Limiting the scan to the specific types of tests you want can reduce scan
time.
About this task
The number of tests which AppScan® sends during a scan can reach the thousands. Sometimes it is preferable
to reduce scan time by limiting the scan to certain types of test only. This
is what the Test Policy controls.
AppScan comes with a Default Test Policy, and with some additional Test
Policy configurations that you can select. You can also use your own
User-Defined Test Policies.
The Test Policy step of the wizard
shows the name of the Test Policy that the current policy is based
on, and its description.
Procedure
- Check that the Test Policy is appropriate for your needs.
(If you are in doubt, leave the Default Test Policy.)
- To load a different Test Policy, click on one of the Pre-Defined
Policies or Recent Policies in the Policy Files pane. For
details see Test Policy view.
- Send tests on login and logout pages: By default, AppScan will test your login
and logout pages along with the rest of the application. You should
leave this default configuration, unless:
- Your application has safeguards that lock out users who provide
illegal input on these pages, or
- Your application flow would be altered if these pages were
tested
If you are unsure how your application will respond to these
tests, leave this option selected.
- Do not send session identifiers when testing login pages: (This check box is active, and selected by default, only if the
previous check box is selected.) It is recommended to leave this check
box selected, since session identifiers could limit test success when
testing login pages. Clear it only if you are sure that valid session
tokens are necessary to test your login pages.
If you are unsure how your application will respond, leave this option selected.
- Click Next.