We are considering maintaining a set of Active Scan Policies that will be included with all ZAP releases.
These will define the rules and the associated strengths and thresholds that we recommend using in different situations.
You will, of course, still be able to define whatever policies work for you :)
The policies we have so far are (the names may well change):
All Rules:
- A very simple policy that includes all of the rules you have installed.
Developer CI/CD:
- The essential rules we recommend for use in CI/CD.
- No pentester focused rules
- No high false positives
- No long running rules
- Less focus on web server level checks
Developer Standard:
- The rules we recommend for scheduled scans in development.
- As "Developer CI/CD" but with more coverage
Developer Full:
- As "Developer Standard" but with more coverage
- Ideal for companies who want to check everything relevant at this stage
Q/A Standard:
- The rules we recommend for scheduled scans in QA.
- As "Developer Standard" but with more web server level checks
QA Full:
- As "Developer Full" but with more web server level checks
- Ideal for companies who want to check everything relevant at this stage
OWASP Top 10:
- All rules that apply to the latest OWASP Top 10
- To be honest we don't think this is a particularly good set, but many people seem to want it for compliance :/
CASA:
The plan is for these policies to be defined in a new ZAP add-on.
This add-on would be included in all ZAP packages from the next release (2.16.0).
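As an added illustration (not code from Simon's post or the planned add-on), here is how a policy with the "Developer CI/CD" constraints can be expressed today as a ZAP Automation Framework activeScan job: rule durations are capped, the default threshold is Off so only the listed rules run, and thresholds are Medium to keep low-confidence alerts out of a pipeline. The context URL is a placeholder and the four rules are an assumed selection of essential injection checks, not the add-on's actual list.

```yaml
env:
  contexts:
    - name: "app"
      urls:
        - "https://app.example.test"   # placeholder target, not from the post
jobs:
  - type: activeScan
    parameters:
      context: "app"
      maxRuleDurationInMins: 5       # bound any single rule: "no long running rules"
      maxScanDurationInMins: 30      # bound the whole scan to fit a CI/CD stage
    policyDefinition:
      defaultStrength: Low           # fewer requests per rule in CI
      defaultThreshold: "Off"        # every rule disabled unless listed below ...
      rules:                         # ... so the policy is an explicit allow-list
        - id: 40012
          name: "Cross Site Scripting (Reflected)"
          strength: Medium
          threshold: Medium          # Medium: suppress low-confidence findings
        - id: 40018
          name: "SQL Injection"
          strength: Medium
          threshold: Medium
        - id: 90020
          name: "Remote OS Command Injection"
          strength: Medium
          threshold: Medium
        - id: 6
          name: "Path Traversal"
          strength: Medium
          threshold: Medium
```

Note that "Off" is quoted so YAML parses it as the string threshold value rather than as a boolean.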
Some questions for you:
- Do these policies look useful to you?
- Do you think the definitions are correct?
- Are there any other policies you would like us to maintain?
- Any other feedback?
Many thanks,
Simon