Cadet 2nd Class

scan policies

Hi,
I understand the differences between standard, owasp and assault policies. But could someone list out the types of security checks that would be performed under each policy?
Micro Focus Expert

You can review the Policies with the included Policy Manager tool.  This offers several Views for the available checks, including Severity view, Threat Classes view, and Attack Groups (the most granular).  There is also a Search function which permits you to mine select items within the attack database.

Each Policy is a general template of the available attacks that will be used during your scan.  The Standard policy is a good balance between Speed and Thoroughness, attacking both the Platform and the Application.  You could save scan time by using the Application Only or the Platform Only policy.  The Criticals and Highs can be thought of as the "upper half" of the Standard policy.  Browsing through the other Policies, you can understand how they may be different from these.  Each one also offers a Description when you open it in the Policy Manager.

If you just want to know all the checks enabled, there is no direct method.  You might open the Securebase file with SQL Studio and query it, or run an interrupted Audit-Only scan using the All Checks policy and then generate an Attack Status report to list everything enabled.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify