Veracode Connector Guide
Summary: How to set up and use the Veracode connector in Ivanti Neurons.
Veracode Connector Overview
The Ivanti Neurons platform provides an API-based connector that integrates with Veracode (SAST and DAST) that enables customers to bring their Veracode findings into Ivanti Neurons to gain visibility into their overall risk due to vulnerabilities in their applications, thereby enabling a more simplified and efficient way to manage those vulnerabilities.
Ivanti Neurons users can configure the connector to pull scan data from Veracode on a periodic basis. Data from Veracode is ingested as both Applications and Application Findings. Ivanti Neurons pulls both DAST and SAST findings from Veracode.
Veracode Overview
Veracode is cloud-based solution used for scanning both SAST and DAST of the application module. Veracode also provides manual penetration testing of applications.
Veracode Connector Setup Prerequisites
-
Connector setup in Ivanti Neurons requires the user credentials for their cloud platform via this link.
-
Perform scans for the desired applications, both SAST and DAST.
-
The Veracode connector pulls these files based on the schedule defined during configuration and processes the data, categorizing them into Applications and Application Findings.
-
Refer to the Veracode DAST Data Export Guide for how to perform a sample DAST scan in Veracode. A similar approach can be used for SAST, as well.
-
Please note that when using the guide referenced above, skip the report download and upload to Ivanti Neurons steps. Those steps are required only for manually uploading Veracode files into Ivanti Neurons.
-
User Access and Permissions
To set up the connector, the user account must have API access to Veracode.
To obtain API Credentials from Veracode, Click on Organization in the top-right corner. Go to the API Credentials page. Click Generate API Credentials and copy this information for later use.
Creating the Connector in Ivanti Neurons
Navigate to the Automate > Integrations page.
Using the search bar in the upper-right corner of the Integrations page, type Veracode to find the connector.
Locate the Veracode card on the page and click Configuration.
Complete the following fields. These fields include:
-
Name: Connector name.
-
URL: Add the Veracode cloud instance URL: https://analysiscenter.veracode.com/.
-
ID and API Key: Veracode API credentials retrieved earlier in this guide’s User Access and Permissions section.
-
Network: Network name in Ivanti Neurons. Ingested data will be associated with this network.
-
Oldest Scan Data Pull: Maximum number of days the connector should go back to pull scan results from Veracode. It is a drop-down value that currently supports 30, 60, 90, and 180 days and one-year old data.
Once the fields are complete, click Test Credentials to verify the credentials are correct and can connect to the Veracode instance.
Configure the desired schedule for the connector to retrieve results from the Veracode instance and optionally turn on Enable auto URBA (Update Remediation by Assessment).
Once connector configuration is complete, click Save to create the connector.
After creating the connector, it starts pulling data from Veracode. After configuring the connector, a new entry for it appears at the top of the Integrations page. The connector’s card shows the next scheduled time and date it will fetch results. Check the connector’s status by clicking the History button.
To run the connector on demand, click the Sync icon.
View files pulled from Veracode on the Configuration (
) > Uploads page.
Data Visualization in Ivanti Neurons
Scan data pulled from Veracode via the connector is available on the Manage > Applications and Manage > Application Findings pages.
Based on the type of scan performed in Veracode, either SAST or DAST, Ivanti Neurons fingerprints them correspondingly, and their scanner names are VeracodeSAST/VeracodeDAST, respectively. Fingerprinting is done at the file level, and applications are created based out of it. Application findings are also individually marked as VeracodeSAST/VeracodeDAST scanner types.
Assets discovered from the scan data are added to the Manage > Applications page.
The Manage > Application Findings page displays all identified vulnerability details, as shown below.
Veracode Data Mapping in Ivanti Neurons
The Scanner Name associated with these scans is VeracodeDAST/VeracodeSAST, which can be used as a filter on the Applications page in Ivanti Neurons.
Applications Page
The following table provides a high-level mapping of Ivanti Neurons Applications fields to Veracode SAST/DAST fields.
|
Ivanti Neurons Field |
Veracode SAST Field |
Veracode DAST Field |
|---|---|---|
|
Name |
app_name |
app_name |
|
Address |
app_name |
app_name |
|
Discovered on |
first assessment date |
first assessment date |
|
Last Found on |
latest assessment date |
latest assessment date |
|
Scanner Name |
VeracodeSAST |
VeracodeDAST |
Application Findings Page
The following table provides a high-level mapping of Ivanti Neurons Application Findings fields to Veracode SAST/DAST fields.
|
Ivanti Neurons Field |
Veracode SAST Field |
Veracode DAST Field |
|---|---|---|
|
Title |
categoryname |
categoryname |
|
Location |
combination of values from module + sourcefilepath + sourcefile |
url |
|
Description |
description |
description |
|
Scanner Plugin |
combination of values from issueid + cweid |
combination of values from issueid + cweid |
|
Possible Solution |
recommendations |
recommendations |
|
Discovered on |
date_first_occurrence |
date_first_occurrence |
|
Last Found on |
latest assessment date |
latest assessment date |
|
Finding Type |
SAST |
DAST |