Veracode Connector

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.

Veracode Web Application Scanning combines a DAST assessment tool with static analysis and other technologies to more effectively find, secure, and monitor websites and applications. The tool helps find hidden security issues often missed by other products, looking in directories, debug code, leftover source code, and resource files for information that hackers could exploit to gain access to the application. From hidden usernames and passwords to ODBC connectors and SQL strings, Veracode identifies potential vulnerabilities to enable faster fixes.

Tip: For more information on how third-party integrations work, see Connectors.

Connector Details

Details	Description
Supported products	Veracode - Dynamic Analysis Note: DAST Essentials is not supported
Category	DAST
Ingested data	Assets and Findings
Ingested Asset Classes	Web Application
Integration type	UNI directional (data is transferred from the Connector to Tenable Exposure Management in one direction)
Supported version and type	SaaS (latest)

Prerequisites and User Permissions

Before you begin configuring the connector, make sure you have the following:

A Veracode API user account with the following permissions:
- Reviewer with Results API role
For more information, see Create an API user in the Veracode Platform | Veracode Docs
Generate Credentials (API ID and Secret keys)

Generate Credentials

In Veracode:

Click on the gear icon and select Admin.
Navigate to the Users tab and click Add New User.
Type your user details:
- Provide a descriptive first and last name.
- Check the Non-Human User box.
IMPORTANT! You cannot convert an existing user account to an API service account. A new user account must be created with the Non-Human User checkbox selected.
In User Settings, enter a valid email address for the API service account. Veracode will use this address to send notifications regarding error messages, password expiration, and other automated messages.
(Optional) Specify the IP range restrictions for the user.
In the User Roles section, select the APIs the API service account should access.
For the "Restrict Loigin IP" option, select No.
Click Save to create and enable the user account.

The user will receive an activation email.

Note: Before accessing the APIs, users must activate their account, generate API credentials, and enable HMAC authentication.

Add a Connector

To add a new connector:

In the left navigation menu, click Connectors.

The Connectors page appears.
In the upper-right corner, click Add new connector.

The Connector Library appears.
In the search box, type the name of the connector.
On the tile for the connector, click Connect.

The connector configuration options appear.

Configure the Connector

To configure the connector:

(Optional) In the Connector's Name text box, type a descriptive name for the connector.
From the Region drop-down, select the region in which the connector resides, for example, US.
In the API Key and API Secret text boxes, paste the client credentials you generated in Veracode.
In the Data pulling configuration section, you can configure dynamic settings specific to the connector.
- From the Veracode findings ingestion drop-down, select the type of findings you want to fetch from Veracode.
- In the Asset Retention text box, type the number of days after which you want assets to be removed from Tenable Exposure Management. If an asset has not been detected or updated within the specified number of days, it is automatically removed from the application, ensuring your asset inventory is current and relevant.
  
  Tip: For more information, see Asset Retention.
In the Test connectivity section, click the Test Connectivity button to verify that Tenable Exposure Management can connect to your connector instance.
- A successful connectivity test confirms that the platform can connect to the connector instance. It does not, however, guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.
- If the connectivity test fails, an error message with details about the issue appears. Click Show tests for more information about the exact error.
In the Connector scheduling section, configure the time and day(s) on which you want connector syncs to occur.

Tip: For more information, see Connector Scheduling
Click Create. Tenable Exposure Management begins syncing the connector. The sync can take some time to complete.
To confirm the sync is complete, do the following:
- Navigate to the Connectors page and monitor the connector's status. Sync is complete once the connector status is Connected.
- View the sync logs for the connector to monitor the logs for a successful connection.

Veracode in Tenable Exposure Management

Locate Connector Assets in Tenable Exposure Management

As the connector discovers assets, Tenable Exposure Management ingests those devices for reporting.

To view assets by connector:

In Tenable Exposure Management, navigate to the Assets page.
In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view assets.

The asset list updates to show only assets from the selected connector.
Click on any asset to view Asset Details.

Locate Connector Weaknesses in Tenable Exposure Management

As the connector discovers weaknesses, Tenable Exposure Management ingests those weaknesses for reporting.

To view weaknesses by connector:

In Tenable Exposure Management, navigate to the Weaknesses page.
In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view weaknesses.

The weaknesses list updates to show only weaknesses from the selected connector.
Click on any weakness to view Weakness Details.

Locate Connector Findings in Tenable Exposure Management

As the connector discovers individual findings, Tenable Exposure Management ingests those findings for reporting.

To view findings by connector:

In Tenable Exposure Management, navigate to the Findings page.
In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view findings

The findings list updates to show only assets from the selected connector.
Click on any asset to view Finding Details.

Data Mapping

Exposure Management integrates with the connector via API to retrieve relevant weakness and asset data, which is then mapped into the Exposure Management system. The following tables outline how fields and their values are mapped from the connector to Exposure Management.

Note: Veracode applications are mapped into Exposure Management Web Applications, alongside with their detected DAST findings.

Web Application Mapping

Tenable Exposure Management Value	Veracode Value
Unique Identifier	guid
Asset - Name	profile.name
Asset - First Observation Date	created
Asset - Last Observed At	last_completed_scan_date
Asset - Webapp Homepage Screenshot Url	finding_details.url
Asset - External Tags	profile.tags Team Name: profile.teams[0].team_name Business Unit Name: profile.business_unit.name Business Criticality: profile.business_criticality custom_fields
Asset Custom Attributes	Business Criticality: profile.business_criticality Policy Compliance Status: profile.policies Blockcode: profile.custom_fields IT Director: profile.custom_fields IT SLT Member: profile.custom_fields App Profile Url: app_profile_url Results Url Id Guid

Finding Mapping

Tenable Exposure Management UI Field	Veracode Field
Unique Identifier	finding_details.finding_category.name + issue_id + application_guid
Finding Name	finding_details.finding_category.name
CVEs	cveId
CWEs	connection_cwes
Severity Driver	finding_details.severity * 2
Description	data.description
Finding Custom Attributes	finding_details.attack_vector Flaw ID: finding_details.finding_category.id Vulnerable Parameter: finding_details.vulnerable_parameter Scan Type: DAST Issue Id: issue_id Severity: finding_details.severity Module: finding_details.module Relative Location: finding_details.relative_location Procedure: finding_details.procedure Attack Vector: finding_details.attack_vector File Line Number: finding_details.file_line_number Path: finding_details.path CWE: finding_details.cwe.id
First Seen	finding_status.first_found_date
Last seen (Observed)	finding_status.last_seen_date

Finding Status Mapping

Tenable Exposure Management Status	Veracode Status
Active	New or Updated
Fixed	Fixed

Note:For Veracode, Exposure Management uses the finding_status.status field to determine status.

Finding Severity Mapping

Tenable Exposure Management Severity	Veracode Score
Critical	5
High	4
Medium	2, 3
Low	1

Note:For Veracode, Tenable uses the findings_details.severity * 2 field to determine severity.

Status Update Mechanisms

Every day, Tenable Exposure Management syncs with the vendor's platform to receive updates on existing findings and assets and to retrieve new ones (if any were added).

The table below describes how the status update mechanism works in the connector for findings and assets ingested into Tenable Exposure Management.

Update Type in Exposure Management	Mechanism (When?)
Archiving Assets	Asset that appears in Tenable Exposure Management and isn't returned on the next connector's sync. Asset not seen for X days according to "Last Seen". See Asset Retention
Change a Finding status from "Active" to "Fixed"	Finding no longer appears in the scan findings Finding status changes to close on the vendor's side.

Note: Updates on the vendor side are reflected in Tenable Exposure Management only when the next scheduled connector sync time is complete (once a day).

Uniqueness Criteria

Tenable Exposure Management uses defined uniqueness criteria to determine whether an ingested asset or finding should be recognized as a distinct record. These criteria help define how assets and findings are identified and counted from each connector.

Tip: To learn more about data deduplication and uniqueness criteria, See Third-Party Data Deduplication in Tenable Exposure Management

The uniqueness criteria for this connector are as follows:

Data	Uniqueness Criteria
Asset	guid
Detection	finding_details.finding_category.name
Finding	finding_details.finding_category.name + issue_id + application_guid

API Endpoints in Use

Support and Expected Behavior

In Veracode, each application is treated as a single asset of type website. Veracode's API supports fetching both SAST and DAST vulnerabilities; however, there is a distinction in how these vulnerabilities are managed.

DAST Vulnerabilities: While Veracode allows scanning additional URLs that are not necessarily linked to applications, the API imposes a limitation—it only supports fetching DAST information when it is explicitly linked to an application.

To link dynamic scans to applications, see Link Dynamic Analysis results to an application profile | Veracode Docs.

Due to the API restriction, Exposure Management only retrieves findings associated with specific applications.

API Endpoints in Use

API version: v1 , v2

API	Use in Tenable Exposure Management
{{{ region }}}/appsec/v1/applications/	Assets
{{{ region }}}/appsec/v2/applications/{{ application_guid }}/findings	Findings, Detections
{{{ region }}}/appsec/v1/categories/	Enrichment for detections

Data Validation

This section shows how to validate and compare data between Tenable Exposure Management and the Veracode platform.

Asset Data Validation

Objective: Ensure the number of endpoints (devices) in Veracode aligns with the number of devices displayed in Tenable Exposure Management. Each application in Veracode is considered a Web Application asset in Exposure Management.

In Veracode:

Navigate to My Portfolio > Applications.
Note the number of applications presented.

In Tenable Exposure Management:

Locate your connector assets.
Compare the total number of assets between Veracode and Tenable Exposure Management.

Expected outcome: The total numbers returned in Veracode and Exposure Management should match.

If an asset is not visible in Exposure Management, check the following conditions:

The asset was archived based on its last observed date (last_completed_scan_date field).
The asset was archived because it did not return in the connector's last sync.

Tip: To learn more on how assets are archived and findings change status, see Status Update Mechanisms.

Finding Data Validation

Objective: Ensure the number of findings in Veracode aligns with the number of findings in Tenable Exposure Management.

In Veracode:

Navigate to My Portfolio > Applications.
Click on each application from the list, then select "View Report" on the left navigation menu.
Navigate to the "Executive Summary" tab.
Summarize the findings listed in the "Dynamic" column only for the Very High, High, Medium, Low, Very Low, and Information severities.
Example:

In Tenable Exposure Management:

Locate your connector findings.
Compare the total number of findings between Veracode and Tenable Exposure Management.

Expected outcome: The total numbers returned in Veracode and Exposure Management should match

If a finding is missing from Exposure Management or no longer active, check the following conditions:

The finding is marked as Fixed and appears under the Fixed state on the Findings screen
The finding no longer appears because its related asset was archived.

Tip: To learn more on how assets are archived and findings change status, see Status Update Mechanisms.