Test policy

A test policy is the set of tests that will be sent to the application during a scan. When you run a scan from the ASoC user interface you choose one of the predefined test policies listed below; other policies can be applied to imported scans or to scans run from the API.

The number of possible AppScan tests for a site can reach thousands. Rather than manually filtering that large number of tests and test variants, you set a "policy" that determines which types of tests are run against your application.

The test policy is configured in the DAST scan setup.

Predefined test policies

  Policy Name: Complete
  Description: Includes all possible tests.

  Policy Name: Default
  Description: Includes all tests except invasive and port listener tests.

  Policy Name: OWASP Top 10 2021
  Description: Includes all tests for the latest top 10 vulnerability categories mapped by OWASP.

  Policy Name: OWASP Top 10 API Security Risks 2023
  Description: Includes all tests for the latest top 10 API vulnerability categories mapped by OWASP.

  Policy Name: Production Site
  Description: Excludes invasive tests that might damage the site, and tests that might result in Denial of Service to other users.

Tip: If you apply Test Optimization to the scan configuration, some of the vulnerabilities covered by your selected policy may not be tested for. Therefore, if you select the Complete test policy and want all of its tests to be sent, set Test Optimization to No optimization.

See also: Test optimization FAQ