Editing a Test Policy
Test Policy view can be used to fine-tune your selected test policy.
About this task
You can fine-tune the current test policy by adding or deleting tests, and also export the changed configuration as a user-defined test policy for future use.
Procedure
-
In the Scan Configuration dialog box, click Test Policy (or in Scan Configuration
Wizard > Test Policy).
The upper area lists all AppScan® tests and indicates which are included in the current scan (check box selected).
- Include/exclude tests or variants by selecting/deselecting
the check box(es). (To view individual variants, click the + icon next to a Test Name.)Note: For each test the following information is listed: Name, Variant ID, CVE ID, CWE ID, Severity assigned to the issue (and whether the severity is CVSS or user-assigned), Type, Invasiveness, WASC threat classification, and XFID (X-Force ID). You can Sort tests by any of these fields, by clicking on the column header.Note: The Search facility lets you search for tests using free text search.
- In the Information field at the top right of the dialog, you can edit the description.
- New tests are continually being added to AppScan's database
of tests. By default, all new tests except Invasive tests are added
to all user-defined test policies. However, you can define which groups
in your policy will be updated: Click Update Settings, select/deselect
check boxes in the Test Policy Update Settings dialog box as
required, then click OK.
The dialog box contains three groups: Test Type, Test Invasiveness, and Test Severity. Only the tests that belong to a selected category in all three groups will be added to the current policy, when new tests are added to your AppScan database of tests. For example: If you select High Severity, but deselect Invasive, high severity, invasive tests will not be added to this policy when updates become available.
- You can optionally give the scan a name and save it for future use (click Export, and save in .policy format).
- Click OK to save the changes to the current Test Policy.