Security test policies

A security test policy is a predefined set of security tests. Users must be assigned both a server group and a test policy before they can perform security scans.

Administrators do not need to be granted explicit access to a test policy, nor do they need to be assigned to a server group. There are two types of test policies available:
  • A Simple security test policy defines tests at a high level. You can create and edit simple test policies in AppScan® Enterprise Server and assign them to server groups.
  • An Advanced security test policy defines tests at a more granular level. You can import advanced test policies from AppScan® 7.7 (or higher) and assign them to server groups, but you cannot edit their properties. The following predefined advanced test policies are available:
    • Application only: Includes all application-level tests except invasive tests.
    • Complete: Includes all tests.
    • Default: Includes all tests except invasive tests (tests that affect server stability).
    • Developer Essentials (Deprecated): Includes a selection of application tests that have a high probability of success. This can be useful for evaluating a site when time is limited.
    • Infrastructure only: Includes all infrastructure-level tests except invasive tests.
    • Invasive: Includes all invasive tests (tests that might affect the server's stability).
    • OWASP Top 10 - 2021: Includes all tests for the latest top 10 vulnerability categories mapped by OWASP.
    • OWASP Top 10 API Security Risks - 2023: Includes all tests for the latest top 10 API vulnerability categories mapped by OWASP.
    • Production Site: Excludes invasive tests that might damage the site, and tests that might result in denial of service to other users.
    • The Vital Few (Deprecated): Includes a selection of tests that have a high probability of success. This can be useful for evaluating a site when time is limited.
    • Third Party-Only: Includes all third-party-level tests except invasive tests.
    • Web Services (Deprecated): Includes all SOAP-related tests except invasive tests.

Standard exclusion:
All predefined test policies, including the Complete test policy, exclude the following tests by default:
  • Outdated tests (such as old CVEs or outdated third-party tests)
  • Disruptive tests that might slow down AppScan's performance (such as port listener tests)

Deprecated test policy alternatives

What test policies can replace The Vital Few and the Developer Essentials test policies?

The following table provides suggested alternatives for the deprecated policies:

  Current Policy         Suggested Alternatives
  Web Services           Use the Default policy, which now includes web services.
  The Vital Few          Use the Default policy with the fastest Test Optimization setting.
  Developer Essentials   Use the Application only policy with one of the faster Test Optimization settings.