Compliance policies

You can apply the predefined compliance policies, as well as your own custom compliance policies, to show only data for the issues that are relevant to you.

ASoC includes a selection of predefined compliance policies. You can also create your own custom compliance policies using our predefined functions. Compliance policy creation and management is available through the user interface and through the REST API. You can associate up to five policies with any application. In addition, you can apply a baseline policy that takes into account only issues found after a specified date and time.
Note: When you associate a compliance policy with an application, it is enabled by default. You can disable the compliance policy while maintaining the association, and re-enable it later.
Note: When a compliance policy is deleted, all associations are removed.
Note: If no compliance policies are enabled, an application is considered compliant only if there are no active issues with severity Critical, High, Medium, or Low. You can associate and enable compliance policies to override this default compliance.

Predefined compliance policies

All predefined compliance policies are available through the user interface as well as through the API. Policies available are:
Industry Standard
  - CWE Top 25 Most Dangerous Software Weaknesses 2021
  - CWE Top 25 Most Dangerous Software Weaknesses 2023
  - International Standard - ISO 27001
  - International Standard - ISO 27002
  - NIST Special Publication 800-53
  - OWASP API Security Top 10 2019
  - OWASP API Security Top Ten 2023
  - OWASP Application Security Verification Standard V4.0.3
  - OWASP Cloud-Native Application Security Top 10
  - OWASP Top 10 2017
  - OWASP Top 10 2021
  - OWASP Top 10 Mobile 2016
  - WASC Threat Classification v2.0

Regulatory Compliance
  - CANADA Freedom of Information and Protection of Privacy Act (FIPPA)
  - EU Digital Operational Resilience Act (DORA)
  - EU General Data Protection Regulation (GDPR)
  - Network and Information Security Directive (NIS2)
  - Payment Application Data Security Standard
  - South Africa Protection of Personal Information Act (PoPIA)
  - The Payment Card Industry Data Security Standard (PCI DSS) - V4
  - US California Consumer Privacy Act (CCPA) - AB-375
  - US DISA's Application Security and Development STIG. V6R1
  - US Electronics Funds and Transfer Act (EFTA)
  - US Federal Information Security Modernization Act (FISMA)
  - US Federal Risk and Authorization Management Program (FedRAMP)
  - US Health Insurance Portability and Accountability Act (HIPAA)
  - US Sarbanes-Oxley Act (SOX)

Baseline compliance policy

Baseline compliance policy calculates compliance based on issues found in the application for the first time after a set date. Unlike the predefined compliance policies, a baseline compliance policy is specific to a single application.

Baseline compliance policy does not count as one of the five policies that can be associated with an application. You can have five associated policies and also a baseline compliance policy.

To set a baseline policy for an application:
  1. On the general Applications page, click an application name to open the specific application page.
  2. Click Manage > Manage compliance policies.
  3. Click Add a baseline compliance policy (or, if one already exists, Update baseline compliance policy).
  4. Adjust date and time as needed, then click Set baseline.
Note: If you promote a personal scan in an application with a baseline compliance policy dated after the personal scan ran, issues found in the scan will not change the status of the application. This is because the issues are counted from when they were discovered, not when the scan was promoted.
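The following Python is an added illustration, not ASoC code: it models the default compliance rule (active Critical, High, Medium or Low issues) and a baseline that counts issues by the time they were first found, so a personal scan promoted after the baseline date contributes nothing. The Issue fields, the status values and the promoted_at field are assumptions made for the model.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed model of the compliance rules described on this page; not ASoC code.
# Default rule (no policy enabled): any active Critical/High/Medium/Low issue
# makes the application non-compliant; Informational issues are ignored.
COUNTED_SEVERITIES = {"Critical", "High", "Medium", "Low"}

@dataclass(frozen=True)
class Issue:
    issue_id: str
    severity: str
    status: str            # assumption: any status other than "Fixed" is active
    first_found: datetime  # when the issue was first discovered (scan run time)
    promoted_at: datetime  # hypothetical field: when the scan was promoted

def is_active(issue: Issue) -> bool:
    return issue.status != "Fixed"

def counted_by_baseline(issue: Issue, baseline: Optional[datetime]) -> bool:
    # A baseline counts only issues first found after its date and time.
    # promoted_at is deliberately ignored: issues are counted from discovery,
    # so promoting an older personal scan does not change the status.
    return baseline is None or issue.first_found > baseline

def noncompliant_issues(issues: List[Issue], baseline: Optional[datetime] = None) -> List[str]:
    return [i.issue_id for i in issues
            if is_active(i) and i.severity in COUNTED_SEVERITIES
            and counted_by_baseline(i, baseline)]

def is_compliant(issues: List[Issue], baseline: Optional[datetime] = None) -> bool:
    return not noncompliant_issues(issues, baseline)

# Constructed sample: a personal scan ran on 1 March and was promoted on 10 March,
# after a baseline of 5 March had been set; a later scan ran on 12 March.
BASELINE = datetime(2024, 3, 5)
ISSUES = [
    Issue("old-critical", "Critical", "Open", datetime(2024, 3, 1, 9), datetime(2024, 3, 10, 9)),
    Issue("new-low-fixed", "Low", "Fixed", datetime(2024, 3, 12, 9), datetime(2024, 3, 12, 9)),
    Issue("new-info", "Informational", "Open", datetime(2024, 3, 12, 9), datetime(2024, 3, 12, 9)),
]
NEW_HIGH = Issue("new-high", "High", "Open", datetime(2024, 3, 12, 9), datetime(2024, 3, 12, 9))

if __name__ == "__main__":
    print("default rule:", is_compliant(ISSUES))                        # False
    print("with baseline:", is_compliant(ISSUES, BASELINE))             # True
    print("baseline + new High:", is_compliant(ISSUES + [NEW_HIGH], BASELINE))  # False
```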

Custom compliance policies

You can create your own custom compliance policies. For details, see Creating custom compliance policies.