Policies

You can create or use pre-defined policies to filter issues discovered in scans, and associate one or more policies with an application.

ASoC currently includes six pre-defined policies. You can create your own custom policies using our predefined functions. Policy creation and management is available through the user interface and through the REST API.
Note: When you associate one or more policies with an application, the policy is enabled by default. You can disable the policy while maintaining the association, and re-enable it later.
Note: When a policy is deleted, all associations are removed.

Predefined policies and functions

Currently there are six pre-defined policies and eight pre-defined functions. All pre-defined policies are available through the user interface as well as through the API.
Table 1. Pre-defined Policies
Report Name Description
Baseline Identifies issues discovered after the date set in the StartDate parameter.
CWE/SANS top 25 Identifies issues defined by the SANS Institute and Common Weakness Enumeration (CWE) list as one of the top 25 most critical errors that can lead to vulnerabilities in software.
European Union General Data Protection Regulation (GDPR) Identifies issues that could render the application out of compliance with the General Data Protection regulation that becomes enforceable in May 2018.
HIPAA Identifies issues that fail to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
OWASP top 10 2017 Identifies issues defined by the Open Web Application Security Project (OWASP) as one of the top ten most critical web application security risks.
PCI compliance Identifies issues that fail to comply with the Payment Card Industry (PCI) data security standard.
Table 2. Pre-defined Functions
Name Parameters Description
StartDate Date (can include time) in one of the following formats:
  • "yyy-MM-dd"
  • "yyyy-MM-ddThh:mmZ" (UTC)
  • "yyyy-MM-ddThh:mm+hh:mm" (local time +/- UTC offset)
Returns issues discovered after the specified date (and time).
Examples:
Date only
2018-04-24
UTC time
2018-04-24T10:30Z
Local time +/- UTC offset
2018-04-24T11:30+01:00

2018-04-24T07:30-03:00

MinSeverity Severity in format: "Information | Low | Medium | High | Critical" Returns issues equal to or of greater severity to the specified parameter.
OwaspTop10_2017 N/A Returns issues defined by OWASP as a top 10 security risk.
SansTop25 N/A Returns issues defined by SANS Institute as a top 25 critical error.
EUGdpr_2016 N/A Returns issues that render the application out of compliance with the GDPR.
CWE List of CWE IDs Returns issues that correspond with the specified CWE IDs.
PCI N/A Returns issues that render the application out of compliance with the PCI data security standard.
HIPAA N/A Returns issues that render the application out of compliance with HIPAA.