Qualys SECURE Seal FAQ
- Do I need to install anything on my website to use Qualys SECURE Seal?
- How does Qualys SECURE Seal work?
- Can the Qualys SECURE seal be customized for display on our website?
- How do I find guidelines for displaying the seal on my website?
- How often will our website be tested?
- What happens when an issue is detected?
- What types of issues will take a website out of compliance for Qualys SECURE Seal?
- Why is my website failing with a single vulnerability that lists my blacklisted resources?
- Does Qualys SECURE Seal provide remediation instructions to fix network perimeter and web application vulnerabilities?
- How do Seal scans compare to individual VM and WAS scans?
- Upon scanning my website with SECURE Seal, I am getting numerous emails as a result. How do I stop these emails?
- My SECURE Seal scans identify different perimeter/certificate findings for my website when a new scan was run. Why is this?
- What should I do if malware is found on my website?
- How do I change my password?
- Will Qualys use this scan data for any other purposes?
Do I need to install anything on my website to use Qualys SECURE Seal?
Yes. Once you have created your account and entered your website domain, you are given a snippet of HTML code that you embed on your site. Qualys SECURE Seal will analyze your website from our servers in the cloud with no need for any software to be installed on your web server.
How does Qualys SECURE Seal work?
The Qualys SECURE Seal is simple to install. After purchasing and signing up, you receive a snippet of HTML that you embed on your site. The Qualys SECURE Seal trustmark is displayed automatically on your site after your site passes a Qualys SECURE Seal scan, which consists of the following:
Malware Scan
Evaluates the website for malicious software that could infect site visitors.
Network Perimeter Vulnerability Scan
Identifies externally facing vulnerabilities on the web server that could allow attackers to access information stored on the host.
Web Application Vulnerability Scan
Scans for vulnerabilities in dynamic web applications, such as SQL injection, to ensure consumers interact with websites that safeguard their personal information.
SSL Certificate Validation
Verifies that the website's SSL certificate is valid and current.
Can the Qualys SECURE Seal be customized for display on our website?
No. Do not modify the Qualys SECURE Seal trustmark in any way. See the SECURE Seal Usage Guidelines for details on displaying the trustmark. This document outlines the seal specifications and display requirements (sizing and clear space).
How do I find guidelines for displaying the seal on my website?
Please see the SECURE Seal Usage Guidelines document for information about displaying the seal on your website.
How often will our website be tested?
Qualys will automatically scan your site on a recurring basis:
- Malware Scan – daily
- Network Perimeter Vulnerability scan – weekly
- Web Application Vulnerability scan – weekly
- SSL Certificate Validation – weekly
You may also scan your site “on-demand” at any time.
What happens when an issue is detected?
If Qualys SECURE Seal identifies an issue during a scan, you are sent an email notification. The email directs you to log in to the Qualys SECURE Seal portal to review and fix the security issue(s) identified by the scan.
The Qualys SECURE Seal trustmark is only displayed by merchants who remediate discovered malware and critical vulnerabilities on their website within the specified grace period of 72 hours. Should the issue(s) remain unresolved beyond 72 hours, the Qualys SECURE Seal trustmark will be revoked and no longer displayed until the problems have been resolved. You may re-scan your site at any time via the Qualys SECURE Seal portal.
What types of issues will take a website out of compliance for the Qualys SECURE Seal service?
Qualys SECURE Seal identifies malware and vulnerabilities when the scan is conducted. The Qualys SECURE Seal will be removed if security issues, including but not limited to the following, are detected:
- Malware of any type
- Validation issues associated with the SSL Certificate
- Critical severity Perimeter Vulnerabilities
- Cross-Site Scripting (XSS) issues
- Susceptibility to SQL Injection, Command Injection, HTTP Response Splitting, Local or Remote File Inclusion Vulnerabilities
- The login form is not being submitted over an encrypted channel
Why is my website failing with a single vulnerability that lists my blacklisted resources?
Your website will fail our security tests if you have added a list of blacklisted resources for your website. The finding reports the blacklisted resources that were defined for the website at the time of the scan. Important: when there are blacklisted resources, all SECURE Seal scans will fail and the seal will not be displayed on your website. To display the seal, follow these steps:
- Go to the website details.
- Click "Edit WAS Scan Options" under Actions and remove all of the site's blacklisted resources.
- Launch a SECURE Seal scan. You can wait for the next scheduled scan or click "Scan Now" to start the scan right away.
If there are pages that you believe should not be included in the Seal scan, select "Request Exception" in the management portal.
Does Qualys SECURE Seal service provide remediation instructions to fix network perimeter and web application vulnerabilities?
Yes. Qualys provides links to fixes or workarounds from scan results to help network administrators remedy vulnerabilities. Our Security Engineers have validated each solution in our vulnerability lab to ensure that they function as specified for the appropriate operating system.
How do Seal scans compare to individual VM and WAS scans?
All Seal scans are run from the cloud and examine only internet facing websites. Seal uses the URL of the website to identify the target. There are no configuration options for Seal scans in contrast to both VM and WAS scans which both have a wide range of configuration options.
The Seal VM scan begins with TCP and UDP host discovery using the 'Standard Scan' configuration in VM, which examines approximately 1900 TCP ports and 180 UDP ports. Once port discovery is completed, a complete vulnerability scan is conducted. The scan is done intelligently, meaning that the discovery results and ongoing scan results guide the subsequent checks. For example, if the scans show that the web server is Microsoft IIS, the vulnerability scan will not launch checks against a Linux web server.
Seal WAS scans cover a subset of the full WAS scans, returning results for the most critical vulnerabilities.
Upon scanning my website with SECURE Seal, I am getting numerous emails as a result. How do I stop these emails?
You have encountered a form on your website that is designed to send emails. When the service is scanning for web application vulnerabilities, the web crawler exercises these forms. In order to prevent the emails from being sent, you will need to update your website's source code. This can be done as follows:
- Modify your website's code for the forms to NOT send emails. This is best business practice.
- Add a spam rule to your website's code to throw away emails from "email@example.com", or emails from your website that have the value "firstname.lastname@example.org" in them. This is the default email address that the SECURE Seal web application scanner uses for injecting email form fields.
- Add a list of blacklisted resources for your website while you are remediating security issues. Go to the website details section and click "Edit WAS Scan Options" under Actions. You have the ability to add a list of blacklisted resources for WAS scans. Important: When there are blacklisted resources, all SECURE Seal scans will fail and the seal will not be displayed on your website. To display the seal you must first remove all of the site's blacklisted resources, and then launch a SECURE Seal scan.
The SECURE Seal service needs to run security tests on all forms it encounters on a website to be sure all forms are not susceptible to SQL injection, Cross-Site Scripting (XSS), or other security issues.
My SECURE Seal scans identify different perimeter/certificate findings for my website when a new scan was run. Why is this?
When you added your website, if you selected the option "Let Qualys Choose Each Time", the service selects an IP address each time you run a SECURE Seal scan based on the network information available at the time of the scan. It is possible that successive scans target different IP addresses. In this case the perimeter findings and the certificate findings may differ between scans, and this may cause your SECURE Seal scans to fail.
What should I do if malware is found on my website?
If malware is detected on your website there are many ways that it can be hiding in your source code. Please carefully review the malware details provided by the Malware Detection Service.
The ideal way to remove malware is to use a known, clean backup to restore your site. You need to be certain that the backup is clean and no changes have been made to the site since the backup.
To remove malicious code, remove the suspicious block of script identified by the service in the malware details. You can look at malware details per web page in the malware scan details. Alternatively you can look at malware details by Qualys ID [QID] in the malware findings section and once you verify that the block of script doesn’t belong, that section should be removed.
These are additional ways you can identify malware within an affected web page:
- Identify a block of script that is completely obfuscated. This means you see a run of seemingly random characters or numbers inside script tags on your page. One way to find such blocks of script is to search for "eval(base64_decode(", which will be followed by the obfuscated code.
- Look for cases of "<script src=" followed by a site or file that you don't recognize as valid. To verify whether a script file has been compromised, look at the contents of the script file and try to identify things that are out of place.
- Look for every "<iframe src" tag on your page and locate any that don't belong. The "src" will usually point to a site not in your control, and the frame is typically hidden using attributes like "height=0 width=0" or "style=display:none". Be aware that advertisers tend to use similar methods for legitimate ad tracking.
- Identify new files with suspicious or unknown names. Some files may also be in a suspicious location, such as a .php file in your /images folder.
Once you have cleaned up your website, please rescan using the SECURE Seal service to verify the malicious content is gone (see Remediation). Important Note: While fixing your website code cleans up the website, it probably doesn't close the hole that allowed the content to get there in the first place. Please ensure your machines are fully patched and any vulnerabilities identified in the SECURE Seal VM and WAS scans are remediated.
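The manual checks listed above can be turned into a first-pass triage script. The following is an added example, not part of the Qualys service or this FAQ; it runs the same four heuristics (obfuscated eval/base64_decode blocks, script sources on hosts you do not own, hidden iframes pointing off-site, and .php files under /images) over a constructed sample page, and assumes a hypothetical allowlist OWN_HOSTS of hostnames the site owner controls.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not a real site) containing the patterns the FAQ describes.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-shop.test/js/app.js"></script>
<script src="http://unknown-host.test/x.js"></script>
<script>eval ( base64_decode("aGVsbG8=") );</script>
</head><body>
<iframe src="https://ads.partner.test/t" height="0" width="0"></iframe>
<iframe src="https://www.example-shop.test/help" style="display:none"></iframe>
</body></html>
"""

# Assumed allowlist: hosts the site owner recognises as their own.
OWN_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
IFRAME = re.compile(r'<iframe\b([^>]*)>', re.I)
EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(', re.I)
HIDDEN = re.compile(r'height=["\']?0|width=["\']?0|display\s*:\s*none', re.I)

def find_indicators(html, own_hosts):
    """Return (kind, detail) findings for the FAQ's manual page checks."""
    findings = []
    # Check 1: obfuscated payload fed straight into eval().
    if EVAL_B64.search(html):
        findings.append(("obfuscated-eval", "eval(base64_decode("))
    # Check 2: external scripts loaded from hosts the owner does not control.
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host not in own_hosts:
            findings.append(("unknown-script-src", src))
    # Check 3: hidden iframes pointing off-site (legitimate ad tracking can look the same,
    # so a finding here still needs a human to confirm it).
    for attrs in IFRAME.findall(html):
        m = re.search(r'src=["\']([^"\']+)', attrs, re.I)
        host = urlparse(m.group(1)).hostname if m else None
        if host and host not in own_hosts and HIDDEN.search(attrs):
            findings.append(("hidden-foreign-iframe", m.group(1)))
    return findings

def suspicious_files(paths):
    """Check 4: server-side scripts sitting in a static assets folder."""
    return [p for p in paths if "/images/" in p.lower() and p.lower().endswith(".php")]

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_HTML, OWN_HOSTS):
        print(f"{kind}: {detail}")
```

Every finding is a lead to verify by hand against a known-good copy of the page, not a verdict.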
How do I change my password?
In the upper right of the management portal, under the "Welcome (your name)" drop-down, there is an option to change your password. Simply enter your current password and the new password (twice).
Will Qualys use this scan data for any other purposes?
Yes. The scan data will be used in aggregate with other scans to improve the accuracy of the scanning service and to identify new threats and trends across the internet. The scan data is securely stored and handled. All use of the data is fully anonymized and can’t be tracked to any specific IP address or website, so there is no danger of information about your website ever being disclosed.