- Free Tools and Trials
Try one of Qualys' free on-demand vulnerability management lifecycle tools, or register for one of QualysGuard's 14-day trials to identify and eliminate security vulnerabilities on your network so that you can achieve and maintain compliance. There's nothing to install or download: all you need is a publicly facing IP address and a web browser to scan your network.
Web Application Security that Scales to an Unlimited Number of Web Sites – On Demand
Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Stories about exploits that compromise sensitive data frequently mention culprits such as “cross-site scripting,” “SQL injection,” and “web site misconfigurations.” Vulnerabilities like these often fall outside the traditional expertise of network security managers. The relative obscurity of web application vulnerabilities thus makes them attractive to attackers. As many organizations have discovered, these attacks will evade traditional enterprise network defenses unless new precautions are put into action.
Web application security vulnerabilities usually stem from misconfigurations or from programming errors in a web application's programming language (e.g., Java, .NET, PHP, Python, Perl, Ruby), code library, design pattern, or architecture. These vulnerabilities can be complex and may occur under many different circumstances.
Introducing QualysGuard® Web Application Scanning
To help customers assess and track web application vulnerabilities, Qualys® is introducing a new member to the QualysGuard® Security and Compliance Suite – QualysGuard Web Application Scanning (WAS) 1.0. The new service, delivered on demand, provides automated crawling and testing for custom web applications to identify most vulnerabilities such as those in the OWASP Top 10 and WASC Threat Classification, including SQL Injection and Cross-Site Scripting. Users can manage web applications, launch scans and generate reports using the familiar QualysGuard UI.

QualysGuard WAS Lifecycle
QualysGuard WAS Benefits
- Lowers total cost of operations by automating repeatable testing processes
- Identifies vulnerabilities of syntax and semantics in custom web applications
- Profiles the target application and performs authenticated crawling and auditing
- Improves accuracy and reduces false positives through profiling of web site
- Scales to scan any number of web applications, internal or external in production or development environments, using the QualysGuard Software-as-a-Service (SaaS) platform
How QualysGuard WAS Works:
Crawler Phase
The sophisticated scanning engine features several techniques to effectively crawl a web site. Given only a user name and password, the crawler automatically identifies an HTML form login page, profiles the authentication process, and monitors the session state to ensure an authenticated scan remains authenticated throughout the crawl. The crawler attempts to cover as much of the target web site’s functionality as possible by balancing the breadth and depth of the crawl while avoiding redundant or recursive links. The crawler also profiles custom behaviors of the target web site, such as the appearance of default error pages, and uses the profile information to reduce false positives during the test phase.
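The two crawler-side behaviors described above, session-state monitoring and error-page profiling, can be illustrated with a small piece of added example code. This is not Qualys code and says nothing about how QualysGuard WAS is implemented internally; it assumes a hypothetical crawler that represents each fetched page as a `Response` object, learns the target's default "not found" page by probing a path that cannot exist, and then uses that profile, together with a check that the login form has not reappeared, to decide whether a response is worth testing at all. All responses are constructed inline, so nothing touches the network.

```python
"""
Added example (not Qualys code): two crawler-side checks that a web
application scanner of the kind described above needs in order to keep
an authenticated crawl authenticated and to avoid reporting the site's
own custom error page as a finding. All HTTP responses are constructed
inline; nothing is fetched from the network.
"""
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int   # HTTP status code of the final (post-redirect) response
    url: str      # final URL after redirects were followed
    body: str     # response body (HTML)


def tokenize(html: str) -> set:
    """Reduce a body to a set of lowercase word tokens with tags removed so
    that two renderings of the same template compare as near-identical."""
    text = re.sub(r"<[^>]+>", " ", html)
    return set(re.findall(r"[a-z0-9]{3,}", text.lower()))


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of the token sets of two bodies (0.0 .. 1.0)."""
    ta, tb = tokenize(a), tokenize(b)
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


class SiteProfile:
    """Learns what the target's 'page not found' response looks like and
    answers whether a later response is merely that default page again."""

    def __init__(self, threshold: float = 0.8):
        self.threshold = threshold
        self.error_page = None

    def learn_error_page(self, probe_response: Response) -> None:
        # Many sites answer unknown paths with 200 (a "soft 404"), so the
        # status code alone is unreliable; remember the body template instead.
        self.error_page = probe_response.body

    def is_default_error_page(self, resp: Response) -> bool:
        if self.error_page is None:
            return resp.status == 404
        return similarity(resp.body, self.error_page) >= self.threshold


# A form containing a password field is treated as the site's login form.
LOGIN_FORM = re.compile(r"<form[^>]*>.*?name=[\"']password[\"']", re.I | re.S)


def session_still_authenticated(resp: Response, login_url: str) -> bool:
    """The crawl has lost its session if the server bounced us to the login
    page or re-rendered the login form inside a page we reached while
    authenticated."""
    if resp.status in (401, 403):
        return False
    if resp.url.rstrip("/") == login_url.rstrip("/"):
        return False
    return not LOGIN_FORM.search(resp.body)


def classify(resp: Response, profile: SiteProfile, login_url: str) -> str:
    """How the test phase should treat a response:
    'reauth'     - session lost; log in again before testing further
    'error-page' - the site's generic error page, not evidence of anything
    'candidate'  - a distinct response worth running the checks against
    """
    if not session_still_authenticated(resp, login_url):
        return "reauth"
    if profile.is_default_error_page(resp):
        return "error-page"
    return "candidate"


# Constructed sample pages standing in for what a crawl of a hypothetical
# shop at shop.example would see.
SOFT_404 = ("<html><body><h1>Oops, page not found</h1><p>The page you "
            "requested does not exist on example-shop.</p></body></html>")
LOGIN_URL = "https://shop.example/login"


def demo() -> dict:
    """Profile the error page from a probe, then classify four responses."""
    profile = SiteProfile()
    profile.learn_error_page(Response(200, "https://shop.example/zz9plural", SOFT_404))
    samples = {
        # same template, but the page echoes the requested path
        "soft404": Response(200, "https://shop.example/item?id=999999",
                            SOFT_404.replace("The page you", "The page /item?id=999999 you")),
        # a real product page with no login form
        "product": Response(200, "https://shop.example/item?id=42",
                            "<html><body><h2>Blue widget</h2><p>Price 19.99. Add to cart.</p>"
                            "<a href='/logout'>Sign out</a></body></html>"),
        # server redirected the crawler back to the login page
        "login-redirect": Response(200, LOGIN_URL,
                                   "<form method='post'><input name='username'>"
                                   "<input name='password' type='password'></form>"),
        # account page re-rendered the login form after the session expired
        "expired-form": Response(200, "https://shop.example/account",
                                 "<html><body><p>Session expired</p><form action='/login' "
                                 "method='post'><input name=\"password\"></form></body></html>"),
    }
    return {name: classify(resp, profile, LOGIN_URL) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

The similarity threshold of 0.8 is an assumption chosen for the sample pages; a real crawler would tune it per site, and would re-probe the error page periodically because sites often vary the error template by section or by status code.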
Assessment Phase
The test phase of WAS searches for common vulnerabilities such as SQL injection, cross-site scripting, source disclosure, and directory traversal. The test engine relies on a mix of signatures and site profiling to accurately determine the presence of vulnerabilities. The tests currently focus on fault injection problems and distinguish between exploitable problems and simple information disclosure whenever possible.
Review and Reporting
The reporting engine breaks down problems into types of vulnerabilities such as cross-site scripting or SQL injection for a single web site, and it also generates summary vulnerability information across groups of web applications. Additionally, QualysGuard WAS introduces a new mechanism for managing user access to individual web application scans in order to accommodate different workflows for remediation and testing.
Pricing and Availability:
QualysGuard WAS is available as part of the QualysGuard Security and Compliance Suite. QualysGuard WAS annual subscriptions are licensed by the number of web applications and include an unlimited number of WAS scans as well as 24x7 support and updates.