Tool Mentor: Developing a Security Policy using IBM Rational AppScan
This tool mentor provides the main steps that you need to follow when you develop a security policy.
Tool: IBM Rational AppScan
Main Description

Predefined Test Policies

The Policy Files pane at the lower left of the Test Policy view lets you select one of the recently used policies, or one of the predefined ones. The predefined policies provide a range of useful policies for common requirements.

Policy Name            Description
Default                Includes all tests except invasive and port listener tests.
Application-Only       Includes all application level tests except invasive and port listener tests.
Infrastructure-Only    Includes all infrastructure level tests except invasive and port listener tests.
Invasive               Includes all invasive tests (tests that might affect the server's stability).
Complete               Includes all AppScan tests.
Web Services           Includes all SOAP related tests except invasive and port listener tests.
The Vital Few          Includes a selection of tests that have a high probability of success. This can be useful for evaluating a site when time is limited.
Developer Essentials   Includes a selection of application tests that have a high probability of success. This can be useful for evaluating a site when time is limited.

Editing a Test Policy

You can make your own adjustments to the current Test Policy by adding or deleting tests. You can also export the configuration as a user-defined test policy for future use.

To edit a Test Policy:

  1. In the Scan Configuration dialog box, click Test Policy (or select Scan Configuration Wizard > Test Policy). The upper area lists all of the IBM® Rational® AppScan® tests, and indicates which are included in the current scan (check box selected).
  2. Include and exclude tests or variants by selecting or clearing the check box(es). (To view individual variants, click the + icon next to a test Name.)
    • For each test, Name, Severity, Type, Invasiveness, and Threat Class are shown. You can sort tests by any of these fields by clicking the column header.
    • The Search facility lets you search for tests using free text search. Type the text into the Look for field, and click Find Now.
  3. In the Information field at the top left of the dialog box, you can edit the policy description by typing in text.
  4. New tests are continually being added to AppScan's database of tests. By default, all new tests except Invasive tests are added to all user-defined test policies. However, you can define which groups in your policy will be updated:
    • Click Update Settings, select or clear check boxes in the Test Policy Update Settings dialog box as required, then click OK.
    • The dialog box contains three groups: Test Type, Test Invasiveness, and Test Severity. Only the tests that belong to a selected category in all three groups will be added to the current policy, when new tests are added to your AppScan database of tests.
    • For example, if you select High Severity but clear Invasive, high-severity invasive tests will not be added to this policy when updates become available.
  5. You can optionally give the scan a name and save it for future use (click Export, and save it in .policy format).
  6. Click OK to save the changes to the current Test Policy.
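The following Python model is added here and is not part of AppScan or of this tool mentor. It shows how the predefined policies in the table above select tests, and how the all-three-groups rule in the Update Settings step decides which newly released tests enter a user-defined policy; the test catalog, field names and category values are constructed assumptions, not AppScan's own data.

```python
from dataclasses import dataclass

# Constructed model of an AppScan test catalog entry. Field names follow the
# columns shown in the Test Policy view; the sample tests are hypothetical.
@dataclass(frozen=True)
class Test:
    name: str
    test_type: str      # "Application" or "Infrastructure"
    invasiveness: str   # "Invasive" or "Non-Invasive"
    severity: str       # "High", "Medium", "Low"
    port_listener: bool = False

CATALOG = [
    Test("Blind SQL Injection", "Application", "Non-Invasive", "High"),
    Test("Cross-Site Scripting", "Application", "Non-Invasive", "High"),
    Test("Denial of Service", "Infrastructure", "Invasive", "High"),
    Test("Outdated Server Banner", "Infrastructure", "Non-Invasive", "Low"),
    Test("Out-of-band Callback", "Application", "Non-Invasive", "Medium", True),
]

def predefined_policy(name, catalog):
    """Select tests the way the predefined policies in the table above do."""
    safe = [t for t in catalog
            if t.invasiveness != "Invasive" and not t.port_listener]
    if name == "Default":
        return safe
    if name == "Application-Only":
        return [t for t in safe if t.test_type == "Application"]
    if name == "Infrastructure-Only":
        return [t for t in safe if t.test_type == "Infrastructure"]
    if name == "Invasive":
        return [t for t in catalog if t.invasiveness == "Invasive"]
    if name == "Complete":
        return list(catalog)
    raise ValueError(f"unknown policy: {name}")

def apply_update(policy, update_settings, new_tests):
    """Add newly released tests to a user-defined policy.

    update_settings mirrors the Test Policy Update Settings dialog box: the
    three groups Test Type, Test Invasiveness and Test Severity, each mapped
    to the categories left selected. A new test is added only if it falls in
    a selected category in all three groups.
    """
    added = [t for t in new_tests
             if t.test_type in update_settings["Test Type"]
             and t.invasiveness in update_settings["Test Invasiveness"]
             and t.severity in update_settings["Test Severity"]]
    return list(policy) + added
```

With High Severity selected and Invasive cleared, a high-severity invasive test such as the constructed "Denial of Service" entry is skipped by apply_update, which is the case described in the Update Settings step.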

Exporting a Test Policy

To export a Test Policy:

  1. In the Scan Configuration > Test Policy view, edit the policy as required.
  2. Click Export.
  3. Type a name for the policy, and click Save. The file is saved as a .policy file.