You are tasked with ensuring that critical applications soon to hit production are secure. As an application owner, you meticulously configure a dynamic scan: the features you want enabled, crawl scripts, login scripts, and whitelists and blacklists of specific sites, and you kick off the scan. The scan runs for a few days. But the production deadline is looming, and your developers have already worked hard to fix many of the bugs the dynamic scanner identified in previous scans. Your team is on a tight SDLC timeline and doesn’t have three days to rescan an application that had a full scan just days ago.

Does this sound familiar?

You shouldn’t have to run a full scan on an application that was scanned very recently just to check whether the flaws have been fixed. What you need is the ability to quickly retest the vulnerabilities that the previous full scan identified. Dynamic retesting is exactly that capability: it re-checks previously identified vulnerabilities without a new full scan.

The first benefit to dynamic retesting is time savings. By quickly retesting vulnerabilities without performing a full crawl and audit, you increase speed, agility and ultimately savings to the bottom line.

But dynamic retesting is by no means a one-trick pony. Let me walk you through a second use case.

As a security lead, your job is to ensure the applications from your organization are periodically scanned using your dynamic scanner of choice. You have arrived at a cadence of running the scans monthly. Last month’s scan revealed a number of vulnerabilities that you meticulously handed over to the application owners. The developers got to work and fixed many of them. In addition, they updated parts of the web application, making it more user friendly, and added a few bells and whistles. The next scan you perform will report many different vulnerabilities that may not match the patterns you saw before. The result is a scan consistency problem, where the only option would be to manually work out which flaws differ between the two scans.

How do you attack this issue?

The second benefit to dynamic retesting is better scan-over-scan consistency. Dynamic retesting can be prepended to an existing full scan workflow, so that previously found vulnerabilities are automatically re-assessed as part of the next full scan.
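As an added illustration (not Veracode’s code or any product’s API), the following Python sketches the retest-first workflow both use cases describe: last scan’s findings are re-checked individually, then merged with a fresh full scan so that “fixed”, “still open” and “new” are decided by a stable fingerprint rather than by manual comparison. The findings, the vulnerability-class labels and the probe fixture are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from hashlib import sha256
from typing import Callable, Iterable

@dataclass(frozen=True)
class Finding:
    vuln_class: str  # e.g. "xss", "sqli"; scanner-neutral labels (assumed)
    method: str
    path: str
    parameter: str

    def fingerprint(self) -> str:
        # Stable identity across scan runs, so the same flaw still matches
        # after unrelated UI changes elsewhere in the application.
        key = "|".join((self.vuln_class, self.method.upper(), self.path, self.parameter))
        return sha256(key.encode()).hexdigest()[:16]

def retest(previous: Iterable[Finding],
           probe: Callable[[Finding], bool]) -> dict[str, list[Finding]]:
    """Replay only the previously reported findings: no crawl, no full audit."""
    outcome: dict[str, list[Finding]] = {"still_open": [], "fixed": []}
    for f in previous:
        outcome["still_open" if probe(f) else "fixed"].append(f)
    return outcome

def reconcile(retest_outcome: dict[str, list[Finding]],
              full_scan: Iterable[Finding]) -> dict[str, list[Finding]]:
    """Merge a fresh full scan with the retest so each finding gets one status."""
    open_ids = {f.fingerprint() for f in retest_outcome["still_open"]}
    fixed_ids = {f.fingerprint() for f in retest_outcome["fixed"]}
    merged = {"still_open": list(retest_outcome["still_open"]),
              "fixed": list(retest_outcome["fixed"]), "new": [], "reappeared": []}
    for f in full_scan:
        fid = f.fingerprint()
        if fid in fixed_ids:       # retest said fixed, but the full scan found it again
            merged["reappeared"].append(f)
        elif fid not in open_ids:  # not in the previous report: e.g. from the new UI
            merged["new"].append(f)
    return merged

# Constructed sample data standing in for last month's report and this month's scan.
PREVIOUS = [Finding("xss", "GET", "/search", "q"), Finding("sqli", "POST", "/login", "user"),
            Finding("xss", "GET", "/profile", "name")]
STILL_VULNERABLE = {Finding("xss", "GET", "/profile", "name").fingerprint()}  # fixture
FULL_SCAN = [Finding("xss", "GET", "/profile", "name"), Finding("csrf", "POST", "/settings", "token")]

def run_example() -> dict[str, list[Finding]]:
    # A real probe re-sends the original request; this one only consults the fixture.
    return reconcile(retest(PREVIOUS, lambda f: f.fingerprint() in STILL_VULNERABLE), FULL_SCAN)
```

Because the fingerprint ignores everything except the request shape and vulnerability class, a redesigned page that keeps the same endpoint and parameter still matches its earlier finding, which is what makes the scan-over-scan comparison automatic.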

In the end, with dynamic retesting, you streamline security assessments, don’t slow down developers and help produce more secure code more quickly.

About Bhavna Sarathy

Bhavna Sarathy is a Principal Product Manager at Veracode leading the Web Application Security product line, driving business and product strategy. Bhavna has over 15 years of experience in commercial software design and development and 6 years in product management and product strategy. Bhavna has steadily moved up the software stack, with experience in operating systems, virtual and container infrastructure, cloud, web applications, application perimeter monitoring and application security testing. Bhavna is skilled at building new products that delight security-conscious customers, and adept at driving cross-functional teams towards common product portfolio goals.

Comments (1)

Jessica Cain | August 24, 2016 12:53 am

Thanks for sharing the post Bhavna.
