HackerSecret.com - The Most Authoritative Site in the World on the Hacking Tools and Techniques, Penetration Testing and CyberSecurity

Automate Dynamic Analysis Scans With New REST APIs

by / Saturday, 09 November 2019 / Published in Hacking

In today’s fast-paced, technology-driven world, preventing security breaches has become an increasingly important priority for organizations; however, keeping your organization as secure as possible can feel like trying to hit a moving target. One of the most common attack vectors that results in a breach is an insecure web application. Dynamic Application Security Testing (DAST) is one of the best ways to identify and remediate exploitable vulnerabilities in your web applications and reduce your risk of a breach.

With a shift towards DevOps and more rapid releases, the easiest way to accomplish DAST scanning is through automation. This allows developers and security teams to automatically kick off DAST scans directly from the tools they already use. The Veracode Dynamic Analysis REST APIs enable our customers to automate the core functionality of the solution within their chosen development and security processes. Specifically, the REST APIs enable development teams to build their own integrations to create, configure, schedule, and run scans, and to link the results back to the application profile, which aggregates scan results across multiple assessment types. This means that development teams can kick off DAST scans and retrieve the results without ever needing to leave their unique workflows and development environments. The REST APIs, coupled with faster scan times, even allow customers to integrate DAST scanning as a non-release-blocking post-build action in their CI/CD pipeline.

Veracode’s YAML and Swagger files describe these APIs, making it easy to integrate Veracode Dynamic Analysis into your SDLC regardless of which development tool you use. For further information on the Veracode APIs, visit the Veracode Help Center.

How to automate dynamic application scanning

DAST scans take longer to return results than static analysis because they need to crawl and attack the live application the way an attacker would, without bringing the application down. Because of this crawl-and-audit scanning process, DAST solutions can seem less DevOps friendly than other assessment types. This can result in pushback from development teams when they are asked to include DAST scanning every time the pipeline runs.

The Veracode Dynamic Analysis REST APIs help address some of this pushback. Now, instead of needing to take a separate step to initiate a DAST scan, development teams can integrate Veracode Dynamic Analysis into their SDLC or a parallel security process and automatically kick off scans.

There are several approaches you can take to automate DAST scanning with the Veracode Dynamic Analysis APIs:

100% API Driven: This is a very flexible approach made for teams that have a high level of comfort with writing custom scripts and using APIs for automation. This approach allows customers to use Swagger documentation, JSON templates, and possibly sequential API calls to drive intended code, configuration, and scan reuse behavior.

UI Configured, API Scheduled: This hybrid model allows customers to configure their scans within the Veracode Dynamic Analysis UI and then leverage that configuration when setting up automation through the APIs. This enables customers to validate their configuration with prescan prior to integrating with the APIs and allows for more trial and error.

Below is an example of a recurring scan that starts every Friday, and the schedule expires after two instances.

[Screenshot: DAST_recurring_scan.png]

Below is an example of a scan configured with Pause and Resume for a blackout period between 9 and 11 pm.

[Screenshot: Pause_and_Resume_DAST_scan.png]

Below is an example of how to set up Auto Login for authenticated scans.

[Screenshot: authenticated_DAST_scan.png]

Scan applications on private networks with Internal Scanning Management (ISM)

It’s best practice to carry out dynamic analysis scans before an application is released to production and then regularly when it’s in production to ensure that there are no new exploitable vulnerabilities in the application. The first round of scanning therefore must take place either during the test or QA phases of deployment, but often these environments are not reachable from the Internet as they are behind the firewall. The only way to automate DAST scanning in the CI/CD is to conduct a behind-the-firewall scan. Additionally, some applications, such as those that are used for financial operations and HR purposes or applications that contain sensitive, highly regulated data, always live behind a firewall as an added layer of security. Unfortunately, if the firewall is compromised, these applications can still be at risk of a breach if not regularly scanned.

Veracode Dynamic Analysis uses Internal Scanning Management (ISM) to reach applications behind the firewall. ISM establishes a secure connection between Veracode’s cloud and the network segment that hosts the target application. Unlike on-premises scanning appliances, which typically have a one-to-one relationship between appliance and application, Veracode Internal Scanning Management allows organizations to scan multiple internal applications through a single endpoint. Additionally, this model does not require operational maintenance because all scan engine updates are carried out within the Veracode Platform. The Veracode Dynamic Analysis REST APIs allow customers to automate internal scanning as well: once a customer has set up ISM within the Veracode Dynamic Analysis UI, API calls can reference the gateway and endpoint IDs to automatically kick off DAST scans on applications that live behind the firewall.
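The following is an added example, not Veracode’s own code, showing how a CI job could assemble the request body for the recurring Friday scan that expires after two instances, the 9-11 pm pause/resume window, and an ISM-routed target described above, instead of configuring each in the UI. The JSON field names, the ISM endpoint ID, and the target URLs are assumptions; take the real schema from the Swagger file in the Veracode Help Center.

```python
# Added example, not Veracode's own code: build the analysis request for the
# recurring Friday scan (two instances), the 9-11pm pause/resume window and an
# ISM-routed target. Field names are assumptions; the real schema comes from
# the Swagger file in the Veracode Help Center.
from datetime import datetime, timedelta, time
from typing import Optional

FRIDAY = 4  # datetime.weekday(): Monday=0 ... Friday=4


def first_run_on(weekday: int, not_before: datetime) -> datetime:
    """Midnight of the first `weekday` whose date is on or after `not_before`."""
    days_ahead = (weekday - not_before.weekday()) % 7
    return datetime.combine(not_before.date() + timedelta(days=days_ahead), time(0, 0))


def occurrences(first_run: datetime, count: int) -> list:
    """Start times of a weekly schedule that expires after `count` instances."""
    return [first_run + timedelta(weeks=i) for i in range(count)]


def in_blackout(ts: datetime, start: time, end: time) -> bool:
    """True when the scanner must be paused; the window may cross midnight."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def build_analysis_request(name: str, target_url: str, first_run: datetime,
                           count: int = 2, blackout=(time(21, 0), time(23, 0)),
                           ism_endpoint_id: Optional[str] = None) -> dict:
    """One analysis: weekly from `first_run`, expiring after `count` runs, paused
    nightly inside `blackout`; optionally routed through an ISM endpoint that
    was already set up in the UI (hypothetical field names throughout)."""
    scan_config = {"target_url": {"url": target_url}}
    if ism_endpoint_id:
        scan_config["internal_scan"] = {"endpoint_id": ism_endpoint_id}
    return {
        "name": name,
        "scans": [{"scan_config_request": scan_config}],
        "schedule": {
            "start_date": first_run.isoformat(),
            "recurrence": {"type": "WEEKLY", "end_after_occurrences": count},
            "pause_window": {"start": blackout[0].strftime("%H:%M"),
                             "end": blackout[1].strftime("%H:%M")},
        },
    }
```

The returned dict is what the CI step would serialise and POST with the Veracode API credentials; `in_blackout` is the same check the scanner applies when deciding to pause.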

Why DAST: find exploitable vulnerabilities other assessment types overlook

When you go to your doctor for an annual checkup, she conducts several tests on you. Taking your temperature won’t surface issues with your liver, and a blood test won’t find a broken bone. Similarly, a comprehensive application security program needs several assessment types for due diligence of high-risk applications.

Dynamic analysis instruments a browser to actively attack the running application. As such, the vulnerabilities it finds are provably exploitable and not merely theoretical based on analyzing the source code, which reduces false positives. Dynamic analysis is also the only assessment type that can find security misconfigurations on the server because it assesses the running instance rather than the code. In a nutshell, one assessment type only gives you a partial understanding of your application risk; the only way to ensure that you have broad security coverage of your applications is to scan with multiple assessment types across your software development lifecycle.

Regardless of which combination of scanning technologies your team leverages, automating scanning ensures broader adoption of security testing among development and security teams. Veracode Dynamic Analysis’ REST APIs provide added flexibility for organizations to include DAST scanning in development and existing security processes by reducing the time teams must spend uploading, configuring, scheduling, and kicking off scans, ultimately helping our customers reduce their overall risk of a breach. For more information, please visit the Veracode Help Center or the Veracode Community.

RSS | Veracode Blog
