Web Application Security via the Cloud
- Scale seamlessly from a handful of apps to thousands
- Cloud automation, no hardware to deploy
- Fast setup, always up-to-date
- No specialized expertise required
Identify OWASP Top 10 Risks
- Accurately find OWASP Top 10 vulnerabilities and learn how to eliminate them
- Scan for SQL injection, XSS, CSRF, URL redirection, etc.
- Qualys is a Premier Corporate Member of OWASP
Find Hidden Malware
- Automatically find and eradicate malware infections on your websites
- Continuously monitor your websites for new infections with regularly scheduled scans and email alerts
Protect With Qualys WAF
- Find vulnerabilities with WAS, then mitigate with WAF from the same place
- Block direct access to app servers
- Add security without modifying apps
“We found Qualys WAS ideal for our need to assess thousands of websites with
Qualys Web Application Scanning
Qualys Web Application Scanning (WAS) is a cloud service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure a large number of websites. It also proactively scans websites for malware infections and alerts website owners, helping prevent blacklisting and damage to brand reputation.
Why Qualys WAS?
Built on the world’s leading Cloud security and compliance platform, Qualys WAS frees you from the substantial cost, resource and deployment issues associated with traditional software products. Known for its fast deployment, ease of use, and unparalleled scalability (scan thousands of web applications), Qualys WAS is relied upon by leading companies around the world.
Global Scalability and Manageability.
As part of the award-winning Qualys Cloud Platform, Qualys WAS is delivered as a service and managed from a single console, so scanning keeps pace with your web application inventory without new infrastructure:
- Immediate deployment — no hardware to set up, always up-to-date
- Global scalability — add more apps anytime, throughout the world
- Multiple, unified solutions — one console for WAS, WAF, VM and more
- Centralized management — apply policies consistently across apps
- XML APIs — publish data to other enterprise systems (e.g., SIEM)
Automated, Dynamic Deep Scanning.
Application Discovery and Cataloging
Find new and unknown web apps on your network
Web applications can be put onto your network by almost anyone in your organization – and can just as easily be forgotten (large organizations can have hundreds or even thousands of apps). Qualys WAS helps you truly reduce risk by automatically finding the official and “unofficial” apps that may be hiding in your environment.
Customizable Asset Tagging
Organize your data and reports with your own labels
As the number of web apps in your organization grows, keeping them organized is critical to proper security. With Qualys WAS, you can tag your applications with your own labels and then use those labels to control reporting and limit access to scan data.
Scan applications everywhere (perimeter, internal networks and Amazon EC2) accurately and efficiently.
Scalable, High-Accuracy Progressive Scanning (New)
Save time, keep focused on what matters most.
Qualys WAS is designed to reliably find true vulnerabilities without wasting your time with false findings. You can detect OWASP Top 10 risks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and URL redirection – then prioritize them and focus on the issues that will have the most impact. Scans automatically update vulnerability statuses to provide you with key information about what issues are new, ongoing and fixed. And with the new Progressive Scanning option, you will get even better coverage over multiple scans and enable continuous testing of your web applications.
Automatically login to test like a real user.
Simply specify a username and password; Qualys WAS automatically identifies login forms and authenticates so that scans operate as if they were real users. Multiple web app authentication methods (including Form, HTTP Basic, NTLM and Digest) provide compatibility with a wide range of applications. For advanced authentication, login actions can be recorded and played back through Selenium, the open source browser automation system that is widely used for web app functional testing.
MultiScan, Scheduled & On-Demand Scanning (New)
Scalable scans scheduled for exactly when you want them.
With MultiScan you can launch hundreds to thousands of scans with a few clicks. You can start scans immediately or schedule them to run at a future time, and you can cap how long a scan is allowed to run so that it fits within an allotted maintenance window.
Find hidden malware before it attacks your users.
Protect your organization’s reputation and your users’ security by rooting out malicious code and content that has been hidden in your website or applications. Advanced behavioral analysis helps identify even zero-day malware that eludes anti-virus and anti-spyware packages.
Incorporate Penetration Testing Data
Keep web app testing data in one place.
Store your web app testing data in one place, whether it’s from manual penetration testing tools such as Burp Suite or Qualys automated scans. Avoid reinventing your manual tests and get a complete view of vulnerabilities across your applications.
Identify the highest business risks and take action.
Industry Standard Reporting (OWASP)
Zero in on OWASP Top 10 Risks.
The Open Web Application Security Project (OWASP) Top 10 list has become the industry standard for categorizing the most critical risks faced by web apps. Qualys WAS enables you to accurately find these vulnerabilities – including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and URL redirection – and learn how to efficiently eliminate them. Qualys is a Premier Corporate Member of OWASP.
Highly-Customized Reporting (New)
Get the big picture and drill into the details.
Take your scan results from data to insights to action in minutes. With Qualys WAS’s highly-customizable, interactive reporting, you can perform powerful analyses of your scans across many applications at once and tailor how the results are presented to different audiences with customized report templates.
Unified, Interactive Dashboard
Understand the security of your apps at a glance.
See a comprehensive view of completed scans, reports and identified vulnerabilities on a single screen. With Qualys WAS, you can scan applications anywhere – inside your network, hosted on the Internet, or based in the Cloud – and manage the results together.
Rapidly harden web apps with integrated WAF.
Complete Web Security with WAF Integration
Detect with WAS, protect with WAF.
Qualys WAF works together with Qualys Web Application Scanning (WAS) to provide true, integrated web application security. From a single console, you can detect application vulnerabilities with WAS and then rapidly protect them from attack with WAF, even at global scale. The Qualys Cloud Platform keeps everything in sync, avoiding the redundancies and gaps that come with trying to glue together separate, siloed solutions.
Integrate scan data into other security systems.
A rich set of APIs lets you use the results of your web application scans as a source of valuable information for your other security and compliance systems. Use Qualys WAS with web application firewalls (WAF), security information and event management (SIEM) and enterprise risk management (ERM) solutions.
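The XML API and SIEM integration described here, together with the new / ongoing / fixed status tracking mentioned under Progressive Scanning, can be illustrated with a small converter that turns a WAS-style XML findings export into CEF events for a SIEM. This is an added example, not Qualys code: the element names in the constructed sample response (`ServiceResponse`, `Finding`, `qid`, `severity`, `status`, `webApp/name`) are an assumption modelled on a generic REST response, and the QIDs, hosts and IDs are invented. Confirm the real element names against the WAS API documentation before running it against live output.

```python
# Added example for this datasheet, not Qualys code. Converts a WAS-style XML
# findings export into CEF lines a SIEM can ingest. The XML layout below is an
# assumption; check it against the WAS API documentation.
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Constructed sample response: fake QIDs, hosts and finding IDs.
SAMPLE_XML = """<ServiceResponse>
  <responseCode>SUCCESS</responseCode>
  <data>
    <Finding>
      <id>1001</id><qid>900001</qid>
      <name>SQL Injection</name>
      <severity>5</severity><status>NEW</status>
      <url>https://shop.example.test/item?id=1</url>
      <webApp><name>Storefront</name></webApp>
    </Finding>
    <Finding>
      <id>1002</id><qid>900002</qid>
      <name>Reflected Cross-Site Scripting (XSS)</name>
      <severity>4</severity><status>ACTIVE</status>
      <url>https://shop.example.test/search?q=a</url>
      <webApp><name>Storefront</name></webApp>
    </Finding>
    <Finding>
      <id>1003</id><qid>900003</qid>
      <name>Open Redirect</name>
      <severity>3</severity><status>FIXED</status>
      <url>https://shop.example.test/go?next=x</url>
      <webApp><name>Storefront</name></webApp>
    </Finding>
  </data>
</ServiceResponse>
"""

# Statuses that still represent exposure; FIXED findings are dropped so the
# SIEM only carries open issues (mirrors new / ongoing / fixed tracking).
OPEN_STATUSES = ("NEW", "ACTIVE", "REOPENED")


def parse_findings(xml_text: str) -> List[Dict[str, str]]:
    """Parse <Finding> elements into plain dicts; fail loudly on API errors."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise ValueError("API call did not succeed: %s" % code)
    findings = []
    for node in root.iter("Finding"):
        findings.append({
            "id": node.findtext("id", ""),
            "qid": node.findtext("qid", ""),
            "name": node.findtext("name", ""),
            "severity": node.findtext("severity", "0"),
            "status": node.findtext("status", "UNKNOWN"),
            "url": node.findtext("url", ""),
            "app": node.findtext("webApp/name", ""),
        })
    return findings


def _esc_header(value: str) -> str:
    # CEF header fields: backslash and pipe must be escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    # CEF extension values: backslash, equals sign and newlines must be escaped.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(finding: Dict[str, str]) -> str:
    """Render one finding as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    # WAS severities run 1-5; CEF expects 0-10, so scale by two.
    try:
        cef_sev = max(0, min(10, int(finding["severity"]) * 2))
    except ValueError:
        cef_sev = 0
    ext_fields = [
        ("externalId", finding["id"]),
        ("request", finding["url"]),
        ("cs1Label", "status"), ("cs1", finding["status"]),
        ("cs2Label", "webApp"), ("cs2", finding["app"]),
    ]
    extension = " ".join("%s=%s" % (k, _esc_ext(v)) for k, v in ext_fields)
    return "CEF:0|Qualys|WAS|1.0|%s|%s|%d|%s" % (
        _esc_header(finding["qid"]), _esc_header(finding["name"]), cef_sev, extension)


def events_for_siem(xml_text: str, statuses: Iterable[str] = OPEN_STATUSES) -> List[str]:
    """Return CEF lines for findings whose status is still open."""
    wanted = set(statuses)
    return [to_cef(f) for f in parse_findings(xml_text) if f["status"] in wanted]


if __name__ == "__main__":
    for line in events_for_siem(SAMPLE_XML):
        print(line)
```

Running the script prints two CEF lines (the SQL injection and XSS findings) and drops the FIXED open redirect. The escaping helpers matter in practice: finding names and URLs routinely contain `|` and `=`, and an unescaped pipe shifts every later header field when the SIEM parses the line.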