Should we use Standard policy or Mobile policy to scan a mobile web site?

Is it valid to capture requests with the Web Proxy by operating the web site on a laptop, or must they be sent from a mobile device?

  • Verified Answer

    Hard to say, but I think either will work acceptably for the Mobile Web Site Scan.  We always used Custom Header tricks (User-Agent) and the Standard Policy in the days before the Mobile Policy came into being...

    From the Policy Manager, here are the Policy Descriptions for those two.  The Standard Policy is the de facto Policy for all scans, and it is a balance between Speed and Thoroughness, targeting both the Application and the Platform.

    Mobile Policy:

    A mobile scan will detect security flaws based on the communication observed between a mobile application and the supporting backend services.

    Standard Policy:

    A standard scan includes an automated crawl of the server and performs checks for known and unknown vulnerabilities at the web server, web application server and web application layers.  A standard scan does not run checks that are likely to create denial-of-service conditions, so it is safe to run on production systems.

    Switching over to the Guided Scan Wizard and the WebInspect Help (F1), we find these details.  However, either template still defaults to using the Standard Policy.   :-/

    Mobile Scan Template

    Using the Mobile Scan template to create a mobile Web site scan allows you to scan the mobile version of a Web site using the desktop version of your browser from within WebInspect or WebInspect Enterprise.

    (often referred to, yet different, when asking about Mobile scanning...)

    Native Scan Template

    WebInspect and WebInspect Enterprise allow you to scan the back-end traffic generated by your Android or iOS app or service. Traffic can be generated by running your application on an Android, Windows, or iOS device, or by running the software through an Android or iOS emulator.