A Scan Policy is a list of web application security scan settings. When you want to run a Scan, you attach it to a Scan Policy.
Even though Netsparker Enterprise is an online web application security service, it is also a fully configurable web application security scanner. Every aspect of a security scan can be configured using a Scan Policy, including:
- Which web vulnerability checks should run during a scan
- HTTP connection options
- Predefined form values
- URL rewrite rules
- Autocomplete options
- Crawling and attacking options
- What reports should be generated
- How issues are managed
What you configure in the Scan Policy can have an impact on the duration of the scan, so it is important to optimize your Scan Policies. For further information, see Optimize Netsparker Scan Policies and Automatically Optimize Scan Policies.
The main advantages of having Scan Policies are:
- Web application security scans take much less time to complete.
- Less bandwidth is consumed during a scan.
- Much less stress is generated on the web application.
- They can be reused in future scans, rather than reconfiguring each time.
- You can disable the web security checks that are irrelevant to your scenario.
Default Scan Policies
Default Scan Policies cannot be modified or deleted. However, you can clone a default (built-in) Scan Policy and modify the clone.
Netsparker Enterprise has the following built-in Scan Policies:
- Default Security Checks includes all Netsparker security checks (ideal if you are not familiar with the target web application)
- DotNet Policy is relevant for scanning .NET applications
- WAVSEP, which is used to conduct test scans on the Web Application Vulnerability Scanner Evaluation Project
Netsparker Standard has the following built-in Scan Policies:
- All Security Checks includes all Netsparker security checks (ideal if you are not familiar with the target web application)
- All Security Checks (MS SQL) is recommended if the target web application uses Microsoft SQL Server as a database backend
- All Security Checks (MySQL) is recommended if the target web application uses MySQL database server as a database backend
- All Security Checks (Oracle) is recommended if the target web application uses Oracle server as a database backend
- All Security Checks (PostgreSQL) is recommended if the target web application uses PostgreSQL server as a database backend
- Extensive Security Checks contains all the security checks included in the All Security Checks scan policy plus some additional attack patterns for uncommon, edge-case scenarios (including checks for DOM XSS vulnerabilities and Local File Inclusion), and tends to take a considerable amount of time because of the nature of such checks
How to Use Default Scan Policies in Netsparker Enterprise
- Navigate to the New Scan window.
- From the General tab, in the Scan Policy section, click the dropdown.
- Select the Scan Policy you want to use.
How to Use Default Scan Policies in Netsparker Standard
- Navigate to the Start a New Website or Web Service Scan dialog.
- In the Scan Policy section, click the dropdown arrow. A list of default Scan Policies is displayed.
- Select the one you want to use.