Skip to main content

Policies

Central to Policy Management are Policies- rules that are the building blocks of your project's security. These rules set the safety standards for your projects. Policies are key to creating a strong and secure foundation for your applications.

You can create, edit, or delete a policy based on your permissions detailed in Access Control. See Permissions for more details.

Creating a Policy

Click Create a New Policy on the top right of the main page in the Policy Management Portal.

The only mandatory field to fill is the name of the policy. A description is optional but strongly recommended for organizational purposes.

Click Continue to navigate to the next stage, where you can create rules and conditions and associate projects with your new policy.

Note

A policy is only saved by clicking the Create Policy button.

Create Rules and Conditions

Rules help you specify what to watch out for in your projects. For instance, you could set a rule to trigger if any High results are found.

To add a rule, click Assign Rule when creating a policy. A new side view will pop up on the right. Start by giving your rule a name. Then, pick the entity type you want the rule to focus on, Vulnerability or Risk Score. This choice affects the conditions you can set for your rules.

Vulnerability

Vulnerability conditions work based on a scan's findings. Currently, there are three types (or subjects) of vulnerability conditions:

  • Severity

    • The severity of a result (Info, Low, Medium or High)

  • Result Status

    • The status of a result (New, Recurrent)

  • Vulnerability Name

    • The name of the vulnerable query (e.g., SQL_Injection)

When dealing with Severity and Status, conditions are based on numbers. You can use different mathematical signs to compare them to any non-negative whole number (including zero). For instance, you might set a rule like High > 0 to check for at least one High result in a scan.

For the Vulnerability Name, as it deals with text values, use the Contains operator to check if the text provided is present in the vulnerability name. In a basic check, it could be something like Vulnerability Name Contains SQL_Injection, or you could explore broader terms like Vulnerability Name Contains Injection, which would match any type of injection, such as an SQL_Injection or a Code_Injection.

Risk Score

After each scan, CxSAST assigns a Risk Score to the project, ranging from 0 to 100. This score indicates the level of risk, with 0 being the lowest and 100 the highest. To set a minimum standard for your projects, you can create a rule like Risk Score >= 75 to identify any project with a Risk Score greater than or equal to 75.

A policy can have one or more rules, and each rule can consist of one or more conditions. A rule is violated only if all its conditions are individually violated. However, a policy violation, which triggers a new incident, only requires one rule in the policy to be violated.

Associate a Project with a Policy

Link a Policy to a project during a policy creation or update. Click Assign Projects to open a side view on the right that shows all the CxSAST projects you can access. Select the projects to associate with the policy, or use the search bar for a quick project lookup if you don't see your project.

Editing a Policy

Any user with permission can edit a policy. Everything, including the name, can be changed. On the Policy Management Portal main page, hover over a policy, click Vertical_Ellipsis.png on the right, and select Edit Policy to open an editing mode similar to creating a policy.

Warning

If you lack permission to view all projects, be cautious while making changes to a policy. Your modifications may impact other associated projects without your awareness.

Deleting a Policy

Warning

Deleting a Policy is irreversible!

Any user with permission can delete a policy. On the Policy Management Portal main page, hover over a policy, click Vertical_Ellipsis.png on the right, and choose Delete Policy. A final confirmation prompt will appear.

Notice

When you delete a policy, any existing incidents related to that policy will still be retained.

Default Policy

A Default Policy is a unique policy automatically linked to all existing projects not associated with any other policy. After an initial scan of your project, you can see the policy's association in the Projects menu.

The Default Policy is mandatory; only one can exist and cannot be deleted. However, you can set a new policy as the Default. In this scenario, the projects connected to the previous Default Policy will maintain their connection. The same rules will also apply to the newly established Default Policy and will be identified accordingly.

When CxSAST Policy Management is initially deployed, it includes a Default Policy named No High Severity Vulnerabilities. This policy is designed to identify any project with at least one High result.

In this section: