Web Applications continue to be one of the primary attack vectors that lead to breaches within organizations all over the world. As more and more organizations adopt DevOps and CI/CD workflows, there has been an added push to shift security testing to earlier stages in the software development lifecycle. Finding flaws earlier can save precious time as release cycles become faster, however, what happens once an application is running? With the ever-changing threat landscape that organizations function in today, even an application initially developed as securely as possible can become vulnerable over time as attackers uncover new ways to exploit weaknesses. Organizations that fail to test their running web applications risk missing exploitable vulnerabilities that could lead to a breach. In this webinar, product leaders from CA Veracode will discuss the importance of performing Dynamic Application Security Testing (DAST) on web applications during the testing and QA phases to catch exploitable vulnerabilities before release that static testing alone cannot find. They will also discuss how establishing a recurring schedule of DAST scans on your running web applications can help your organization discover new vulnerabilities and help you reduce your risk of a breach.

1. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.1

2. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.2
Market Overview – Application Security

3. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.3
The CA Veracode Portfolio
Code Commit Build Test Release Deploy Operate
CA Veracode Greenlight CA Veracode Static Analysis
CA Veracode Dynamic Analysis
CA Veracode Software Composition Analysis
Developer Training
Application Security Consulting
Security Program Management
CA Veracode Manual Penetration Testing
CA Veracode Discovery

4. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.4
What is DAST?
Crawls
Audits
Reports
A Dynamic Application Security Testing (DAST)
solution will crawl the web app and inventory a
series of links
DAST then audits each link found by the
automated crawler.
If the audit phase identifies a vulnerability, it is
reported to the Veracode Platform for
verification/scrubbing.
Crawling and auditing occur at the same time.

5. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.5
What does DAST find?
• Dynamic Analysis has the ability to capture exploitable
issues at run-time such as certification issues, server
configuration, deployment issues, etc. which Static
Analysis is not able to capture.
• These run-time issues can include vulnerabilities that
may only be found because the web interface interacts
with a web service and the dynamic link between these
two software layers results in a vulnerability when
analyzed as one entity.

6. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.6
Survey Demographics – DAST Use Cases
• How do you use your DAST
solution today?
Years in AppSec Count Percent
Occasional scans in a pre-
production environment
8 27.6%
Regular scans in a pre-
production environment
19 65.6%
To discover all websites owned
by my organization
4 13.8%
Occasional scans in a
production environment
8 27.6%
Regular scans in a production
environment
10 34.5%
0.0%
10.0%
20.0%
30.0%
40.0%
50.0%
60.0%
70.0%
Occasional
scans in a pre-
production
environment
Regular scans
in a pre-
production
environment
To discover all
websites
owned by my
organization
Occasional
scans in a
production
environment
Regular scans
in a production
environment

7. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.7
CA Veracode Web Application Scanning

8. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.8
CA Veracode Dynamic Analysis
Automation Easy to Onboard & Scale Quality of Results
• Scheduling Automation
Recurring Scanning
• IT Maintenance Window
Automation – Automated
Pause & Resume
• Scan Stop
• Time Savings – less time
managing
• All you need is a URL
• Batch Upload Configuration
• Batch Scanning
• Concurrent Scanning
• Security Program
Management
• Time Savings – less time
spent configuring
• Broad Coverage of Apps
incl. Single Page Apps
• Breadth of CWEs
• Low FP Rate
• Actionable Results
• Remediation Consultation
• Time Savings – faster
remediation

9. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.9
Automate Your Scans
• Scheduling Automation
Recurring Scanning
• IT Maintenance Window
Automation – Automated
Pause & Resume
• Scan Stop

10. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.10
Easy to Onboard & Scale
• All you need is a URL
• Batch Upload Configuration
• Batch Scanning
• Concurrent Scanning
• Security Program
Management

11. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.11
High Quality of Results
• Broad Coverage of Apps
incl. Single Page Apps
• Breadth of CWEs
• Low FP Rate
• Actionable Results
• Remediation Consultation

12. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.12
• Remediation Consultation – Provide guidance in understanding
the results
• Security Program Management – Setup and help manage an
AppSec program
• Operational Assistance
– Login Script Assistance
– False Positive Removal
Dynamic Analysis Services
SERVICES

13. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.13
Closing Thoughts
• DAST Scanning is an integral part of a well rounded
Application Security program and covers applications in
pre-prod and production (runtime) environments.
• DAST Scanning helps ensure the continued security of your
applications and finds exploitable vulnerabilities that static
testing alone cannot find.
• DAST solutions should provide users with automation, ease of
onboarding, scalability, speed, and coverage.

14. © 2017 VERACODE INC. A BUSINESS UNIT OF CA TECHNOLOGIES.14
LEARN MORE
KEEP THE CONVERSATION GOING!
Join the Veracode Community
https://community.veracode.com
Web Application (Dynamic) Scanning Group