Security test policies
A security test policy is a predefined set of security tests. Users must be assigned both a server group and a test policy before they can perform security scans.
Administrators do not need to be granted explicit access to a test policy, nor do they need to be assigned to a server group. There are two types of test policies available:
- A Simple security test policy defines tests at a high level. You can create and edit simple test policies in AppScan® Enterprise Server and assign them to server groups.
- An Advanced security test policy defines tests at a more granular level. You can import advanced test policies from AppScan 7.7 (or higher) and assign them to server groups, but you cannot edit their properties. The following advanced policies are available:
  - Application only: Includes all application-level tests except invasive and port listener tests.
  - Complete: Includes all AppScan tests.
  - Default: Includes all tests except invasive and port listener tests.
  - Developer Essentials: Includes a selection of application tests that have a high probability of success. This can be useful for evaluating a site when time is limited.
  - Infrastructure only: Includes all infrastructure-level tests except invasive and port listener tests.
  - Invasive: Includes all invasive tests (tests that might affect the server's stability).
  - Production Site: Excludes invasive tests that might damage the site, and tests that might result in Denial of Service to other users.
  - The Vital Few: Includes a selection of tests that have a high probability of success. This can be useful for evaluating a site when time is limited.
  - Third Party-Only: Includes all third-party-level tests except invasive and port listener tests.
  - Web Services: Includes all SOAP-related tests except invasive and port listener tests.