As an application owner, you are responsible for staying abreast of the security issues in critical applications that are about to reach production. You need a workflow that lets you quickly confirm that the vulnerabilities identified in a full dynamic scan have been addressed by development. You also have to produce a report to the business listing the vulnerabilities that have been addressed and those that are still pending, so the business can make the critical decision on whether the application is ready for production or needs more work. You need a dynamic solution with a user-friendly workflow that retests previously found vulnerabilities in a fraction of the time it takes to run a full scan with crawl and audit.
As a product manager, I have had numerous conversations with application owners and security leads. Many of you have been forthcoming about new feature requests, the security challenges you face within your company and how CA Veracode Web Application Scanning solution can help. One such request has been a dynamic rescanning feature to help security keep up with the speed of development. We heard your request and implemented the Dynamic Vulnerability Rescan feature to help quickly retest previously found vulnerabilities.
Let me walk you through the steps to use Dynamic Vulnerability Rescan:
After the first CA Veracode DynamicDS scan of an application, go to the flaw inventory in the left navigation pane to see the vulnerabilities CA Veracode found.
You will notice that the inventory populates after the very first full scan, and the vulnerabilities found will be tagged as New. With subsequent rescans, the status changes depending on whether a vulnerability remains open, has been fixed or could not be reproduced.
The vulnerabilities are categorized as:
Using the dynamic flaw inventory, you now have a good handle on which vulnerabilities have been fixed and those that are still open and need to be rescanned. You can now choose to perform a rescan of the vulnerabilities that have been previously found without running a full crawl and audit.
To rescan an application:
Step 1: From the application overview page, select Rescan from the action dropdown menu.
Step 2: From the Scan Options menu, select flaw-only rescan to test previously found vulnerabilities.
Step 3: Click Run Prescan now.
This process kicks off the flaw-only rescan, which you can run immediately or schedule for a future date. Once this scan finishes, the status of each vulnerability gets updated to show you vulnerabilities that have been fixed and those that remain open. The Dynamic Vulnerability Rescan feature provides you with an accurate status in the dashboard in hours, not days, allowing you to quickly provide vulnerability feedback to developers and provide the state of the application to the business.
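To make the status model behind the flaw inventory concrete, here is an added example (not Veracode's code and not the DynamicDS API) that tracks a previously found vulnerability through a flaw-only rescan and produces the pending-versus-addressed summary the business asks for. The inventory, the outcome codes ("reproduced", "fixed", "not_reproduced"), the severity values and the production-readiness rule are all constructed assumptions for this example; flaws that the rescan did not retest keep their earlier status.

```python
# Added example: status tracking for a flaw-only rescan (constructed model,
# not Veracode's implementation or API).
from dataclasses import dataclass
from typing import Dict, List

# Status labels as described in the text: New after the first full scan,
# then Open / Fixed / Could not reproduce after a rescan.
NEW, OPEN, FIXED, NOT_REPRODUCED = "New", "Open", "Fixed", "Could not reproduce"

# Assumed rescan outcome codes (constructed for this example).
OUTCOME_TO_STATUS = {
    "reproduced": OPEN,
    "fixed": FIXED,
    "not_reproduced": NOT_REPRODUCED,
}


@dataclass
class Flaw:
    flaw_id: str
    cwe: str
    url: str
    severity: str          # constructed scale: "high" | "medium" | "low"
    status: str = NEW      # every flaw starts as New after the first scan


def apply_rescan(inventory: List[Flaw], outcomes: Dict[str, str]) -> List[Flaw]:
    """Update each flaw's status from a flaw-only rescan.

    `outcomes` maps flaw_id -> outcome code. Flaws absent from `outcomes`
    were not retested and keep their current status. An unknown outcome
    code is an error rather than being silently treated as Fixed.
    """
    for flaw in inventory:
        if flaw.flaw_id not in outcomes:
            continue
        code = outcomes[flaw.flaw_id]
        if code not in OUTCOME_TO_STATUS:
            raise ValueError(f"unknown rescan outcome {code!r} for {flaw.flaw_id}")
        flaw.status = OUTCOME_TO_STATUS[code]
    return inventory


def business_report(inventory: List[Flaw]) -> dict:
    """Summarise addressed vs. pending flaws for the go/no-go decision.

    Constructed rule: any high-severity flaw that is still New or Open
    blocks production. 'Could not reproduce' is reported separately so a
    human can decide whether it counts as addressed.
    """
    counts = {s: 0 for s in (NEW, OPEN, FIXED, NOT_REPRODUCED)}
    for flaw in inventory:
        counts[flaw.status] += 1
    blocking = [
        f.flaw_id for f in inventory
        if f.status in (NEW, OPEN) and f.severity == "high"
    ]
    return {
        "counts": counts,
        "blocking": blocking,
        "ready_for_production": not blocking,
    }


def demo() -> dict:
    """Constructed inventory after a first full scan, then one rescan."""
    inventory = [
        Flaw("F-1", "CWE-79", "/search", "high"),
        Flaw("F-2", "CWE-89", "/login", "high"),
        Flaw("F-3", "CWE-200", "/debug", "low"),
        Flaw("F-4", "CWE-352", "/profile", "medium"),
    ]
    # Constructed rescan result: F-4 was not retested and stays New.
    outcomes = {"F-1": "fixed", "F-2": "reproduced", "F-3": "not_reproduced"}
    apply_rescan(inventory, outcomes)
    return business_report(inventory)


if __name__ == "__main__":
    report = demo()
    for status, n in report["counts"].items():
        print(f"{status:>20}: {n}")
    print("blocking:", report["blocking"])
    print("ready for production:", report["ready_for_production"])
```

Running the script prints one line per status plus the blocking list; in the constructed case F-2 is still open at high severity, so the application is reported as not ready.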
Is this feature useful for your everyday work? I would love to hear your thoughts on this feature.
As a CA Veracode customer, you can now drastically reduce the time it takes to run a dynamic scan on your application. The feature was just made available to you in CA Veracode DynamicDS.
If you are not yet a CA Veracode customer and are interested in web application scanning solutions, we would love to show you a platform demo.