Policies

You can apply the pre-defined policies - as well as your own custom policies - to show only data for the issues that are relevant for you.

ASoC currently includes sixteen pre-defined policies. You can also create your own custom policies using our predefined functions. Policy creation and management is available through the user interface and through the REST API. You can associate up to five policies with any application. In addition you can apply a "baseline policy", that will take account only of issues found after a specified date and time.
Note: When you associate a policy with an application, it is enabled by default. You can disable the policy while maintaining the association, and re-enable it later.
Note: When a policy is deleted, all associations are removed.
Note: If no policies are enabled, an application is considered compliant only if there are no active issues with severity Critical, High, Medium, or Low. You can associate and enable policies to override this default compliance.

Predefined policies

Currently there are sixteen pre-defined policies and eight pre-defined functions. All pre-defined policies are available through the user interface as well as through the API.

Predefined policies:
  • CANADA Freedom of Information and Protection of Privacy Act (FIPPA)
  • CWE/SANS Top 25 Most Dangerous Errors
  • EU General Data Protection Regulation (GDPR)
  • International Standard - ISO 27001
  • International Standard - ISO 27002
  • NIST Special Publication 800-53
  • OWASP Top 10 2017
  • OWASP Top 10 Mobile 2016
  • Payment Application Data Security Standard
  • PCI Compliance
  • US DISA's Application Security and Development STIG V4R10
  • US Electronics Funds and Transfer Act (EFTA)
  • US Federal Information Security Mgmt. Act (FISMA)
  • US Health Insurance Portability and Accountability Act (HIPAA)
  • US Sarbanes-Oxley Act (SOX)
  • WASC Threat Classification 2.0

Baseline policy

Baseline policy calculates compliance based on issues found in the application for the first time after a set date. Unlike the predefined policies, a baseline policy is specific to a single application.

Baseline policy does not count as one of the five policies that can be associated with an application. You can have five associated policies and also a baseline policy.

To set a baseline policy for an application:
  1. On the Applications page, click an application name to open the application's page.
  2. At the upper right corner of the page, click the Configure icon > Manage policies.
  3. Click Add baseline policy (or, if one already exists, Update baseline policy).
  4. Adjust date and time as needed, then click Set baseline.
Note: If you promote a personal scan in an application with a baseline policy dated after the personal scan ran, issues found in the scan will not change the status of the application. This is because the issues are counted from when they were discovered, not when the scan was promoted.
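The following is an added example that models the compliance rules described on this page; it is not ASoC code or its API. It assumes the default rule (no enabled policies: compliant only when no active Critical, High, Medium, or Low issue remains) and applies the baseline semantics on top of it: an issue counts against the baseline only if it was first found after the baseline date, which is why an issue from a personal scan that ran before the baseline date does not change the application status when the scan is promoted later. The issue records, dates, and identifiers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Severities that block compliance under the page's default rule.
BLOCKING_SEVERITIES = {"Critical", "High", "Medium", "Low"}


@dataclass(frozen=True)
class Issue:
    """Constructed issue record (hypothetical fields, not the ASoC schema)."""
    issue_id: str
    severity: str
    first_found: datetime   # when the issue was first discovered in the application
    active: bool = True     # fixed or noise issues are no longer active


def counted_by_baseline(issue: Issue, baseline: Optional[datetime]) -> bool:
    """A baseline policy only counts issues first found AFTER the baseline date.
    The discovery time is what matters, not when a scan was promoted."""
    return baseline is None or issue.first_found > baseline


def blocking_issues(issues: Iterable[Issue], baseline: Optional[datetime] = None) -> List[str]:
    """IDs of the issues that currently make the application non-compliant."""
    return sorted(
        i.issue_id
        for i in issues
        if i.active and i.severity in BLOCKING_SEVERITIES and counted_by_baseline(i, baseline)
    )


def is_compliant(issues: Iterable[Issue], baseline: Optional[datetime] = None) -> bool:
    """Default compliance rule, optionally restricted by a baseline policy."""
    return not blocking_issues(list(issues), baseline)


# --- constructed sample data -------------------------------------------------
BASELINE = datetime(2024, 3, 10, tzinfo=timezone.utc)   # baseline set on 10 March

SAMPLE_ISSUES = [
    Issue("ISSUE-1", "High", datetime(2024, 2, 20, tzinfo=timezone.utc)),        # found before baseline
    Issue("ISSUE-2", "Medium", datetime(2024, 3, 12, tzinfo=timezone.utc)),      # found after baseline
    Issue("ISSUE-3", "Informational", datetime(2024, 3, 13, tzinfo=timezone.utc)),  # not a blocking severity
    Issue("ISSUE-4", "Critical", datetime(2024, 3, 14, tzinfo=timezone.utc), active=False),  # already fixed
]

# Personal scan ran on 1 March (before the baseline) and was promoted on 15 March:
# the issue keeps its 1 March discovery date, so the baseline policy ignores it.
PROMOTED_SCAN_ISSUE = Issue("ISSUE-5", "High", datetime(2024, 3, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    print("No baseline, blocking:", blocking_issues(SAMPLE_ISSUES))
    print("With baseline, blocking:", blocking_issues(SAMPLE_ISSUES, BASELINE))
    print("Promoted pre-baseline scan counted?", counted_by_baseline(PROMOTED_SCAN_ISSUE, BASELINE))
    print("Compliant with baseline, only promoted issue:",
          is_compliant([PROMOTED_SCAN_ISSUE], BASELINE))
```

Without a baseline the old High issue alone makes the application non-compliant; with the 10 March baseline only the Medium issue found on 12 March counts, and the promoted personal-scan issue is excluded because its discovery date precedes the baseline.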

Custom policies

You can create your own custom policies. For details, see Creating custom policies.