Aug 29, 2016

Introducing Dynamic Vulnerability Rescan: How Security Can Keep Up With the Speed of Development

By Bhavna Sarathy

As an application owner, you have the task of staying abreast of the security issues in critical applications that are about to hit production. You need a workflow that lets you quickly confirm that the vulnerabilities identified in a full dynamic scan have been addressed by development. You also have to produce a report to the business listing the vulnerabilities that have been addressed and those that are still pending, so that the business can make an informed decision on whether the application is ready for production or needs more work. What you need is a dynamic solution with a user-friendly workflow that retests previously found vulnerabilities in a fraction of the time a full scan with crawl and audit takes.

As a product manager, I have had numerous conversations with application owners and security leads. Many of you have been forthcoming about new feature requests, the security challenges you face within your company, and how the Veracode Web Application Scanning solution can help. One such request has been a dynamic rescanning feature to help security keep up with the speed of development. We heard your request and implemented the Dynamic Vulnerability Rescan feature to quickly retest previously found vulnerabilities.

Benefits of the New Dynamic Vulnerability Rescan Feature

  • Veracode DynamicDS can rescan previously found vulnerabilities, providing a rapid workflow that saves time and effort and ensures scan-over-scan consistency.
  • This new feature provides high-level vulnerability reporting and helps an application owner report remediation trends to the business. In addition, vulnerability rescanning gives developers rapid feedback that their fixes have actually remediated the flaws in the web application.
  • After you scan your application using Veracode DynamicDS, a dynamic flaw inventory provides a dashboard of the flaws found during the scan. The inventory updates each time you rescan the same application, providing a bird’s eye view of the status of all the flaws found in the application.

Let me walk you through the steps to use Dynamic Vulnerability Rescan:

Using the Dynamic Flaw Inventory

After the first Veracode DynamicDS scan of an application, go to the flaw inventory in the left navigation pane to see the vulnerabilities Veracode found.

Dynamic Flaw Inventory - Veracode Dynamic Rescan

You will notice that the inventory populates after the very first full scan, and the vulnerabilities found will be tagged as New. With subsequent rescans, the status changes depending on whether a vulnerability remains open, has been fixed or could not be reproduced.

The vulnerabilities are categorized as:

  • New: Veracode found these flaws in the most recent Veracode DynamicDS scan. During a rescan, it is possible that a new flaw is introduced while fixing a previous flaw found in the same location.
  • Open/Reopened: These previously discovered flaws are either still not fixed (Open) or were marked fixed but were found again in a subsequent scan (Reopened).
  • Cannot Reproduce: The Veracode DynamicDS scan engine was not able to reach the page where this flaw was previously found, because of a network error, the scan reaching its time limit, or a redirect.
  • Fixed: These flaws are now fixed.
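As an added illustration, not Veracode's code and not how DynamicDS is implemented, the following shows how the four status categories above can be derived when a rescan's findings are merged with the inventory from the previous scan. The flaw key (path plus flaw type), the unreachable-page list and the sample inventory are assumptions constructed for the example.

```python
from collections import Counter
from enum import Enum
from typing import Dict, Optional, Set, Tuple

class Status(Enum):
    NEW = "New"
    OPEN = "Open"
    REOPENED = "Reopened"
    CANNOT_REPRODUCE = "Cannot Reproduce"
    FIXED = "Fixed"

# Hypothetical inventory key: a flaw is identified by where it was found and what it is.
FlawKey = Tuple[str, str]  # (url_path, flaw_type)

def next_status(previous: Optional[Status], reproduced: bool, reachable: bool) -> Status:
    """Status of one inventory entry after a flaw-only rescan."""
    if previous is None:
        return Status.NEW               # not in the inventory before this scan
    if not reachable:
        return Status.CANNOT_REPRODUCE  # page not reached, so nothing can be concluded
    if reproduced:
        # found again: Reopened if it had been marked Fixed, otherwise still Open
        return Status.REOPENED if previous is Status.FIXED else Status.OPEN
    return Status.FIXED                 # page reached and the flaw no longer triggers

def update_inventory(previous: Dict[FlawKey, Status], found: Set[FlawKey],
                     unreachable: Set[str]) -> Dict[FlawKey, Status]:
    """Merge a rescan's findings into the inventory carried over from the prior scan."""
    inventory: Dict[FlawKey, Status] = {}
    for key, status in previous.items():
        path, _ = key
        reproduced = key in found
        # a reproduced flaw was necessarily reached, whatever the crawler logged for the page
        reachable = reproduced or path not in unreachable
        inventory[key] = next_status(status, reproduced, reachable)
    for key in found - set(previous):
        inventory[key] = Status.NEW     # e.g. introduced while fixing a neighbouring flaw
    return inventory

def summarize(inventory: Dict[FlawKey, Status]) -> Dict[str, int]:
    """Counts per status: the figures an application owner reports to the business."""
    return dict(Counter(s.value for s in inventory.values()))

# Constructed sample data, not real scan output.
PREVIOUS = {("/login", "SQL Injection"): Status.NEW, ("/search", "XSS"): Status.FIXED,
            ("/profile", "XSS"): Status.OPEN, ("/admin", "CSRF"): Status.NEW}
FOUND = {("/search", "XSS"), ("/profile", "XSS"), ("/login", "Open Redirect")}
UNREACHABLE = {"/admin"}  # crawler could not reach this page during the rescan

if __name__ == "__main__":
    updated = update_inventory(PREVIOUS, FOUND, UNREACHABLE)
    for (path, kind), status in sorted(updated.items()):
        print(f"{path:10} {kind:15} {status.value}")
    print(summarize(updated))
```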

Dynamic Flaw Inventory View

Dynamic Rescanning

Using the dynamic flaw inventory, you now have a good handle on which vulnerabilities have been fixed and those that are still open and need to be rescanned. You can now choose to perform a rescan of the vulnerabilities that have been previously found without running a full crawl and audit.

To rescan an application:

Step 1: From the application overview page, select Rescan from the action dropdown menu.

Choosing the Dynamic Rescan Function

Step 2: From the Scan Options menu, select flaw-only rescan to test previously found vulnerabilities.

Scan Options from the Dynamic Rescan View

Step 3: Click Run Prescan now.

This process kicks off the flaw-only rescan, which you can run immediately or schedule for a future date. Once this scan finishes, the status of each vulnerability gets updated to show you vulnerabilities that have been fixed and those that remain open. The Dynamic Vulnerability Rescan feature provides you with an accurate status in the dashboard in hours, not days, allowing you to quickly provide vulnerability feedback to developers and provide the state of the application to the business.


I’d love to hear your feedback

Is this feature useful for your everyday work? I would love to hear your thoughts on this feature.

As a Veracode customer, you can now drastically reduce the time it takes to run a dynamic scan on your application. The feature was just made available to you in Veracode DynamicDS.

If you are not yet a Veracode customer and are interested in web application scanning solutions, we would love to show you a platform demo.


Bhavna Sarathy is a Principal Product Manager for the Veracode Web Application Scanning product line. Bhavna was instrumental in building the new Veracode Dynamic Analysis as the lead Product Manager, translating vision to execution. Bhavna enjoys building new products that delight security-conscious customers, and is adept at driving cross-functional teams toward common product portfolio goals. Bhavna has 20+ years experience in IT commercial software and 8+ years in product management and strategy. Bhavna holds masters' degrees in Computer Science and Electrical Engineering from The Ohio State University.