Veracode Connector Guide

How to set up and use the Veracode connector in RiskSense.

Veracode Connector Overview

The RiskSense platform provides an API-based connector for Veracode (SAST and DAST). It lets customers bring their Veracode findings into RiskSense, giving them visibility into the overall risk posed by vulnerabilities in their applications and a simpler, more efficient way to manage those vulnerabilities.

RiskSense users can configure the connector to pull scan data from Veracode on a periodic basis. Data from Veracode is ingested as both Applications and Application Findings. RiskSense pulls both DAST and SAST findings from Veracode.

Veracode Overview

Veracode is a cloud-based solution that performs both SAST and DAST scanning of application modules. Veracode also provides manual penetration testing of applications.

Veracode Connector Setup Prerequisites

  • Connector setup in RiskSense requires the user's credentials for the Veracode cloud platform at https://analysiscenter.veracode.com/.
  • Perform scans for the desired applications, both SAST and DAST.
  • The Veracode connector pulls these scan results on the schedule defined during configuration and processes the data, categorizing it into Applications and Application Findings.
  • Refer to the Veracode DAST Data Export Guide for how to perform a sample DAST scan in Veracode. A similar approach can be used for SAST, as well.
    • Please note that when using the guide referenced above, skip the report download and upload to RiskSense steps. Those steps are required only for manually uploading Veracode files into RiskSense.

User Access and Permissions

To set up the connector, the user account must have API access to Veracode.

To obtain API credentials from Veracode, click Organization in the top-right corner and go to the API Credentials page. Click Generate API Credentials and copy the resulting ID and key for later use.

Veracode Connector - API Credentials Page

Creating the Connector in RiskSense

Navigate to the Automate > Integrations page.

Navigation - Automate - Integrations

Using the search bar in the upper-right corner of the Integrations page, type Veracode to find the connector.

Veracode Connector - Search for Connector

Locate the Veracode card on the page and click Configuration.

Veracode Connector - Configuration Button Location

Complete the following fields:

  • Name: Connector name.
  • URL: Add the Veracode cloud instance URL: https://analysiscenter.veracode.com/.
  • ID and API Key: Veracode API credentials retrieved earlier in this guide’s User Access and Permissions section.
  • Network: Network name in RiskSense. Ingested data will be associated with this network.
  • Oldest Scan Data Pull: Maximum number of days the connector should go back when pulling scan results from Veracode. This is a drop-down value that currently supports 30, 60, 90, and 180 days and one year.

Veracode Connector - Connector Configuration Window

Once the fields are complete, click Test Credentials to verify the credentials are correct and can connect to the Veracode instance.

Veracode Connector - Test Credentials

Configure the desired schedule for the connector to retrieve results from the Veracode instance and optionally turn on Enable auto URBA (Update Remediation by Assessment).

Once connector configuration is complete, click Save to create the connector.

Veracode Connector - Save Connector Button Location

After the connector is created, it starts pulling data from Veracode, and a new entry for it appears at the top of the Integrations page. The connector's card shows the next scheduled date and time it will fetch results. Check the connector's status by clicking the History button.

Veracode Connector - Connector History

To run the connector on demand, click the Sync icon.

Veracode Connector - Sync Icon

View files pulled from Veracode on the Configuration (Settings Menu - Gear - Small) > Uploads page.

Veracode Connector - Uploads Page

Data Visualization in RiskSense

Scan data pulled from Veracode via the connector is available on the Manage > Applications and Manage > Application Findings pages.

Veracode Connector - Applications and Application Findings Page Locations

Based on the type of scan performed in Veracode, either SAST or DAST, RiskSense fingerprints the data correspondingly, and the scanner names are VeracodeSAST and VeracodeDAST, respectively. Fingerprinting is done at the file level, and applications are created based on it. Application findings are also individually marked with the VeracodeSAST or VeracodeDAST scanner type.

Assets discovered from the scan data are added to the Manage > Applications page.

Veracode Connector - Applications Page

The Manage > Application Findings page displays all identified vulnerability details, as shown below.

Veracode Connector - Application Findings Page

Veracode Data Mapping in RiskSense

The Scanner Name associated with these scans is VeracodeDAST/VeracodeSAST, which can be used as a filter on the Applications page in RiskSense.

Applications Page

The following table provides a high-level mapping of RiskSense Applications fields to Veracode SAST/DAST fields.

RiskSense Field   Veracode SAST Field       Veracode DAST Field
Name              app_name                  app_name
Address           app_name                  app_name
Discovered on     first assessment date     first assessment date
Last Found on     latest assessment date    latest assessment date
Scanner Name      VeracodeSAST              VeracodeDAST

Application Findings Page

The following table provides a high-level mapping of RiskSense Application Findings fields to Veracode SAST/DAST fields.

RiskSense Field     Veracode SAST Field                                   Veracode DAST Field
Title               categoryname                                          categoryname
Location            combination of module + sourcefilepath + sourcefile   url
Description         description                                           description
Scanner Plugin      combination of issueid + cweid                        combination of issueid + cweid
Possible Solution   recommendations                                       recommendations
Discovered on       date_first_occurrence                                 date_first_occurrence
Last Found on       latest assessment date                                latest assessment date
Finding Type        SAST                                                  DAST
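The two mapping tables above describe how Veracode fields become RiskSense Applications and Application Findings fields. The following Python script is an added illustration of that mapping, not RiskSense or Veracode code. The Veracode field names (app_name, categoryname, module, sourcefilepath, sourcefile, url, issueid, cweid, description, recommendations, date_first_occurrence) come from the tables; the dictionary shape of the input records, the underscored date keys, the separators used when combining fields, and the sample records are assumptions made for the example. Missing required fields are reported up front rather than surfacing as a bare KeyError halfway through ingestion, which is the failure mode a practitioner would most want to see handled when validating connector output.

```python
from __future__ import annotations

from typing import Any

# Scanner name RiskSense assigns per Veracode scan type (from the mapping tables).
SCANNER_NAME = {"SAST": "VeracodeSAST", "DAST": "VeracodeDAST"}

# The page only says these RiskSense values are a "combination of" the listed
# Veracode fields; the separators below are assumptions for this example.
LOCATION_SEP = "/"
PLUGIN_SEP = "-"


def _require(record: dict[str, Any], keys: tuple[str, ...], what: str) -> None:
    """Fail early with a clear message listing every missing or empty field."""
    missing = [k for k in keys if record.get(k) in (None, "")]
    if missing:
        raise ValueError(f"{what} record is missing required fields: {missing}")


def map_application(record: dict[str, Any], finding_type: str) -> dict[str, str]:
    """Map one Veracode application record to the RiskSense Applications fields."""
    if finding_type not in SCANNER_NAME:
        raise ValueError(f"unknown finding type: {finding_type!r}")
    # Date keys are assumed to be underscored versions of the table's names.
    _require(record, ("app_name", "first_assessment_date", "latest_assessment_date"), "application")
    return {
        "Name": record["app_name"],
        "Address": record["app_name"],
        "Discovered on": record["first_assessment_date"],
        "Last Found on": record["latest_assessment_date"],
        "Scanner Name": SCANNER_NAME[finding_type],
    }


def _sast_location(record: dict[str, Any]) -> str:
    """SAST Location = module + sourcefilepath + sourcefile, joined like a path."""
    parts = [str(record[k]).strip("/") for k in ("module", "sourcefilepath", "sourcefile")]
    return LOCATION_SEP.join(p for p in parts if p)


def map_finding(record: dict[str, Any], finding_type: str) -> dict[str, str]:
    """Map one Veracode finding to the RiskSense Application Findings fields."""
    if finding_type not in SCANNER_NAME:
        raise ValueError(f"unknown finding type: {finding_type!r}")
    common = ("categoryname", "description", "recommendations", "issueid", "cweid",
              "date_first_occurrence", "latest_assessment_date")
    _require(record, common, finding_type)
    if finding_type == "SAST":
        _require(record, ("module", "sourcefilepath", "sourcefile"), "SAST")
        location = _sast_location(record)
    else:
        _require(record, ("url",), "DAST")
        location = record["url"]
    return {
        "Title": record["categoryname"],
        "Location": location,
        "Description": record["description"],
        "Scanner Plugin": f"{record['issueid']}{PLUGIN_SEP}{record['cweid']}",
        "Possible Solution": record["recommendations"],
        "Discovered on": record["date_first_occurrence"],
        "Last Found on": record["latest_assessment_date"],
        "Finding Type": finding_type,
    }


# Constructed sample records for the example; not real Veracode output.
SAMPLE_APP = {
    "app_name": "webapp",
    "first_assessment_date": "2023-05-02",
    "latest_assessment_date": "2023-06-15",
}
SAMPLE_SAST = {
    "categoryname": "Cross-Site Scripting (XSS)",
    "module": "webapp.war",
    "sourcefilepath": "com/example/web/",
    "sourcefile": "SearchServlet.java",
    "description": "Untrusted data is written to the response without encoding.",
    "recommendations": "Contextually encode output before writing it to the response.",
    "issueid": 1042,
    "cweid": 80,
    "date_first_occurrence": "2023-05-02",
    "latest_assessment_date": "2023-06-15",
}
SAMPLE_DAST = {
    "categoryname": "Cross-Site Scripting (XSS)",
    "url": "https://app.example.com/search?q=1",
    "description": "Reflected input observed in the response body.",
    "recommendations": "Contextually encode output before writing it to the response.",
    "issueid": 77,
    "cweid": 79,
    "date_first_occurrence": "2023-06-01",
    "latest_assessment_date": "2023-06-15",
}

if __name__ == "__main__":
    print(map_application(SAMPLE_APP, "SAST"))
    print(map_finding(SAMPLE_SAST, "SAST"))
    print(map_finding(SAMPLE_DAST, "DAST"))
```

Running the script prints the three mapped records; the SAST finding's Location becomes webapp.war/com/example/web/SearchServlet.java and its Scanner Plugin 1042-80 under the assumed separators, while the DAST finding's Location is simply its url.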