Security Automation, powered by the Cloud
Harden web apps against current & emerging threats
Find vulnerabilities with WAS, then mitigate with WAF
Block direct access to app servers
Add security without modifying apps
Address mandates such as PCI DSS 6.6 that require app firewalls
Block access from prohibited countries
Restrict transmission of sensitive types of content or files
Complement network DDoS defenses with protection against HTTP-based attacks
Avoid corruption of apps
Prevent loss of revenue
Preserve customer satisfaction
Cut Costs of
Reduce time, effort & cost of securing your web apps
Automate from the Cloud, no hardware to deploy
Be up and running fast, always up-to-date
Use without specialized expertise
Web Application Firewall
Qualys Web Application Firewall (WAF) is a next-generation cloud service that brings an unparalleled combination of scalability and simplicity to web app security. Its automated, adaptive approach lets you quickly and more efficiently:
on web server vulnerabilities
of sensitive information.
where and when your applications are accessed.
Built on the world’s leading Cloud security and compliance platform, Qualys WAF complements the global scalability of Qualys Web Application Scanning (WAS). Together, they make identifying and mitigating web app risks seamless, whether you have a dozen apps or thousands. Qualys WAF can be deployed in minutes, supports SSL, and doesn’t require special expertise to use. It delivers a new level of web app security and compliance while freeing you from the substantial cost, resource and deployment issues associated with traditional products.
Global Scalability & Manageability
powered by the Qualys Cloud Platform
As part of the award-winning Qualys Cloud Platform, Qualys WAF is designed specifically to be efficient and easy to use, whether you have a few apps or thousands to protect.
- Immediate deployment — no hardware to set up,
- Global scalability — add more apps anytime, throughout
- Multiple, unified solutions — one console for WAF, WAS, VM and more
- Centralized management — apply policies consistently across apps
- XML APIs — publish data to other enterprise systems
Integrated Web App Security:
Detect with WAS, protect with WAF
Qualys WAF works together with Qualys Web Application Scanning (WAS) to provide true, integrated web application security. From a single console, you can detect application vulnerabilities with WAS and then rapidly protect them from attack with WAF, even at global scale. The Qualys Cloud Platform keeps everything in sync, avoiding the redundancies and gaps that come with trying to glue together separate, siloed solutions.
Fast deployment for public or private cloud apps
With Qualys WAF, there is no special hardware to buy or maintain. Instead, virtual machine images containing Qualys WAF sensor software are deployed alongside your web applications (SSL or plain text) in either your public or private cloud environment. These sensor virtual machines scale seamlessly, so you can add new applications quickly and transparently. Application traffic stays within your environment, minimizing latency and allowing you to retain control.
Available in AMI format for Amazon EC2 and in OVA format for VMware vCenter, the WAF sensor virtual machines are fully managed by Qualys 24x7x365. They are easy to deploy, enabling you to start protecting your apps in 30 minutes or less.
Virtual patching and event response
With the latest version of Qualys WAF, users can now create “virtual patch” rules in direct response to their Qualys WAS findings, to enable rapid false positive resolution, as well as customization of security rules tailored for the organization’s environment. This helps customers better tune security policies, quickly remove false positives, and easily customize WAF security rules for web applications.
Qualys WAF also includes customizable event response, helping customers evaluate and create exceptions to web events to better prioritize and mitigate vulnerabilities, making it one of the first end-to-end web application security services to combine WAF security rules and policies with WAS data to address web application security threats.
Easy-to-use, adaptive security policies that are always up-to-date
Qualys WAF brings a new approach to web application security. You simply describe the level of security that you would like for each application with a few quick clicks, and Qualys WAF automatically figures out what to do and how to adapt to different situations. No specialized expertise is required, and there are no complicated rule sets to configure or maintain.
Customizable protection against current and future threats
Qualys WAF provides built-in protection against a wide range of attacks such as Cross-Site Scripting (XSS), SQL injection, corrupted requests, and more. You can easily tailor how Qualys WAF handles different types of threats, from simply logging to actively blocking them. As new threats emerge, additional defenses created by Qualys’ worldwide security experts are automatically added.
Protection against clickjacking, Cross-Site Scripting (XSS), and other browser-based attacks
In addition to defending your apps, Qualys WAF helps protect your users. With Qualys WAF, you can enable security features in modern web browsers – without having to modify your applications – to reduce the likelihood of:
- Cookie stealing
- Cross-site scripting (XSS)
Blocking access from prohibited countries or networks
Qualys WAF helps you comply with policies and regulations that prohibit access to certain types of web applications or information from particular locations. You can restrict access from specific countries or network address blocks, and even set hours of operation.
Preventing transmission of sensitive content or files
With Qualys WAF, you can block users from uploading or downloading content or files that are in formats that aren’t supposed to be used by your application. This can help you limit contamination of your web server and prevent the theft of administrative files (such as backups, source code, or data) that aren’t supposed to be accessed.
Visual dashboard showing status at a glance
Qualys WAF makes it easy to understand the security of all your applications at once. A concise, visual dashboard summarizes the various events that have occurred, when they took place, and where they came from to help you spot unusual patterns.
Interactive insights into potential threats
Qualys WAF categorizes each potential threat it detects according to a variety of attributes, including: the apps affected, severity, geographic location, source network address, how the threat was handled, and more. Interactive filters help you search for unexpected activity and determine how it impacts your applications.
Detailed understanding of each threat
Qualys WAF helps you investigate suspicious activity by providing detailed information about each potential threat it detects. With a click, you can see what happened as well as where and when it took place. Links to Qualys’ comprehensive KnowledgeBase provide additional information about each threat and how to address it.
Qualys is trusted by the majority of the Forbes Global 100 and thousands of organizations big and small!