition Analysis
  • This video shows you how to upload and scan applications with Veracode Software Composition Analysis.

January 15, 2020

Get Teams List with the SCA Agent REST API
  • The Veracode SCA Agent REST API for Veracode Agent-Based Scan now supports retrieving a list of the teams in an organization, including filtering by the full or partial team name.