A Scan Policy is a set of instructions for the web scanner and crawler on what they should do during a web application security scan. In a Netsparker Cloud Scan Policy you can configure the list of web security checks the target website should be scanned for, crawling & attack, HTTP connection, autocomplete and several other settings.
The Need to Optimize Scan Policies
Before looking into how to manage the scan policies in Netsparker Cloud, it is important to point out that what you configure in the Scan Policy can have an impact on duration of the scan, hence it is important to optimize the scan policies. You can read more about this subject in the post Optimize Netsparker Scan Policies for Quicker and More Efficient Web Application Security Scans.
Use the Scan Policy Optimizer for Automated Optimization
Netsparker Cloud online web application security scanning service has a built-in wizard based Scan Policy optimizer which you can use to automatically create a Scan Policy for your target website(s) within just a few seconds. Should you wish to manually optimize the Scan Policies you can still do so as explained in this post.
Managing Scan Policies in Netsparker Cloud
You can manage the Netsparker Cloud scan policies from the Scan Policies node in the Policies menu.
Default Scan Policies in Netsparker Cloud
By default Netsparker Cloud has the following Scan Policies:
- Default Security Checks which includes all the security checks.
- DotNet Policy which can be used to scan .Net applications.
- WAVSEP which can be used to perform test scans on the Web Application Vulnerability Scanner Evaluation Project.
Default Scan Policies cannot be modified or deleted. If you would like to modify a default Scan Policy click the Clone button next to the Scan Policy name, modify it as per your requirements and save as a new scan policy.
Creating a New Scan Policy
To create a new Scan Policy you can either clone an existing Scan Policy by clicking Clone next to an existing scan policy name or create a new one by clicking New Scan Policy.
In the New Scan Policy page specify a name and description. Should you wish other users to use your scan policy tick the option Is Shared. For more information on sharing scan policies refer to the section Sharing Scan Policies further down in this post.
Configuring the List of Security Checks
By default all the security checks will be enabled in a new Scan Policy. Browse through the list and disable the security checks you do not want to run during a web security scan.
Configuring All the Other Options
All the other options in the Scan Policy such as the Crawling, Attacking and Ignored parameters will retain the default values unless configured otherwise. Hence you only need to configure those options you want to change.
Sharing Scan Policies
The Scan Policies you create will be tagged as Mine and by default they can only be used by you, hence why they are also tagged as Private.
If when creating a Scan Policy you tick the option Is Shared specify with which groups the Scan Policy should be shared so anyone who has access to such groups can use your Scan Policy. By sharing your Scan Policies users can use and clone your Scan Policy but they cannot modify it.
Scaling Up and Netsparker Cloud Scan Policies
You might not necessarily need to optimize the Scan Policies when scanning a small number of websites, especially if they are not complex web applications. Though when scaling up and you have to scan 100s or 1000s of websites you cannot afford not configuring Scan Policies. The time you need to configure the Scan Policies will be much less than the time the scanner needs to scan complex websites. And anyway, with the automated Scan Policy optimizer it will only take you a few seconds to optimize the Scan Policies.