Skip to main content

Dynamic Analysis updates - Commercial

· 6 min read

The updates on this page apply to the following Veracode Dynamic Application Security Testing (DAST) features in the Commercial Region:

May 9, 2023

ISM Endpoint 23.5.0

Added executable scripts that update the JAVA_HOME path for the endpoint.

April 25, 2023

ISM Endpoint 23.4.2

  • The endpoint now supports environments where the target host is on the same host as the client.
  • Source code files now include a copyright header.

February 27, 2023

Set URL Scan Settings at the Organization Level

You can now use the Dynamic Analysis REST API to set URL scan settings for all analyses and scans in an organization.

February 17, 2023

New Manual Resume Feature for Paused Analyses

Veracode Dynamic Analysis adds a new feature that enables you to manually resume a scheduled analysis from a paused state. This feature is only available upon request. To add this feature to your account, contact Veracode Technical Support.

January 20, 2023

Renamed URL Scan Status Messages

Veracode has renamed and changed the descriptions for the following URL scan status messages for Dynamic Analysis. The new names more accurately describe the issues that caused these status messages to appear in the Veracode Platform.

  • Killed - Partial Results Available is now Lockout - Partial Results Available.
  • Killed - Verifying Partial Results is now Lockout - Verifying Partial Results.

December 19, 2022

ISM Endpoint 22.12.3

  • Fixed an endpoint issue that caused threads to lock up until the ISM tunnel closes.
  • Improved endpoint logging that Veracode Technical Support can use for troubleshooting.

October 18, 2022

API Scanning Adds Support for Scriptable Request Modification

Veracode API Scanning adds a new option for using JavaScript to modify an HTTP request, at runtime, when authenticating with a remote host.

October 5, 2022

New Similarity Threshold for Web Applications

When configuring an analysis of a web application, you can now set a threshold for ignoring similar web pages during the analysis.

September 7, 2022

Dynamic Analysis Now Creates Screenshots for Consecutive Login Failures

The Veracode scan engine now creates a verification screenshot if it is unable to log in to a target application after 50 attempts. The screenshot image shows when and where in the scanning process the failed login attempts occurred. You can use this information for troubleshooting.

August 2, 2022

New Historical Details for Dynamic Analyses and Scans

You can now view detailed information about all past occurrences of both a dynamic analysis and its scans.

May 18, 2022

Re-Enabled Pause and Resume for Scheduled Analyses

When scheduling a Dynamic Analysis, you can now set it to pause and resume scanning at specific days and times. Veracode disabled this option on October 7, 2021.

April 28, 2022

New Status Messages for Partial Scan Results

Dynamic Analysis now provides status messages that indicate when Veracode is verifying partial results and when partial results are available for review. Partial results can occur when a scan stops prematurely due to:

  • Errors during scanning
  • Users stopping the scan early
  • The scan exceeding its configured duration

March 23, 2022

API Scanning Adds Support for OpenID Connect to OAuth 2.0

Veracode API Scanning adds a new option to specify an OpenID Connect URL when configuring OAuth 2.0 authentication.

March 10, 2022

Dynamic Analysis Adds Support for Concurrent Browsers Running Dynamic Analysis Scans

Veracode Dynamic Analysis now supports concurrent browsers for running multiple Dynamic Analysis scans at the same time. When configuring a web application scan, you can specify up to 12 concurrent browsers.

March 8, 2022

API Scanning Adds OAuth 2.0 Authentication and Analysis History Options

Veracode API Scanning includes these changes:

  • New option to configure OAuth 2.0 authentication for the API endpoints in your API specifications. You can select to use either the Client Credentials or Password Credentials grant type.
  • New Associated Analysis field on the API Specification Details page for a given API specification. This field provides options for viewing, reconfiguring, and rerunning previous scans.

March 3, 2022

Dynamic Analysis Now Detects Log4j Vulnerability CWE-115

Veracode Dynamic Analysis can now detect Log4j vulnerability CWE-115 when scanning web applications or API specifications.

February 4, 2022

Updated Dynamic Analysis Scan Engine

The Dynamic Analysis scan engine includes these updates:

  • Updated Chromium to version 98.0.4758.80
  • Log4j security updates
  • Improved connectivity when authenticating with Veracode
  • Fix for insecure cookies that prevented flaw matching

January 25, 2022

ISM Endpoint 22.1.10

  • Endpoint upgraded to Log4j 2.17.1 to address security findings.
  • Improved thread management for connection stability.
  • Advanced memory usage diagnostics.

December 21, 2021

ISM Endpoint 21.12.13

  • Endpoint upgraded to Log4j 2.17 to address known vulnerabilities CVE-2021-44228 and CVE-2021-45046.
  • Additional libraries upgraded to address security findings.

August 10, 2020

ISM Endpoint 20.8.5

  • Endpoint now supports not resolving the hostname when accessing the ISM gateway via proxy. This support enables you to only allow the gateway hostname for outbound HTTPS calls.
  • Endpoint now supports not resolving the hostname when accessing scanned URLs via proxy. This support simplifies proxy configuration if you do not want to access external sites, such as Okta, during the scan.
  • Improved interface for configuring a proxy for the endpoint installer.
  • Endpoint installer supports configuring hostname resolution properties.
  • Java WebSocket library for the endpoint upgraded to version 1.5.1.
  • Endpoint supports specifying non-default network interface via endpoint properties, including the option to see a list of available network interfaces.
  • Endpoint process name on Linux includes a Veracode identifier.
  • Improved endpoint logging.

March 9, 2020

ISM Endpoint 20.3.5

  • Endpoint installer supports client-side Java and 32-bit Java.
  • Endpoint installer supports proxy gateway-only property.
  • Endpoint supports running diagnostics through a DSE tunnel.
  • Endpoint supports new advanced diagnostics options.
  • Consolidated direct diagnostic options and diagnostics options that run through a DSE tunnel.
  • The ISM service from the Windows installer runs under the less privileged LocalService account instead of LocalSystem.
  • Proxy configuration in the installer no longer requires web access to veracode.com.
  • Resolved issue with property merge in the endpoint installer.
  • Improved endpoint memory management and out of memory protection.