Veracode Connector Guide

Summary: How to set up and use the Veracode connector in Ivanti Neurons.

Veracode Connector Overview

The Ivanti Neurons platform provides an API-based connector that integrates with Veracode (SAST and DAST). The connector lets customers bring their Veracode findings into Ivanti Neurons, giving them visibility into the overall risk posed by vulnerabilities in their applications and a simpler, more efficient way to manage those vulnerabilities.

Ivanti Neurons users can configure the connector to pull scan data from Veracode on a periodic basis. Data from Veracode is ingested as both Applications and Application Findings. Ivanti Neurons pulls both DAST and SAST findings from Veracode.

Veracode Overview

Veracode is a cloud-based solution used for both SAST and DAST scanning of applications. Veracode also provides manual penetration testing of applications.

Veracode Connector Setup Prerequisites

  • Connector setup in Ivanti Neurons requires the user credentials for their cloud platform via this link.

  • Perform scans for the desired applications, both SAST and DAST.

  • The Veracode connector pulls these files based on the schedule defined during configuration and processes the data, categorizing them into Applications and Application Findings.

  • Refer to the Veracode DAST Data Export Guide for how to perform a sample DAST scan in Veracode. A similar approach can be used for SAST, as well.

    • Please note that when using the guide referenced above, skip the report download and upload to Ivanti Neurons steps. Those steps are required only for manually uploading Veracode files into Ivanti Neurons.

User Access and Permissions

To set up the connector, the user account must have API access to Veracode.

To obtain API credentials from Veracode, click Organization in the top-right corner and go to the API Credentials page. Click Generate API Credentials and copy this information for later use.

Veracode Connector - API Credentials Page

Creating the Connector in Ivanti Neurons

Navigate to the Automate > Integrations page.

Navigation - Automation - Integrations

Using the search bar in the upper-right corner of the Integrations page, type Veracode to find the connector.

Veracode Connector - Search for Connector

Locate the Veracode card on the page and click Configuration.

Veracode Connector - Configuration Button Location

Complete the following fields:

  • Name: Connector name.

  • URL: Add the Veracode cloud instance URL: https://analysiscenter.veracode.com/.

  • ID and API Key: Veracode API credentials retrieved earlier in this guide’s User Access and Permissions section.

  • Network: Network name in Ivanti Neurons. Ingested data will be associated with this network.

  • Oldest Scan Data Pull: Maximum number of days the connector should go back to pull scan results from Veracode. This drop-down currently supports 30, 60, 90, and 180 days, and one year.

Veracode Connector - Connector Configuration Window

Once the fields are complete, click Test Credentials to verify the credentials are correct and can connect to the Veracode instance.

Veracode Connector - Test Credentials

Configure the desired schedule for the connector to retrieve results from the Veracode instance and optionally turn on Enable auto URBA (Update Remediation by Assessment).

Once connector configuration is complete, click Save to create the connector.

Veracode Connector - Save Connector Button Location

Once the connector is created, it starts pulling data from Veracode, and a new entry for it appears at the top of the Integrations page. The connector’s card shows the next scheduled time and date it will fetch results. Check the connector’s status by clicking the History button.

Veracode Connector - Connector History

To run the connector on demand, click the Sync icon.

Veracode Connector - Sync Icon

View files pulled from Veracode on the Configuration (gear icon) > Uploads page.

Veracode Connector - Uploads Page

Data Visualization in Ivanti Neurons

Scan data pulled from Veracode via the connector is available on the Manage > Applications and Manage > Application Findings pages.

Veracode Connector - Applications and Application Findings Page Locations

Ivanti Neurons fingerprints the data according to the type of scan performed in Veracode: SAST scans are assigned the scanner name VeracodeSAST and DAST scans the scanner name VeracodeDAST. Fingerprinting is done at the file level, and applications are created based on it. Application findings are also individually marked with the VeracodeSAST or VeracodeDAST scanner type.

Assets discovered from the scan data are added to the Manage > Applications page.

Veracode Connector - Applications Page

The Manage > Application Findings page displays all identified vulnerability details, as shown below.

Veracode Connector - Application Findings Page

Veracode Data Mapping in Ivanti Neurons

The Scanner Name associated with these scans is VeracodeDAST/VeracodeSAST, which can be used as a filter on the Applications page in Ivanti Neurons.

Applications Page

The following table provides a high-level mapping of Ivanti Neurons Applications fields to Veracode SAST/DAST fields.

| Ivanti Neurons Field | Veracode SAST Field | Veracode DAST Field |
|---|---|---|
| Name | app_name | app_name |
| Address | app_name | app_name |
| Discovered on | first assessment date | first assessment date |
| Last Found on | latest assessment date | latest assessment date |
| Scanner Name | VeracodeSAST | VeracodeDAST |

Application Findings Page

The following table provides a high-level mapping of Ivanti Neurons Application Findings fields to Veracode SAST/DAST fields.

| Ivanti Neurons Field | Veracode SAST Field | Veracode DAST Field |
|---|---|---|
| Title | categoryname | categoryname |
| Location | combination of values from module + sourcefilepath + sourcefile | url |
| Description | description | description |
| Scanner Plugin | combination of values from issueid + cweid | combination of values from issueid + cweid |
| Possible Solution | recommendations | recommendations |
| Discovered on | date_first_occurrence | date_first_occurrence |
| Last Found on | latest assessment date | latest assessment date |
| Finding Type | SAST | DAST |