Configuration
You configure a scan by choosing settings that best describe your application, and the kind of testing you want.
- Scan Configuration Wizards
  You can quickly configure basic scans using the wizards.
- Scan Configuration Dialog Box
  - URL and Servers view
    Configure the Starting URL for the svcan, and any additional servers and domains to be included.
  - Login Management view
    Show AppScan® how to log in to your application.
  - One-Time Password (OTP) view
    If required by your application, configure AppScan® to use OTP when logging in.
  - Environment Definition view
    Environment definition is not essential, but enables AppScan® to safely refrain from sending non-relevant tests during the scan, resulting in a faster and more accurate scan.
  - Exclude Paths and Files view
    You can configure AppScan to ignore certain paths in the application, or specific types of file.
  - Explore Options view
    Define scan limits, link extraction methods and the general Explore method.
  - Parameters and Cookies view
    Identify session IDs and list parameters to exclude from the scan.
  - Automatic Form Fill view
    Provide AppScan® with valid parameter values for filling forms in your application during the scan.
  - Error Pages view
    Add strings, regular expressions and URLs to identify your application's custom error pages.
  - Multi-Step Operations view
    Record and manage multi-step operations that are required to reach specifica parts of the application that could otherwise be missed.
  - Content-Based Results view
    Define a logical structure for the application tree, if AppScan® will not be able to do this based on URL structure.
  - Communication and Proxy view
    Configure communication timeout and proxy server settings.
  - HTTP Authentication view
    Add server-level authentication and client-side certificates, if required by the application.
  - 3rd Party Authentication view
    3rd Party Authentication view of the Configuration dialog box lets you configure AWS settings.
  - Test Policy view
    Define and edit the collection of tests that will be sent to the application during testing; the test policy.
    - Editing a Test Policy
      Test Policy view can be used to fine-tune your selected test policy.
    - Importing a Test Policy
    - Predefined Test Policies
    - Test Policy Update Settings
      This dialog box opens from Scan Configuration > Test Policy view.
  - Test Optimization view
    Apply optimization for faster scans at times in the product lifecycle when speed is more important to you than scan depth.
  - Test Options view
    Additional test options.
  - Privilege Escalation view
    Refer AppScan to scans run using different user privileges, to discover privileged resources that may be accessible to users with insufficient privileges.
  - Advanced Configuration view
    This view gives you access to many advanced registry settings and it should only be used by experienced AppScan users, or when instructed to do so by the support team to troubleshoot a problem.
- Scan file structure
  Explains the basic structure of an AppScan Standard SCAN file.
- Scan templates
  A scan template is simply a scan configuration that has been saved so that you can use it again.
- Changing the configuration during a scan

Editing a Test Policy

Test Policy view can be used to fine-tune your selected test policy.

About this task

You can fine-tune the current test policy by adding or deleting tests, and also export the changed configuration as a user-defined test policy for future use.

Procedure

In the Scan Configuration dialog box, click Test Policy (or in Scan Configuration Wizard > Test Policy).

The upper area lists all AppScan® tests and indicates which are included in the current scan (check box selected).
Include/exclude tests or variants by selecting/deselecting the check box(es). (To view individual variants, click the + icon next to a Test Name.)
Note: For each test the following information is listed: Name, Variant ID, CVE ID, CWE ID, Severity assigned to the issue (and whether the severity is CVSS or user-assigned), Type, Invasiveness, WASC threat classification, and XFID (X-Force ID). You can Sort tests by any of these fields, by clicking on the column header.
Note: The Search facility lets you search for tests using free text search.
In the Information field at the top right of the dialog, you can edit the description.
New tests are continually being added to AppScan's database of tests. By default, all new tests except Invasive tests are added to all user-defined test policies. However, you can define which groups in your policy will be updated: Click Update Settings, select/deselect check boxes in the Test Policy Update Settings dialog box as required, then click OK.

The dialog box contains three groups: Test Type, Test Invasiveness, and Test Severity. Only the tests that belong to a selected category in all three groups will be added to the current policy, when new tests are added to your AppScan® database of tests. For example: If you select High Severity, but deselect Invasive, high severity, invasive tests will not be added to this policy when updates become available.
You can optionally give the scan a name and save it for future use (click Export, and save in .policy format).
Click OK to save the changes to the current Test Policy.