Policies

You can create policies, or use the pre-defined ones, to filter the issues discovered in scans, and associate one or more policies with an application.
ASoC currently includes five pre-defined policies. You can also create your own custom policies from the pre-defined functions. Policies can be created and managed through the user interface and through the REST API.
Note: When you associate one or more policies with an application, each policy is enabled by default. You can disable a policy while keeping the association, and re-enable it later.
Note: When a policy is deleted, all of its associations are removed.

Predefined policies and functions

Currently there are six pre-defined policies and eight pre-defined functions. All pre-defined policies are available through the user interface as well as through the API.
Table 1. Pre-defined Policies

Baseline
  Identifies issues discovered after the date set in the StartDate parameter.

CWE/SANS top 25
  Identifies issues defined by the SANS Institute and the Common Weakness Enumeration (CWE) list as one of the top 25 most critical errors that can lead to vulnerabilities in software.

European Union General Data Protection Regulation (GDPR)
  Identifies issues that could render the application out of compliance with the General Data Protection Regulation, which becomes enforceable in May 2018.

HIPAA
  Identifies issues that fail to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

OWASP top 10 2017
  Identifies issues defined by the Open Web Application Security Project (OWASP) as one of the top ten most critical web application security risks.

PCI compliance
  Identifies issues that fail to comply with the Payment Card Industry (PCI) data security standard.
Table 2. Pre-defined Functions

StartDate
  Parameters: a date (optionally with a time) in one of the following formats:
    • "yyyy-MM-dd"
    • "yyyy-MM-ddThh:mmZ" (UTC)
    • "yyyy-MM-ddThh:mm+hh:mm" (local time +/- UTC offset)
  Description: Returns issues discovered after the specified date (and time).
  Examples:
    Date only: 2018-04-24
    UTC time: 2018-04-24T10:30Z
    Local time +/- UTC offset: 2018-04-24T11:30+01:00 or 2018-04-24T07:30-03:00

MinSeverity
  Parameters: a severity, one of "Information | Low | Medium | High | Critical"
  Description: Returns issues whose severity is equal to or greater than the specified severity.

OwaspTop10_2017
  Parameters: N/A
  Description: Returns issues defined by OWASP as a top 10 security risk.

SansTop25
  Parameters: N/A
  Description: Returns issues defined by the SANS Institute as a top 25 critical error.

EUGdpr_2016
  Parameters: N/A
  Description: Returns issues that render the application out of compliance with the GDPR.

CWE
  Parameters: a list of CWE IDs
  Description: Returns issues that correspond to the specified CWE IDs.

PCI
  Parameters: N/A
  Description: Returns issues that render the application out of compliance with the PCI data security standard.

HIPAA
  Parameters: N/A
  Description: Returns issues that render the application out of compliance with HIPAA.
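The three StartDate formats and the filtering semantics of the parameterized functions (StartDate, MinSeverity, CWE) can be exercised with a small evaluator. The following Python is an added example written for this page; it is not ASoC code and does not call the ASoC REST API. It assumes a constructed issue-record shape (id, severity, cwe, discovered), treats a date-only StartDate as 00:00 UTC, and combines the functions of one policy by intersection; none of these three assumptions is stated by the page. Validating a StartDate value locally before submitting a policy catches formats the service documents as unsupported, such as a missing "Z" or a single-digit month.

```python
import re
from datetime import datetime, timedelta, timezone

# The three StartDate formats listed in Table 2 (the regexes are this example's own).
_DATE_ONLY = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
_UTC_TIME = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2})Z$")
_OFFSET_TIME = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2})([+-])(\d{2}):(\d{2})$")

# Severity scale from the MinSeverity row, lowest to highest.
SEVERITIES = ["Information", "Low", "Medium", "High", "Critical"]


def parse_start_date(value):
    """Parse a StartDate value into a timezone-aware UTC datetime.

    Assumption (not stated on the page): a date-only value means 00:00 UTC.
    Raises ValueError for a string outside the three documented formats and
    for impossible dates or times (e.g. month 13), which datetime() rejects.
    """
    m = _DATE_ONLY.match(value)
    if m:
        y, mo, d = (int(g) for g in m.groups())
        return datetime(y, mo, d, tzinfo=timezone.utc)
    m = _UTC_TIME.match(value)
    if m:
        y, mo, d, h, mi = (int(g) for g in m.groups())
        return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)
    m = _OFFSET_TIME.match(value)
    if m:
        y, mo, d, h, mi = (int(g) for g in m.groups()[:5])
        sign = 1 if m.group(6) == "+" else -1
        offset = sign * timedelta(hours=int(m.group(7)), minutes=int(m.group(8)))
        local = datetime(y, mo, d, h, mi, tzinfo=timezone(offset))
        return local.astimezone(timezone.utc)  # normalize to UTC for comparisons
    raise ValueError(f"unsupported StartDate format: {value!r}")


def is_valid_start_date(value):
    """True if value is accepted by parse_start_date; check before submitting a policy."""
    try:
        parse_start_date(value)
        return True
    except ValueError:
        return False


def fn_start_date(issues, value):
    """StartDate: issues discovered strictly after the given date/time."""
    cutoff = parse_start_date(value)
    return [i for i in issues if parse_start_date(i["discovered"]) > cutoff]


def fn_min_severity(issues, value):
    """MinSeverity: issues whose severity is equal to or greater than value."""
    if value not in SEVERITIES:
        raise ValueError(f"unknown severity: {value!r}")
    floor = SEVERITIES.index(value)
    return [i for i in issues if SEVERITIES.index(i["severity"]) >= floor]


def fn_cwe(issues, cwe_ids):
    """CWE: issues whose CWE ID is in the given list (IDs may be ints or strings)."""
    wanted = {int(c) for c in cwe_ids}
    return [i for i in issues if i["cwe"] in wanted]


FUNCTIONS = {"StartDate": fn_start_date, "MinSeverity": fn_min_severity, "CWE": fn_cwe}


def apply_policy(issues, policy):
    """Apply a custom policy given as a list of (function name, parameter) pairs.

    Assumption (not stated on the page): functions combine by intersection,
    so an issue must pass every function to be reported.
    """
    result = list(issues)
    for name, param in policy:
        result = FUNCTIONS[name](result, param)
    return result


# Constructed sample issues (not real scan output); "discovered" reuses the StartDate formats.
ISSUES = [
    {"id": "A", "severity": "High", "cwe": 79, "discovered": "2018-04-24T12:00Z"},
    {"id": "B", "severity": "Low", "cwe": 89, "discovered": "2018-04-23T23:00Z"},
    {"id": "C", "severity": "Critical", "cwe": 89, "discovered": "2018-04-25"},
    {"id": "D", "severity": "Medium", "cwe": 22, "discovered": "2018-04-24T11:30+01:00"},
]

if __name__ == "__main__":
    # 07:30 at UTC-03:00 is 10:30Z; D was discovered exactly then, so it is not "after".
    policy = [("StartDate", "2018-04-24T07:30-03:00"), ("MinSeverity", "Medium")]
    print([i["id"] for i in apply_policy(ISSUES, policy)])  # ['A', 'C']
```

The two offset examples from the table resolve to the same instant as the UTC example, which is why normalizing to UTC before comparing matters: an issue discovered at 11:30+01:00 must not be treated as later than one discovered at 10:30Z.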