Security test policies
A security test policy is a predefined set of security tests. Users must be assigned both a server group and a test policy before they can perform security scans.
Administrators do not need to be granted explicit access to a test policy, nor do they need to be assigned to a server group. There are two types of test policies available:
- A Simple security test policy defines tests at a high level. You can create and edit simple test policies in AppScan® Enterprise Server and assign them to server groups.
- An Advanced security test policy defines tests at a more granular level. You can import advanced test policies from AppScan® 7.7 (or higher) and assign them to server groups, but you cannot edit their properties:
- Application only: Includes all application level tests except invasive and port listener tests.
- Complete: Includes all AppScan® tests.
- Default: Includes all tests except invasive and port listener tests.
- Developer Essentials: Includes a selection of application tests that have a high probability of success. This can be useful for evaluating a site when time is limited.
- Infrastructure only: Includes all infrastructure level tests except invasive and port listener tests.
- Invasive: Includes all invasive tests (tests which might affect the server's stability).
- OWASP Top 10 - 2021: Includes all tests except invasive and port listener tests.
- OWASP Top 10 API Security Risks - 2023: Includes all tests except invasive and port listener tests.
- Production Site: Excludes invasive tests that might damage the site, or tests that might result in Denial of Service to other users.
- The Vital Few: Includes a selection of tests that have a high probability of success. This can be useful for evaluating a site when time is limited.
- Third Party-Only: Includes all third-party level tests except invasive and port listener tests.
- Web Services (Deprecated): Includes all SOAP related tests except invasive and port listener tests.
From AppScan Standard FAQ
What test policies can replace the Web Services, The Vital Few, and the Developers Essentials test policies when they are removed?
- In version 10.0.5, the removal of three test policies in a future release was announced. The following methods can be used to obtain similar results. If you use these policies, you may wish to start using the suggested alternatives.
- Web Services: suggested alternative is Default. The default test policy now covers web services, so a separate policy is not needed.
- The Vital Few: suggested alternative is Default. Use the default policy together with the fastest Test Optimization setting.
- Developers Essentials: suggested alternative is Default. Use the Application Only policy together with one of the faster Test Optimization settings.