Test policy
A test policy is the collection of tests that will be sent to the application during testing. When running scans from the ASoC user interface you can select one of the predefined test policies; other policies can be applied to imported scans or to scans run from the API.
The number of possible AppScan tests for a site can reach thousands. Rather than manually filtering this large number of tests and test variants, you can set a "policy" for the type of tests you want run against your application.
The test policy is configured in the DAST scan setup.
Predefined test policies
| Policy Name | Description |
|---|---|
| Complete | Includes all possible tests. |
| Default | Includes all tests except invasive and port listener tests. |
| OWASP Top 10 2021 | Includes all tests for the latest top 10 vulnerability categories mapped by OWASP. |
| OWASP Top 10 API Security Risks 2023 | Includes all tests for the latest top 10 API vulnerability categories mapped by OWASP. |
| Production Site | Excludes invasive tests that might damage the site, or tests that might result in Denial of Service to other users. |
See also: Test optimization FAQ