Dynamic analysis (DAST) is a vital part of any application security program. Effective application security secures software throughout its entire lifecycle — from inception to production. With the speed of today’s development cycles — and the speed with which software changes and the threat landscape evolves — it would be foolish to assume that code will always be 100 percent vulnerability-free after the development phase. Code in production will always need to be tested or, in some cases, patched. Dynamic analysis plays an important role in ensuring that security spans the SDLC from left to right.
Veracode provides dynamic scanning using a best-in-class engine that provides speed, accuracy of results, and scale. You can submit large batches of URLs for authenticated scans and expect results you can trust within a timeframe that matches your development cycles.
To ensure the most thorough coverage possible, you want authentication to go smoothly. Here are five key things to keep in mind to set yourself up for dynamic scanning success:
- Prescan: Always allow time to run a prescan to check your authentication and ensure your connection is stable.
- If you are using login scripts, always use Selenium IDE to create them.
- Schedule scans for times when you know the sites will be up (for example, not during a maintenance window; alternatively, use the Pause & Resume feature) and when traffic is lighter.
- If you need support for advanced frameworks (Angular, React) or single-page applications, select the advanced mode option for scanning to ensure thorough coverage.
- Take advantage of app linking: You can link the results from a dynamic analysis to an application profile to evaluate the results against policy, and see the results for all types of scans of the application aggregated in a single report.
Learn more about Veracode Dynamic Analysis on our website, or get more details on the five tips above for running dynamic scans in the Veracode Community, including how-to videos.