Creating custom policies

If you have the required permissions, you can create/delete your own custom policies.

A policy is defined using a JSON expression tree. This can consist of a single basic expression, or of multiple expressions combined with a logical operation (And, Or, Not). Each basic expression consists of a pre-defined function and its parameter (if required). You can either set the parameter value when creating the policy, or use a placeholder beginning with $ (for example "$DATE") to leave it undefined. When a parameter is undefined, the user is required to provide the value when associating the policy with an application.
Note: When creating a policy that will be used through the user interface, you must define all parameters; otherwise it will not be possible to associate the policy with an application.
One advantage of creating a custom policy is that parameters can be hardcoded into the policy, so users can apply it without defining the parameter each time. For example, you can take the pre-defined Baseline policy as a template for a series of custom policies, each with its own fixed StartDate.

Predefined functions

The following pre-defined functions can be used in your policies:
Table 1. Pre-defined Functions

StartDate
  Parameters: Date (can include time) in one of the following formats:
    • "yyyy-MM-dd"
    • "yyyy-MM-ddThh:mmZ" (UTC)
    • "yyyy-MM-ddThh:mm+hh:mm" (local time with its +/- UTC offset)
  Description: Returns issues discovered after the specified date (and time).
  Examples:
    Date only: 2018-04-24
    UTC time: 2018-04-24T10:30Z
    Local time with UTC offset: 2018-04-24T11:30+01:00 or 2018-04-24T07:30-03:00 (both denote the same instant as 2018-04-24T10:30Z)

MinSeverity
  Parameters: Severity, one of: Information | Low | Medium | High | Critical
  Description: Returns issues whose severity is equal to or greater than the specified severity.

OwaspTop10_2017
  Parameters: N/A
  Description: Returns issues defined by OWASP as a top 10 security risk.

SansTop25
  Parameters: N/A
  Description: Returns issues defined by the SANS Institute as one of the top 25 most dangerous errors.

EUGdpr_2016
  Parameters: N/A
  Description: Returns issues that render the application out of compliance with the GDPR.

CWE
  Parameters: List of CWE IDs
  Description: Returns issues that correspond to the specified CWE IDs.

PCI
  Parameters: N/A
  Description: Returns issues that render the application out of compliance with the PCI data security standard.

HIPAA
  Parameters: N/A
  Description: Returns issues that render the application out of compliance with HIPAA.

Creating custom policies through the user interface

To create a custom policy:
  1. On the dashboard click Policies, then click Create Custom Policy.
  2. Give the policy a name, and define it as a JSON expression.
    Note: If the policy will be associated with applications through the UI, you must define every parameter when you create the policy, because parameters cannot be supplied when associating. If the policy will be associated with applications through the API, you can leave parameters undefined and supply them when associating.

    Example 1: Custom baseline policy

    {  
       "Function":"StartDate",
       "Parameters":[  
          "2017-12-31T13:50Z"
       ]
    }
    

    Example 2: Custom CWE policy

    {  
       "Function":"CWE",
       "Parameters":[  
          89,
          90
       ]
    }
    

    Example 3: Composite custom policy

    {  
       "Operation":"And",
       "Expressions":[  
          {  
             "Function":"StartDate",
             "Parameters":[  
                "2018-04-24T10:30Z"
             ]
          },
          {  
             "Function":"MinSeverity",
             "Parameters":[  
                "Medium"
             ]
          }
       ]
    }
    

    Example 4: Custom policy to exclude CWEs 89 and 90

    {
        "Operation": "Not",
        "Expressions": [
            {
                "Function": "CWE",
                "Parameters": [
                    89,
                    90
                ]
            }
        ]
    }
    

    Example 5: Custom OWASP Top 10 policy excluding CWEs 89 and 90

    {
        "Operation": "And",
        "Expressions": [
            {
                "Operation": "Not",
                "Expressions": [
                    {
                        "Function": "CWE",
                        "Parameters": [
                            89,
                            90
                        ]
                    }
                ]
            },
            {
                "Function": "OwaspTop10_2017"
            }
        ]
    }
    
  3. When done, click Close.
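The following Python evaluator is an added worked example, not the product's own policy engine. It implements the expression-tree semantics of Table 1 and the And / Or / Not operators, then runs the page's examples 3, 4 and 5 over a few constructed issue records. Two boundary points that the table leaves implicit are made explicit: the three StartDate formats are compared as instants (so 11:30+01:00 and 07:30-03:00 are the same moment as 10:30Z, and an issue found exactly at the StartDate is not "after" it), and a $-placeholder that was never bound is an error rather than a silent match. The issue records, their standards tags, the treatment of a date-only value as midnight UTC and the strict reading of "after" are all assumptions made for this illustration.

```python
"""Evaluate policy expression trees (And / Or / Not over the pre-defined
functions of Table 1) against issue records.  Added illustration, not the
product's policy engine; the issue records and their standards tags are
constructed for this example."""
from datetime import datetime, timezone

SEVERITY_ORDER = ["Information", "Low", "Medium", "High", "Critical"]
# Parameterless functions: assumed to match when the issue carries that tag.
STANDARD_FUNCTIONS = {"OwaspTop10_2017", "SansTop25", "EUGdpr_2016", "PCI", "HIPAA"}


def parse_policy_date(text):
    """Parse the three documented StartDate formats into an aware datetime.
    'Z' means UTC; a date-only value is taken as midnight UTC (assumption)."""
    for fmt in ("%Y-%m-%dT%H:%M%z", "%Y-%m-%d"):
        try:
            parsed = datetime.strptime(text.replace("Z", "+00:00"), fmt)
        except ValueError:
            continue
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    raise ValueError(f"unsupported StartDate format: {text!r}")


def _is_placeholder(param):
    return isinstance(param, str) and param.startswith("$")


def match_function(issue, name, params):
    """Evaluate one basic expression; semantics follow Table 1."""
    if name == "StartDate":
        # "after" is read as strictly later than the given instant (assumption).
        return issue["discovered"] > parse_policy_date(params[0])
    if name == "MinSeverity":
        return SEVERITY_ORDER.index(issue["severity"]) >= SEVERITY_ORDER.index(params[0])
    if name == "CWE":
        return issue["cwe"] in set(params)
    if name in STANDARD_FUNCTIONS:
        return name in issue["standards"]
    raise ValueError(f"unknown function {name!r}")


def matches(issue, expr):
    """Recursively evaluate an expression tree for a single issue."""
    if "Operation" in expr:
        results = [matches(issue, sub) for sub in expr["Expressions"]]
        op = expr["Operation"]
        if op == "And":
            return all(results)
        if op == "Or":
            return any(results)
        if op == "Not":
            if len(results) != 1:
                raise ValueError("Not takes exactly one expression")  # assumption
            return not results[0]
        raise ValueError(f"unknown operation {op!r}")
    params = expr.get("Parameters", [])
    unbound = [p for p in params if _is_placeholder(p)]
    if unbound:
        raise ValueError(f"unbound parameter(s) {unbound}: supply them when associating the policy")
    return match_function(issue, expr["Function"], params)


def apply_policy(expr, issues):
    """Return the ids of the issues the policy includes, in input order."""
    return [issue["id"] for issue in issues if matches(issue, expr)]


def load_issues(raw):
    return [dict(i, discovered=parse_policy_date(i["discovered"])) for i in raw]


# Constructed sample issues (not real scan output).
ISSUES = load_issues([
    {"id": "A", "cwe": 89, "severity": "High", "discovered": "2018-05-01T09:00Z",
     "standards": {"OwaspTop10_2017", "PCI"}},
    {"id": "B", "cwe": 79, "severity": "Medium", "discovered": "2018-04-24T10:30Z",
     "standards": {"OwaspTop10_2017"}},
    {"id": "C", "cwe": 200, "severity": "Low", "discovered": "2018-06-15",
     "standards": set()},
    {"id": "D", "cwe": 90, "severity": "Critical", "discovered": "2018-03-01T12:00+02:00",
     "standards": {"OwaspTop10_2017", "SansTop25"}},
])

# The page's examples 3, 4 and 5, as Python dicts.
EXAMPLE_3 = {"Operation": "And", "Expressions": [
    {"Function": "StartDate", "Parameters": ["2018-04-24T10:30Z"]},
    {"Function": "MinSeverity", "Parameters": ["Medium"]}]}
EXAMPLE_4 = {"Operation": "Not", "Expressions": [
    {"Function": "CWE", "Parameters": [89, 90]}]}
EXAMPLE_5 = {"Operation": "And", "Expressions": [EXAMPLE_4, {"Function": "OwaspTop10_2017"}]}

if __name__ == "__main__":
    for label, policy in (("Example 3", EXAMPLE_3), ("Example 4", EXAMPLE_4), ("Example 5", EXAMPLE_5)):
        print(label, apply_policy(policy, ISSUES))
```

Issue B is found at exactly the Example 3 StartDate and is therefore excluded under the strict reading; if the product treats the boundary inclusively, change the comparison in match_function to >=.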

Creating policies through the REST API

In the REST API, a policy is defined using an expression tree. This can consist of a single basic expression, or of multiple expressions combined with a logical operation (And, Or, Not). Each basic expression consists of a pre-defined function and its parameter (if required). You can either set the parameter value when creating the policy, or use a placeholder beginning with $ (for example "$DATE" or "$minseverity") to leave it undefined. When a parameter is undefined, the user is required to provide the value when associating the policy with an application.

Example 1: Custom baseline policy

{
    "Name": "Baseline",
    "Predefined": true,
    "Expression": {
      "Function": "StartDate",
      "Parameters": [
        "$DATE"
      ]
    }
}

Example 2: Custom CWE policy

{
   "Name": "CWE policy",
   "Expression": {
     "Function": "CWE",
     "Parameters": [
       89,
       90
     ]
   }
}

Example 3: Composite custom policy

In this example of a custom policy, the functions StartDate and MinSeverity are combined with the operation And, so that only issues found after the specified date and with at least the specified minimum severity are included. The severity is left as the placeholder "$minseverity", to be supplied when the policy is associated with an application.

  {
    "Name": "MyPolicy",
    "Predefined": false,
    "Expression": {
      "Operation": "And",
      "Expressions": [
        {
          "Function": "StartDate",
          "Parameters": [
            "2018-04-24T10:30Z"
          ]
        },
        {
          "Function": "MinSeverity",
          "Parameters": [
            "$minseverity"
          ]
        }
      ]
    }
  }
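Before sending a policy body to the API, or before deciding whether it can be associated through the UI at all, it is worth checking it the way the notes above describe. The Python below is an added example, not the product's API client: it walks the expression tree, checks each function name and parameter count against Table 1, reports the $-placeholders that remain unbound, and substitutes values for them at association time without mutating the stored policy. The parameter-count rules (exactly one for StartDate and MinSeverity, one or more for CWE, none for the standards functions) and the splicing of a list value into a CWE parameter list are assumptions made for this illustration.

```python
"""Find, check and bind $-placeholders in a REST API policy body before it is
associated with an application.  Added illustration, not the product's API
client; the parameter counts below are assumptions read off Table 1."""
import copy

# Expected parameter count per function: 0 = none, 1 = exactly one, None = one or more.
PARAMETER_COUNTS = {
    "StartDate": 1, "MinSeverity": 1, "CWE": None,
    "OwaspTop10_2017": 0, "SansTop25": 0, "EUGdpr_2016": 0, "PCI": 0, "HIPAA": 0,
}
OPERATIONS = {"And", "Or", "Not"}


def _is_placeholder(param):
    return isinstance(param, str) and param.startswith("$")


def basic_expressions(expr):
    """Yield every leaf (Function) expression of a tree, depth first."""
    if "Operation" in expr:
        if expr["Operation"] not in OPERATIONS:
            raise ValueError(f"unknown operation {expr['Operation']!r}")
        for sub in expr["Expressions"]:
            yield from basic_expressions(sub)
    else:
        yield expr


def validate_policy(policy):
    """Check function names and parameter counts; return the set of unbound placeholders."""
    placeholders = set()
    for expr in basic_expressions(policy["Expression"]):
        name = expr.get("Function")
        if name not in PARAMETER_COUNTS:
            raise ValueError(f"unknown function {name!r}")
        params = expr.get("Parameters", [])
        expected = PARAMETER_COUNTS[name]
        ok = len(params) >= 1 if expected is None else len(params) == expected
        if not ok:
            raise ValueError(f"{name}: unexpected parameter list {params!r}")
        placeholders.update(p for p in params if _is_placeholder(p))
    return placeholders


def can_associate_via_ui(policy):
    """The UI cannot supply parameters at association time, so none may be unbound."""
    return not validate_policy(policy)


def bind_parameters(policy, values):
    """Return a copy of the policy with every $name replaced by values[name].
    A list value is spliced in, so a single CWE placeholder can expand to several IDs."""
    bound = copy.deepcopy(policy)
    for expr in basic_expressions(bound["Expression"]):
        new_params = []
        for p in expr.get("Parameters", []):
            if _is_placeholder(p) and p[1:] in values:
                value = values[p[1:]]
                new_params.extend(value if isinstance(value, list) else [value])
            else:
                new_params.append(p)
        if new_params:
            expr["Parameters"] = new_params
    still_unbound = validate_policy(bound)
    if still_unbound:
        raise ValueError(f"no value supplied for {sorted(still_unbound)}")
    return bound


# The page's REST API example 3, with one parameter left for association time.
MY_POLICY = {
    "Name": "MyPolicy",
    "Predefined": False,
    "Expression": {"Operation": "And", "Expressions": [
        {"Function": "StartDate", "Parameters": ["2018-04-24T10:30Z"]},
        {"Function": "MinSeverity", "Parameters": ["$minseverity"]}]},
}

if __name__ == "__main__":
    print("unbound placeholders:", validate_policy(MY_POLICY))
    print("can associate via UI:", can_associate_via_ui(MY_POLICY))
    print(bind_parameters(MY_POLICY, {"minseverity": "Medium"})["Expression"])
```

Placeholder names are matched without the leading $, so the value for "$minseverity" is passed as {"minseverity": "Medium"}; anything still unbound after substitution is reported as an error rather than sent to the API.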