Test policy and optimization
Define the collection of tests that will be sent to the application during testing (the test policy), and apply optimization for faster scans at those points in the product lifecycle when speed matters more to you than scan depth.
Test policy
The number of possible AppScan tests for a site can reach the thousands. Rather than manually filter the large number of tests and test variants, you can set a "policy" for the type of tests you want to be run on your application.
The Test policy area shows the current policy for the scan. Click Edit to:
- View details of the policy
- Edit the policy to create a User-defined test policy of your own
- Choose a different predefined policy, or a previously saved user-defined policy
In the dialog that opens, tests are grouped and listed in the upper of the two panes. How to Fix suggestions for the selected test appear in the lower pane.
| Field/Pane/Option | Details |
|---|---|
| Test Policy | Shows the name of the current Test Policy. Tests are grouped and listed in the upper of the two panes. The How to Fix information for the selected test appears in the lower pane. |
| Grouping method | Use the drop-down list to select a grouping method for the tests in the upper pane. |
| Search | Typing text into the Search field displays only tests that contain the search string. The magnifying-glass drop-down list lets you define whether to look for the string in all test fields, or only in specific ones (such as Test Name or CVE ID). |
| Export | Click to save the current Test Policy so you can load it on another occasion. |
| Import | Click to load a predefined or user-defined Test Policy (see Importing a Test Policy). |
| Policy description | The upper-right pane shows the description of the current policy. For user-defined policies this field can be edited. |
| Test pane | The upper main pane lists all AppScan® tests that meet the filter/search criteria. For each test the following information is listed: Name, Variant ID, CVE ID, CWE ID, Severity assigned to the issue (and whether the severity is CVSS or user-assigned), XFID (X-Force ID), Type, Invasiveness, and threat classification. You can sort tests by some of these fields by clicking on the column header. Tests whose check box is selected are included in the current policy. You can edit the policy by selecting/deselecting tests (see Editing a test policy). |
| Update Settings link | This link opens a dialog box that lets you define which types of test can be added to this policy when new tests are added to the database. For details see Test policy update settings. |
| How to Fix tab | The lower main pane shows details of how to fix the issue, including code-specific information where available. |
| Policy files | Load an existing Test Policy by clicking one of the Recent Policies or Predefined Policies, or by clicking Browse... and browsing to the required policy. |
Test optimization
Test Optimization uses AppScan's intelligent test filtering to achieve faster scans, when speed is needed, with minimal loss of issue coverage. You choose between four optimization levels depending on your needs.
A full regular AppScan Standard scan typically sends thousands of tests and may take hours, in some cases days, to complete. During the early stages of development, or for a quick overall evaluation of the current security posture of your product, you can use Test Optimization to get the results you need in a shorter time frame by choosing a balance between speed and issue coverage. There are three levels of optimization (in addition to running with no optimization), and the table below shows suggested use cases for each setting.
Our intelligent test filters are based on statistical analysis, and filter out certain tests, or even specific test variants, to produce a shorter scan that identifies only the more common, severe and otherwise important vulnerabilities. AppScan fix packs and iFixes keep you up to date with the latest optimization filters. Using Test Optimization can greatly reduce overall scan time when fast results are more important to you than a thorough, in-depth scan.
Test Optimization is applied on top of whichever Test Policy you select for the scan, so not all tests in the policy are sent. Note that the optimization setting makes no difference to the Explore stage; it is the (much longer) Test stage that can be greatly shortened.
| Setting | Vulnerability coverage* | Test stage speed | Suggested use |
|---|---|---|---|
| No optimization | Maximum | Full-length scan (as configured) | For security experts before a major release, for compliance testing, and for benchmarks, when a longer scan will not interrupt your development workflow. With this setting all issues in the selected Test Policy are tested for. |
| Fast (default) | ~97% | Up to twice as fast | For security experts for their more frequent scans. |
| Faster | ~85% | Up to five times as fast | For DevSecOps, during ongoing evaluation. |
| Fastest | ~70% | Up to ten times as fast | For Dev and QA during initial evaluation. |
See also: Understanding Test Optimization