Security test policies

A security test policy is a predefined set of security tests. Users must be assigned both a server group and a test policy before they can perform security scans.

Administrators do not need to be granted explicit access to a test policy, nor do they need to be assigned to a server group. There are two types of test policies available:

  • A Simple security test policy defines tests at a high level. You can create and edit simple test policies in AppScan® Enterprise Server and assign them to server groups.
  • An Advanced security test policy defines tests at a more granular level. You can import advanced test policies from AppScan® 7.7 (or higher) and assign them to server groups, but you cannot edit their properties:
    • Application only: Includes all application level tests except invasive and port listener tests.
    • Complete: Includes all AppScan® tests.
    • Default: Includes all tests except invasive and port listener tests.
    • Developer Essentials: Includes a selection of application tests that have a high probability of success. This can be useful for evaluating a site when time is limited.
    • Infrastructure only: Includes all infrastructure level tests except invasive and port listener tests.
    • Invasive: Includes all invasive tests (tests which might affect the server's stability).
    • Production Site: Excludes invasive tests that might damage the site, or tests that might result in Denial of Service to other users.
    • The Vital Few: Includes a selection of tests that have a high probability of success. This can be useful for evaluating a site when time is limited.
    • Third Party-Only: Includes all third-party level tests except invasive and port listener tests.
    • Web Services: Includes all SOAP related tests except invasive and port listener tests.

From AppScan Standard FAQ

What test policies can replace the Web Services, The Vital Few, and the Developers Essentials test policies when they are removed?
  • In version 10.0.5, it is announced about removing three test policies in a future release. The following methods can be used to obtain similar results. If you use these policies, you may wish to start using the suggested alternatives.
    Current Policy Suggested Alternatives
    Web Services Default

    The default test policy now covers web services, so a separate policy is not needed.

    The Vital Few Default

    Use the default policy together with the fastest Test Optimization setting.

    Developers Essentials Default

    Use the Application Only policy together with one of the faster Test Optimization settings.