ASM Sensitive Parameter Import?

Not logging requests is not really an option as you will be willingly stopping any ability to audit and investigate issues, also potentially breaking regulatory requirements.

I am surprised you actually have 4000 uniquely named sensitive parameters in your application, is it some sort of a medical/health form ?

Remember that first of all if these parameters are form variables they might all have a common prefix (e.g. if your parameter is called "frmHealth_NumberOfHospitalAdmisonsInLast3Years" and all others start from "frmHealth_" you can just create a Wildcard sensitive parameter "frmHealth_*" and that will do the job - easy!

However, if all your sensitive parameters have unique names with no common pattern and cannot be grouped together using a wildcard then you will indeed need create them in the policy individually. It is tricky and requires some work with text editors/Excel/ but it can be done.

Here is how you can import them:

• first of all Export your ASM policy as XML (do not tick the Compact Format)
• obtain the full list of your sensitive parameters (e.g. in text or Excel format)
• open the exported XML policy file using a goot text editor, for example Notepad++

• find the section named "sensitive_parameters" - you will see that your existing sensitive parameters are in this format:

  ``` `password `

• prepare your parameters to be imported to be in the same format (e.g using Excel and concat command), so each parameter you need to import looks like this:

  **mySensitiveParameterNameHere**

• copy paste your list of parameters in the above XML format into the XML policy document just after the last

  tag

• import the XML policy back into ASM

• Done!

Hope this helps,

Sam