Test Policy view

Test Policy view of the Configuration dialog box shows details of the current test policy.

The number of possible AppScan tests for a site can reach the thousands. Rather than manually filter the large number of tests and test variants, you can set a general policy for the type of test you do, or do not, want to be run on your application.

Use Test Policy view to view, edit and manage test policies, that define which tests are included in scans, and to define the policy for the current scan.

Tests are grouped and listed in the upper of the two panes. The Advisory and Fix Recommendation for the selected test appear in the lower pane.

In Test Policy view you can:

  • View details of the current policy
  • Edit the current policy to create a User-Defined Test Policy of your own
  • Import a predefined policy, or a previously saved user-defined policy
Tip: If you apply Test Optimization to the scan configuration, some of the vulnerabilities in your selected policy may not be tested for. Therefore, if you selected the "Complete" Test Policy, and want all its tests to be sent, you should set Test Optimization to No optimization.

Field/Pane/Option

Details

Test Policy

Shows the name of the current Test Policy. Tests are grouped and listed in the upper of the two panes. The Advisory and Fix Recommendation for the selected test appear in the lower pane.

Grouping method

Use the drop-down list to select a grouping method for the tests in the upper pane.

Filter

Use the drop-down list to filter the tests in the upper pane. You can choose: All, DAST Only (Dynamic analysis), or SAST Only (Static analysis).

Search

Typing text into the Search field will display only tests that contain the search string. The Magnifying glass drop-down list lets you define whether to look for the string in all test fields, or only specific ones (such as Test Name or CVE ID.

Export

Click to save the current Test Policy so you can load it on another occasion.

Import

Click to load a predefined or user-defined Test Policy (see Importing a Test Policy).

Policy description

The upper-right pane shows the description of the current policy. For user-defined policies this field can be edited.

Test pane

The upper main pane lists all AppScan® tests that meet the filter/search criteria. For each test the following information is listed: Name, Variant ID, CVE ID, CWE ID, Severity assigned to the issue (and whether the severity is CVSS or user-assigned), XFID (X-Force ID), Type, Invasiveness, and WASC threat classification. You can Sort tests by some of these fields, by clicking on the column header.

Tests whose check box is selected are included in the current policy. You can edit the policy by selecting/deselecting tests (see Editing a Test Policy.

Update Settings link

This link opens a dialog box that lets you define which types of test can be added to this policy when new tests are added to the database.

For details see Test Policy Update Settings

Advisory and Fix Recommendation tabs

The lower main pane shows the Advisory and Fix Recommendation for the selected test.

You can Edit any Advisory to your own specifications, or Reset to Default an Advisory that has been edited (see Editing advisories and fix recommendations.

Policy files

Load an existing Test Policy by clicking one of the Recent Policies, or Predefined Policies, or by clicking Browse... and browsing to the required policy.