Veracode’s Manual Penetration Testing

Veracode’s MPT Methodology

All Veracode Manual Penetration Testing is performed according to industry-standard testing methodologies where applicable. The table below lists, for each test type, the methodology followed and the vulnerability classes the test targets:

Test Type: Web Application/API
  Methodology: OWASP Testing Guide
  Vulnerabilities: OWASP Top 10 / SANS Top 25

Test Type: Mobile Application
  Methodology: OWASP Mobile Security Testing Guide
  Vulnerabilities: OWASP Mobile Top 10

Test Type: Desktop or Thick-Client Application
  Methodology: OWASP recommended testing guidance and best practices
  Vulnerabilities:
    • Application Logic
    • Code Injection
    • Local Storage
    • Binary Exploitation and Reverse Engineering
    • Excessive Privileges
    • Unencrypted Storage of Sensitive Information
    • Unencrypted Transmission of Sensitive Information
    • Weak Encryption Implementations
    • Weak Assembly Controls
    • Weak GUI Controls
    • Weak or Default Passwords

Test Type: Internet of Things (IoT) and Embedded Systems
  Methodology: OWASP IoT Testing Guide and other industry best practices
  Vulnerabilities: OWASP IoT Top 10

Test Type: Infrastructure and Operations (DevOps Penetration Testing)
  Methodology: PTES (Penetration Testing Execution Standard), NIST SP 800-115, PCI DSS 11.3 (for PCI engagements)
  Vulnerabilities: Vary depending on scope and rules of engagement

For more information on Veracode Manual Penetration Testing, visit the Veracode Help Center.

Time-Boxed Testing

Veracode's Time-Boxed Manual Penetration Testing service tests as much of the application as possible within the number of days purchased. Veracode's penetration testers follow the testing methodologies listed in the table above. Vulnerabilities from Veracode Static and/or DynamicDS scans that have previously been reported in the Veracode Platform will be leveraged during Manual Penetration Testing if they are available to the penetration tester.

Where time is tightly constrained, Veracode focuses on providing the most value for the time allotted. A smaller application may need less time to cover the majority of vulnerability classes, while a larger application may require more. For this reason, Veracode penetration testers may tailor the methodology to concentrate on higher-priority, business-relevant flaws. For example, if a 3-day penetration test is purchased for a 500+ page application with complex business logic, the tester may choose to focus on finding representative examples of higher-risk flaws such as injection, authentication and authorization flaws. In contrast, a 10-day engagement on the same application would allow the tester to cover the entire methodology in greater depth.

Traditional Scoped Manual Penetration Testing

For customers who have purchased MPT scoped through a scoping questionnaire and a scoping call, Veracode performs testing over the scoped number of days using the information the customer provided in the scoping questionnaire and during the scoping call. Contact your Veracode Services or Sales representative for more details.

Manual Penetration Testing Engagement Process

Once the contract and paperwork are complete, MPT can be scheduled based on current lead times. Scheduling lead time varies throughout the year, but expedited scheduling may be available; contact your Veracode Services representative for details. Five days prior to the scheduled start of the MPT, test logistics must be submitted to Veracode for validation (see the section on logistics verification procedures below). The MPT report is delivered in the Veracode Platform 3-5 days after test completion. After report delivery, the customer can request a consultation call to discuss the Assessment findings. A retest (if purchased separately) can be scheduled for an Assessment that Veracode performed within the past 6 months.

Veracode Responsibilities

  1. Manual Penetration Testing is performed remotely.
  2. Veracode will assess the extent of access or impact to the Customer's application by attempting to exploit identified vulnerabilities to gain access to confidential, proprietary or other data.
  3. Veracode will rank vulnerabilities using the Common Vulnerability Scoring System (CVSS v3).
  4. Veracode will perform an internal review of the Assessment Report.
  5. Veracode will deliver a single unified view of the manual penetration Assessment results, any automated scanning results and the applicable generated reports through the Veracode Platform.
  6. Upon the Customer's request, Veracode will conduct a consultation call to:
    1. Discuss Assessment findings.
    2. Discuss tactical and strategic recommendations to address security issues and industry best practices.
  7. The request for a consultation call must be made in writing prior to the end of the Assessment.
  8. Veracode will not perform any denial of service testing or attacks during the course of the Assessment.
  9. Testing and identified vulnerabilities will be limited to the context of the user accounts supplied by the Customer in the Veracode logistics documentation at the start of the Assessment.
  10. Veracode testing is generally conducted between 9:00 AM and 8:00 PM EST; Veracode may conduct testing outside this timeframe. The Customer may request testing outside the normal testing window. Any such request must be submitted via email to [email protected]. If Veracode approves the request, off-hours testing may be subject to additional fees.

Customer Responsibilities

  1. Customer will provide a minimum of three (3) valid user accounts with differing access configured by user role, one of which must be an administrator account capable of updating other accounts' access.
  2. Customer is responsible for ensuring the instance/environment of the Applications is available and functional for the entire duration of the project.
  3. If requested, Customer will provide a high-level architecture diagram of the Applications and supporting infrastructure, as well as any associated user documentation such as API references.
  4. Customer will provide a point of contact who is available during the agreed-upon testing windows to help troubleshoot issues impacting testing.
  5. All Assessment work is conducted remotely via an Internet-accessible system or application environment. If an Internet-facing environment is unavailable, Customer shall make VPN or other intranet/remote system access available.
  6. Customer is responsible for disabling Veracode's access to all Customer environments after the Assessment results are available on the Veracode Platform.
  7. Requests for manual mitigation of findings in the Veracode MPT report must be submitted via email to [email protected].
  8. Customer is responsible for all expenses and liabilities related to shipping any device(s) required to support the requested Assessment.
  9. For Customers who have purchased a set number of Assessment days for multiple Assessments, Veracode shall perform up to 3 Assessments per month. Any Assessments in excess of 3 in a month will be scheduled on a best-efforts basis.
  10. Any cancellation or rescheduling of Veracode resources by Customer within 10 days prior to the agreed-upon scheduled start date may result in 50% of the service hours associated with that scheduled Assessment being deemed used by Customer. Any such cancelled Assessment(s) will be rescheduled using best-effort scheduling.

Pre-Assessment Logistics Verification Procedures

Customer will be required to complete a logistics worksheet and provide Veracode with any equipment required for the Assessment at least 5 days prior to the scheduled start date of the Assessment. Following receipt of the worksheet (and equipment, if applicable), and within 5 business days before the scheduled start date, Veracode will attempt to validate the availability and connectivity of the Application or other access so that the Assessment can begin as scheduled. This verification includes, but is not limited to, confirming that all of the following requirements have been met:

  • Veracode's source IP address(es) have been allow-listed (whitelisted)
  • Test accounts for the Application(s) (usernames/passwords) are valid and working
  • URL(s) for the Application(s) are accessible
  • VPN access is working (if applicable and required for the Assessment)
  • Physical devices, laptops, virtual machines or other equipment are working and have been delivered to the Veracode personnel performing the Assessment (if applicable and required for the Assessment)

Assessment Delays

If Veracode is unable to verify the above logistics at least 5 business days before the scheduled start date, the Assessment may be rescheduled to the next available test window. In addition, once an Assessment has started, if Veracode resources are idle due to matters within the Customer's control (and not due to any action or omission of Veracode) and those matters delay completion of the Assessment, Customer agrees that it may be responsible for payment equal to the number of additional days actually required to complete the Assessment. For Customers who have purchased a set number of Assessment days for multiple Assessments, the hours charged for such a delayed Assessment shall include both the actual number of days required to complete the Assessment and the number of days that Veracode resources were idle, which may include additional days pulled forward from the subsequent month/period of the subscription term.