Test Policy

Limiting the scan to the specific types of tests you want can reduce scan time.

About this task

The number of tests that AppScan® sends during a scan can reach the thousands. Sometimes it is preferable to reduce scan time by limiting the scan to certain types of tests only. The Test Policy is the setting that defines which types of tests are sent.

AppScan® comes with a Default Test Policy, and with some additional Test Policy configurations that you can select. You can also use your own User-Defined Test Policies.

The Test Policy step of the wizard shows the name of the Test Policy that the current policy is based on, and its description.


  1. Check that the Test Policy is appropriate for your needs. (If you are in doubt, keep the Default Test Policy.)
  2. To load a different Test Policy, click one of the Pre-Defined Policies or Recent Policies in the Policy Files pane. For details, see Test Policy view.
  3. Send tests on login and logout pages: By default, AppScan will test your login and logout pages along with the rest of the application. You should leave this default configuration, unless:
    • Your application has safeguards that lock out users who provide illegal input on these pages, or
    • Your application flow would be altered if these pages were tested

    If you are unsure how your application will respond to these tests, leave this option selected.

  4. Do not send session identifiers when testing login pages: (This check box is active, and selected by default, only if the previous check box is selected.) It is recommended to leave this check box selected, since session identifiers could limit test success when testing login pages. Clear it only if you are sure that valid session tokens are necessary to test your login pages.

    If you are unsure how your application will respond, leave this option selected.

  5. Click Next.

What to do next

Test Optimization