Home
Administering
Learn how to administer the product.
Preparing for Security Testing
Learn how to prepare for security testing in AppScan Enterprise.
Creating and Importing Security Test Policies
Learn how to create and import security test policies in AppScan Enterprise.
Creating a simple security test policy
The Simple security test policy is the default test policy. It defines tests at a high level. You can create and edit simple test policies and assign them to server groups. Then you can assign server group/test policy combinations to users to use during security scanning.

Administering
Learn how to administer the product.
- Managing users, groups, and access permissions
  Learn how to manage user groups and access permission.
- SAML Single Sign-On in AppScan Enterprise
- Configuring and downloading log files for Enterprise Console and AppScan Server
  Administrators can configure the settings for log files for the Enterprise Console and AppScan Server and download them when they need to troubleshoot issues. This function eliminates the need to search the file system of the computer where the Enterprise Console or AppScan Server is installed.
- Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool
  The AdminUtil tool helps users to avoid rerun the configuration wizard on the AppScan Enterprise Server and the DAST Scanner(s) to reset the password. You can run the utility in two modes - Interactive mode and Silent mode. For more information about resetting service account password through interactive mode, see Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool in silent mode
- Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool in silent mode
  The AppScan Enterprise (ASE) AdminUtil tool helps users to avoid rerun the configuration wizard on the AppScan Enterprise Server, IAST Communication service, DAST scanner(s), Database service, and Alert services to reset the password of service account. You can achieve this by running the utility in two modes - Interactive mode and Silent mode. For more information about resetting service account password through interactive mode, see Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool
- Monitoring AppScan Enterprise usage
  Create an Activity Log report to determine who is using AppScan Enterprise and what they are doing with it. The report lists the users that made changes and when the changes were made. Because the log is always recording activity, all you must do is create the report. Only Administrators can create the Activity Log report; however, any user can be given access to it as part of a report pack's properties. If you do not want other users to see the Activity Log report, change `All Other Users' to No Access on the Users and Groups page for the report pack.
- Activity Log
  Activity Log helps determine who is using AppScan Enterprise and what they are doing with it. It lists the users that made changes and when the changes were made. This is useful for security auditing to detect possible unauthorized or unusual activities performed by users. Only Administrators can view the Activity log. By default, the activity log data is retained for one year.
- Managing a server
  Product Administrators are responsible for managing each server to its optimal performance.
- Managing the scan queue
  See the status of scan jobs currently running or waiting to run so that you can prioritize the order in which your key scan jobs run. For example, you might have scan jobs that are part of a time-sensitive deliverable, like a holiday shopping special. You can move them to the top of the queue to make sure that they are prioritized first in the schedule.
- Updating security rules
  The security rules are updated as a part of your AppScan® Enterprise releases. You can verify the version and release date of the security rules by looking in the About link in the AppScan Enterprise main menu.
- Importing user-defined tests from AppScan Standard
  AppScan® Standard provides a database of thousands of tests. However, if your web application has issues that are specific to it, or if you want to write your own advisories for fixing issues, you can create your own tests. These tests are saved and included in your AppScan database of tests. You can also export them as a *.udt file to import into AppScan Enterprise.
- Maintaining your SQL Server database
  SQL Server database maintenance includes upgrading SQL servers, SQL database backup, log file configuration, and database usage.
- Preparing for Security Testing
  Learn how to prepare for security testing in AppScan Enterprise.
  - Creating a server group
    A server group is a group of items that can be tested as a unit; the same security tests will be applied to all the servers in the group. A server group can be any combination of domains and IP addresses.
  - Enabling and disabling IP addresses to scan
    If you want to enable or disable your address ranges (which will affect the entire installation), you can do so. You might disable a range of addresses if you had servers that were in the process of being backed up. In this case, you can prevent anyone from running security tests on the servers by disabling the IP address range of the servers. Another method of restricting IP address testing is at the user level through the application of server groups.
  - Creating and Importing Security Test Policies
    Learn how to create and import security test policies in AppScan Enterprise.
    - Security test policies
      A security test policy is a predefined set of security tests. Users must be assigned both a server group and a test policy before they can perform security scans.
    - Creating a simple security test policy
      The Simple security test policy is the default test policy. It defines tests at a high level. You can create and edit simple test policies and assign them to server groups. Then you can assign server group/test policy combinations to users to use during security scanning.
    - Importing an advanced security test policy from AppScan® Standard
      Use Advanced security test policies to test down to the variant level of a vulnerability, giving you complete control over the test sent during a scan. You can import advanced security test policies from AppScan® Standard Edition 7.5 (or higher) and assign them to server groups.
    - Re-importing advanced security test policies
      For those times when you must re-import a security test policy file from AppScan® Standard, you can re-import it without affecting your workflow.
    - Defining the servers to test and the security tests to perform
      Job Administrators are assigned security test policies and server groups by a Product Administrator. Security test policies define what tests they can perform; server groups define which applications/servers they can run those tests against.
    - Assigning security test policies and server groups to users
      After you have created your server groups (what you want to test) and your security test policies (what tests you want to perform), you must assign them to users. Users can only run security tests on the server groups that you assign to them. If they do not have any test policies assigned to them, they cannot perform security scans.
- Creating scan templates
  Learn how to create scan templates in AppScan Enterprise.

Creating a simple security test policy

The Simple security test policy is the default test policy. It defines tests at a high level. You can create and edit simple test policies and assign them to server groups. Then you can assign server group/test policy combinations to users to use during security scanning.

Procedure

Go to the Administration view.
On the Security Test Policies page, click Create.
On the Create Simple Security Test Policy page, give the test policy a name and description and click Create.
On the Edit Simple Security Test Policy page, configure the tests that will be included in the test policy and click Save.

What to do next

Assign the test policy to one or more users.