Test policy and optimization

Define the collection of tests that will be sent to the application during testing (the test policy), and apply optimization for faster scans at times in the product lifecycle when speed is more important to you than scan depth.

Test policy

The number of possible AppScan tests for a site can reach the thousands. Rather than manually filter the large number of tests and test variants, you can set a "policy" for the type of tests you want to be run on your application.

The Test policy field shows the current policy for the scan.

  • Click the drop-down, or Browse, to select a different policy
  • Click Manage test policy to view the details of the selected policy, edit it, or create a user-defined test policy of your own
Tip:
  • If you apply test optimization to the configuration, some of the vulnerabilities in your selected policy may not be tested for. Therefore, if you selected the "Complete" Test Policy, and want all its tests to be sent, you should set optimization to No optimization.
  • While you can enable specific tests on the test policy page, note that the actual tests sent during the scan might be influenced by your environment settings on the environment definition page. If certain tests are disabled or minimized based on your environment specifications (e.g., Windows vs. Linux), they will not be sent, even if they are enabled here.

Field/Pane/Option   | Details
--------------------|------------------------------------------------------------------------------------------------
Test policy         | Shows the name of the current Test Policy. Click the drop-down, or Browse, to select a different policy.
Manage test policy  | Click to view the details of the selected policy, edit it, or create a user-defined test policy of your own. See Editing a test policy.

Test optimization

Test Optimization uses AppScan’s intelligent test filtering to achieve faster scans, when speed is needed, with minimal loss of issue coverage. You choose between four optimization levels depending on your needs.

A full regular AppScan Standard scan typically sends thousands of tests and may take hours, in some cases days, to complete. During the early stages of development, or for a quick overall evaluation of the current security posture of your product, you can use Test Optimization to get the results you need in a shorter time frame, by choosing a balance between speed and issue coverage. There are three levels of optimization (in addition to No optimization), and the table below shows suggested use cases for each setting.

Our intelligent test filters are based on statistical analysis, and filter out certain tests – or even specific test variants – to produce a shorter scan that identifies the more common, severe and otherwise important vulnerabilities only. AppScan fix packs and ifixes keep you up-to-date with the latest optimization filters. Using Test Optimization can greatly reduce overall scan time when fast results are more important to you than a thorough, in-depth scan.

Test Optimization is applied to whichever Test Policy you select for the scan, so not all tests in the policy are sent. Note that the optimization setting makes no difference to the Explore stage; it is the (much longer) Test stage that can be greatly reduced.

Setting          | Vulnerability coverage* | Test stage speed                 | Suggested use
-----------------|-------------------------|----------------------------------|------------------------------------------------------------------------------------------------
No optimization  | Maximum                 | Full length scan (as configured) | For security experts before a major release, compliance testing, and benchmarks, when a longer scan will not interrupt your development workflow. With this setting all issues in the selected Test Policy are tested for.
Fast (default)   | ~97%                    | Up to twice as fast              | For security experts for their more frequent scans.
Faster           | ~85%                    | Up to five times as fast         | For DevSecOps, during ongoing evaluation.
Fastest          | ~70%                    | Up to ten times as fast          | For Dev and QA during initial evaluation.

* Compared with an equivalent, non-optimized scan, and applies to actual Vulnerabilities, not Informational Issues.
Important: The values shown in the table above are estimates based on some typical applications, but the actual reduction in scan time and extent of issue coverage will vary depending on your specific application.
Tip: If optimization is applied, some of the vulnerabilities in your selected Test Policy may not be tested for. Therefore, if you are using the "Complete" Test Policy, and want all its tests to be sent, you should disable Test Optimization by selecting No optimization.
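The page describes three filters that decide which tests actually reach the application: the Test Policy enables a set of tests, the environment definition can disable tests that do not apply to the target platform, and Test Optimization drops further tests or variants. The following is an added illustration, not AppScan's own code or algorithm: it models those three filters in order, with a constructed test catalog, a hypothetical "priority" ranking standing in for AppScan's statistical filters, and an `explain_not_sent` helper that tells you which filter removed a given test. Test names, policies, platforms and cutoffs are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Optimization(IntEnum):
    """The four settings from the table above."""
    NO_OPTIMIZATION = 0
    FAST = 1
    FASTER = 2
    FASTEST = 3


@dataclass(frozen=True)
class Test:
    test_id: str
    platforms: frozenset   # platforms the test applies to; empty = all platforms
    priority: int          # constructed ranking: 1 = most common/severe ... 4 = least


# Constructed catalog standing in for the thousands of real tests.
CATALOG = [
    Test("XSS-reflected",         frozenset(),            1),
    Test("SQLi-error-based",      frozenset(),            1),
    Test("Path-traversal-unix",   frozenset({"linux"}),   2),
    Test("IIS-short-name",        frozenset({"windows"}), 2),
    Test("HTTP-TRACE-enabled",    frozenset(),            3),
    Test("Verbose-server-banner", frozenset(),            4),
]

# Hypothetical policies: "Complete" enables everything, a narrower one does not.
POLICIES = {
    "Complete": {t.test_id for t in CATALOG},
    "Application-Only": {"XSS-reflected", "SQLi-error-based",
                         "Path-traversal-unix", "IIS-short-name"},
}

# Hypothetical stand-in for AppScan's statistical filters: each optimization
# level keeps only tests whose priority is at or below a cutoff.
PRIORITY_CUTOFF = {
    Optimization.NO_OPTIMIZATION: 4,   # everything in the policy is sent
    Optimization.FAST: 3,
    Optimization.FASTER: 2,
    Optimization.FASTEST: 1,
}


def applies_to_platform(test: Test, platform: str) -> bool:
    return not test.platforms or platform in test.platforms


def effective_tests(policy_name: str, platform: str, optimization: Optimization) -> list:
    """Tests that survive policy -> environment -> optimization, in sorted order."""
    enabled = POLICIES[policy_name]
    cutoff = PRIORITY_CUTOFF[optimization]
    return sorted(
        t.test_id for t in CATALOG
        if t.test_id in enabled
        and applies_to_platform(t, platform)
        and t.priority <= cutoff
    )


def explain_not_sent(test_id: str, policy_name: str, platform: str,
                     optimization: Optimization) -> str:
    """Report which filter (if any) removed a test from the effective set."""
    test = next(t for t in CATALOG if t.test_id == test_id)
    if test_id not in POLICIES[policy_name]:
        return f"not enabled in policy {policy_name!r}"
    if not applies_to_platform(test, platform):
        return f"disabled by environment (platform {platform})"
    if test.priority > PRIORITY_CUTOFF[optimization]:
        return f"filtered by optimization level {optimization.name}"
    return "sent"


if __name__ == "__main__":
    for level in Optimization:
        print(level.name, effective_tests("Complete", "linux", level))
    print(explain_not_sent("IIS-short-name", "Complete", "linux",
                           Optimization.NO_OPTIMIZATION))
```

Running the block shows the point of the two tips on this page: only "Complete" together with `NO_OPTIMIZATION` sends every applicable test, and a test that is enabled in the policy can still be absent from the scan because of the environment definition or the optimization level.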

See also: Understanding Test Optimization