Oct 31, 2019

Automate Dynamic Analysis Scans With New REST APIs

By Bhavna Sarathy

In today’s fast-paced, technology-driven world, preventing security breaches has become an increasingly important priority for organizations; however, ensuring that your organization remains as secure as possible can be like trying to hit a moving target. One of the most common attack vectors that results in a breach is insecure web applications. Dynamic Application Security Testing (DAST) is one of the best ways to identify and remediate exploitable vulnerabilities in your web applications and reduce your risk of a breach.

With a shift towards DevOps and more rapid releases, the easiest way to accomplish DAST scanning is through automation. This allows developers and security teams to automatically kick off DAST scans directly from the tools they already use. The Veracode Dynamic Analysis REST APIs enable our customers to automate the core functionality of the solution within their chosen development and security processes. Specifically, the REST APIs enable development teams to build their own integrations to create, configure, schedule, and run scans, and to link the results back to the application profile, which can aggregate scan results across multiple assessment types. This means that development teams can kick off DAST scans and retrieve the results without ever needing to leave their unique workflows and development environments. The REST APIs coupled with faster scan times even allow customers to integrate DAST scanning as a non-release-blocking post-build action as part of their CI/CD pipeline.

Veracode’s YAML and Swagger files leverage these APIs to make it easy to integrate Veracode Dynamic Analysis into your SDLC, ensuring that they can be broadly leveraged regardless of the development tool. For further information on the Veracode APIs, visit the Veracode Help Center.

How to automate dynamic application scanning

DAST scans take longer to return results than static analysis testing because they need to crawl and attack the live application the way an attacker would, without bringing down the application. Due to this crawl-and-audit scanning process, DAST solutions can seem less DevOps-friendly than other assessment types. This can result in pushback from development teams when they are asked to include DAST scanning every time the pipeline runs.

The Veracode Dynamic Analysis REST APIs help address some of this pushback. Now, instead of needing to take a separate step to initiate a DAST scan, development teams can integrate Veracode Dynamic Analysis into their SDLC or parallel security process and automatically kick off scans.

There are several approaches you can take to automate DAST scanning with the Veracode Dynamic Analysis APIs:

100% API Driven: This is a very flexible approach made for teams that have a high level of comfort with writing custom scripts and using APIs for automation. This approach allows customers to use Swagger documentation, JSON templates, and possibly sequential API calls to drive intended code, configuration, and scan reuse behavior.

UI Configured, API Scheduled: This hybrid model allows customers to configure their scans within the Veracode Dynamic Analysis UI and then leverage that configuration when setting up automation through the APIs. This enables customers to validate their configuration with prescan prior to integrating with the APIs and allows for more trial and error.

Below is an example of a recurring scan that starts every Friday, and the schedule expires after two instances.

Below is an example of a scan with Pause and Resume for a blackout period between 9 and 11 pm.

Below is an example of how to set up Auto Login for authenticated scans.

Scan applications on private networks with Internal Scanning Management (ISM)

It’s best practice to carry out dynamic analysis scans before an application is released to production and then regularly when it’s in production to ensure that there are no new exploitable vulnerabilities in the application. The first round of scanning therefore must take place during either the test or QA phases of deployment, but often these environments are not reachable from the Internet because they sit behind the firewall. For these environments, the only way to automate DAST scanning in CI/CD is to conduct a behind-the-firewall scan. Additionally, some applications, such as those that are used for financial operations and HR purposes or applications that contain sensitive, highly regulated data, always live behind a firewall as an added layer of security. Unfortunately, if the firewall is compromised, these applications can still be at risk of a breach if not regularly scanned.

Veracode Dynamic Analysis leverages Internal Scanning Management (ISM) to access applications behind the firewall. ISM establishes a secure connection to Veracode’s cloud and the network segment that hosts the target application. Unlike on-premise scanning appliances that typically have a one-to-one relationship between appliance and application, Veracode Internal Scanning Management allows organizations to scan multiple internal applications through a single endpoint. Additionally, this model does not require operational maintenance because all scan engine updates are carried out within the Veracode Platform. The Veracode Dynamic Analysis REST APIs allow customers to automate internal scanning. Once a customer has set up ISM within the Veracode Dynamic Analysis UI, the APIs can use the gateway and endpoint IDs to automatically kick off DAST scans on applications that live behind the firewall.

Why DAST: find exploitable vulnerabilities other assessment types overlook

When you go to your doctor for an annual checkup, she conducts several tests on you. Taking your temperature won’t surface issues with your liver, and a blood test won’t find a broken bone. Similarly, a comprehensive application security program needs several assessment types for due diligence of high-risk applications.

Dynamic analysis instruments a browser to actively attack the running application. As such, the vulnerabilities it finds are provably exploitable and not merely theoretical based on analyzing the source code, which reduces false positives. Dynamic analysis is also the only assessment type that can find security misconfigurations on the server because it assesses the running instance rather than the code. In a nutshell, one assessment type only gives you a partial understanding of your application risk; the only way to ensure that you have broad security coverage of your applications is to scan with multiple assessment types across your software development lifecycle.

Regardless of which combination of scanning technologies your team leverages, automating scanning ensures broader adoption of security testing among development and security teams. Veracode Dynamic Analysis’ REST APIs provide added flexibility for organizations to include DAST scanning in development and existing security processes by reducing the time teams must spend uploading, configuring, scheduling, and kicking off scans, ultimately helping our customers reduce their overall risk of a breach. For more information, please visit the Veracode Help Center or the Veracode Community.

Bhavna Sarathy is a Principal Product Manager for the Veracode Web Application Scanning product line. Bhavna was instrumental in building the new Veracode Dynamic Analysis as the lead Product Manager, translating vision to execution. Bhavna enjoys building new products that delight security-conscious customers, and is adept at driving cross-functional teams toward common product portfolio goals. Bhavna has 20+ years of experience in IT commercial software and 8+ years in product management and strategy. Bhavna holds master's degrees in Computer Science and Electrical Engineering from The Ohio State University.