Absent Member.

Should we use Standard policy or Mobile policy to scan a mobile web site?


Should we use Standard policy or Mobile policy to scan a mobile web site?

Is it valid to capture requests with the Web Proxy by operating the web site on a laptop, or must they be sent from a mobile device?


Accepted Solutions
Micro Focus Expert

Hard to say, but I think either will work acceptably for the Mobile Web Site Scan.  We always used Custom Header tricks (User-Agent) and the Standard Policy in the days before the Mobile Policy came into being...

From the Policy Manager, here are the Policy Descriptions for those two.  The Standard Policy is the de facto Policy for all scans, and it is a balance between Speed and Thoroughness, targeting both the Application and the Platform.

Mobile Policy:

A mobile scan will detect security flaws based on the communication observed between a mobile application and the supporting backend services.

Standard Policy:

A standard scan includes an automated crawl of the server and performs checks for known and unknown vulnerabilities at the web server, web application server and web application layers.  A standard scan does not run checks that are likely to create denial-of-service conditions, so it is safe to run on production systems.

Switching over to the Guided Scan Wizard and the WebInspect Help (F1), we find these details.  However, either template still defaults to using the Standard Policy.   😕

Mobile Scan Template

Using the Mobile Scan template to create a mobile Web site scan allows you to scan the mobile version of a Web site using the desktop version of your browser from within WebInspect or WebInspect Enterprise.

(often referred to, yet different, when asking about Mobile scanning...)

Native Scan Template

WebInspect and WebInspect Enterprise allow you to scan the back-end traffic generated by your Android or iOS app or service. Traffic can be generated by running your application on an Android, Windows, or iOS device, or by running the software through an Android or iOS emulator.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
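
The User-Agent custom-header approach mentioned in the answer only matters if the site actually serves a different variant to mobile browsers. The following is an added example, not part of the original post and not WebInspect code: a pre-scan check, run from a laptop, that compares what a desktop and a mobile User-Agent receive. The User-Agent strings, function names and the local demo site are constructed for illustration.

```python
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample User-Agent strings (assumptions, not taken from the post).
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
# Ignore proxy environment variables so the local demo is reached directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class DemoSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a site that picks its variant by User-Agent."""
    def do_GET(self):
        mobile = "Mobile" in self.headers.get("User-Agent", "")
        body = b"<html>mobile layout</html>" if mobile else b"<html>desktop layout</html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def fetch(url, user_agent):
    """Return (final URL after redirects, SHA-256 of the body) for one User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with OPENER.open(req, timeout=5) as resp:
        return resp.geturl(), hashlib.sha256(resp.read()).hexdigest()

def varies_by_user_agent(url):
    """True if the mobile User-Agent is redirected elsewhere or gets a different body."""
    return fetch(url, DESKTOP_UA) != fetch(url, MOBILE_UA)

def run_demo():
    """Start the constructed site on a free local port and run the check against it."""
    server = HTTPServer(("127.0.0.1", 0), DemoSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return varies_by_user_agent(f"http://127.0.0.1:{server.server_port}/")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("response varies by User-Agent:", run_demo())
```

If the check returns True for the real target, traffic captured from a desktop browser without the mobile User-Agent header will exercise the desktop variant rather than the mobile one. Pages with per-request dynamic content (timestamps, tokens) will also differ, so confirm a True result by inspecting the two responses.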
