Test Policy
Limiting the scan to the specific types of tests you want can reduce scan time.
About this task
The number of tests that AppScan® sends during a scan can reach the thousands. It is sometimes preferable to reduce scan time by limiting the scan to certain types of test only. This is what the Test Policy controls.
AppScan® comes with a Default Test Policy, and with some additional Test Policy configurations that you can select. You can also use your own User-Defined Test Policies.
The Test Policy step of the wizard shows the name of the Test Policy that the current policy is based on, and its description.
Procedure
- Check that the Test Policy is appropriate for your needs. (If you are in doubt, leave the Default Test Policy.)
- To load a different Test Policy, click on one of the Pre-Defined Policies or Recent Policies in the Policy Files pane. For details see Test Policy view.
- Send tests on login and logout pages: By default, AppScan tests your login and logout pages along with the rest of the application. Leave this default configuration unless:
  - Your application has safeguards that lock out users who provide illegal input on these pages, or
  - Your application flow would be altered if these pages were tested.
  If you are unsure how your application will respond to these tests, leave this option selected.
- Do not send session identifiers when testing login pages: (This check box is active, and selected by default, only if the previous check box is selected.) It is recommended to leave this check box selected, since session identifiers could limit test success when testing login pages. Clear it only if you are sure that valid session tokens are necessary to test your login pages.
  If you are unsure how your application will respond, leave this option selected.
- Click Next.