Web Application Scanning

Web Application Scanning

 

Find, fix security holes in web apps, APIs.

 

Robust cloud solution for continuous web app discovery and detection of vulnerabilities and misconfigurations

 

“We found Qualys ideal for our need to assess thousands of websites with limited resources.”

Infrastructure Security Team
Manager at Microsoft

 

Highlights

 

Comprehensive discovery

WAS finds and catalogs all web apps in your network, including new and unknown ones, and scales from a handful of apps to thousands. With Qualys WAS, you can tag your applications with your own labels and then use those labels to control reporting and limit access to scan data.

 

Deep scanning

WAS’ dynamic deep scanning covers all apps on your perimeter, in your internal environment and under active development, and even APIs that support your mobile devices. It also covers public cloud instances, and gives you instant visibility of vulnerabilities like SQLi and XSS. Authenticated, complex and progressive scans are supported. With programmatic scanning of SOAP and REST API services, WAS tests IoT services and APIs used by mobile apps and modern mobile architectures.

 

DevSecOps tool

 

WAS can insert security into application development and deployment in DevSecOps environments. With WAS, you detect code security issues early and often, test for quality assurance and generate comprehensive reports. With its tight Qualys WAF integration, WAS continuously monitors and virtually patches production apps.

 

Malware detection

 

WAS scans an organization’s websites, and identifies and reports infections, including zero-day threats via behavioral analysis. Detailed malware infection reports accompany infected code for remediation. A central dashboard displays scan activity, infected pages and malware infection trends, and lets users initiate actions directly from its interface. Malware detection functionality is provided via an optional add-on.

 

Find and catalog all your web apps

 

Web apps, often plagued by vulnerabilities and misconfigurations due to poor coding and faulty hardening policies, can be put on your network by almost anyone. Large organizations have hundreds, even thousands of apps. Qualys WAS gives you visibility and control by finding official and “unofficial” apps throughout your environment, and letting you categorize them.

 

• Find approved and unapproved web apps in your network with continuous, comprehensive application discovery and cataloging
• Organize your data and reports using your own labels with customizable web app asset tagging

 

Perform deep, exhaustive application scans at scale

 

Unsafe web applications offer hackers an attractive attack surface and convenient entry point into your IT environment. When breached, web apps can expose massive amounts of confidential business data. Qualys WAS protects you with incisive, thorough, precise scans, scaling up to thousands of web apps and with few false positives.

 

• Secure very large web apps with progressive scanning, which lets you scan in incremental stages and bypass restrictions preventing you from scanning an entire app in one scan window
• Detect OWASP Top 10 risks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and unvalidated redirection
• Test IoT services and mobile apps as well as API-based business-to-business connectors, with Qualys WAS’ SOAP and REST API scanning capabilities
• Achieve maximum scan coverage with authenticated scanning, including advanced scripting using Selenium, the open source browser automation system for web app testing
• Set scans’ exact start time and duration with powerful scheduling features
• Perform scans more efficiently — less idle time and greater coverage — with multi-site scanning and automatic load-balancing of multiple application scans across a pool of scanner appliances
• Identify and report malware present in your websites and apps — including the type that eludes anti-virus software, which Qualys WAS’ malware detection module flags using behavioral analysis — and trigger alerts
• Consolidate web app vulnerability data from manual penetration testing solutions and Qualys automated scans to get a complete view of your web app security posture
• Prioritize remediation and focus on the most critical flaws

Visualize and document your web app security status with actionable data

 

Qualys offers unparallelled web app security with the seamless integration of Qualys WAS and Qualys Web Application Firewall (WAF), which gives you one-click patching of web apps, including mobile apps and IoT services.

 

• Take your results from data to insights to action in minutes by performing powerful analyses of your scans across many applications at once
• Tailor how the results are presented to different audiences with customized report templates
• Get a comprehensive view of scans, reports and vulnerabilities on a single screen with Qualys WAS’ central dashboard
• Boost agile, continuous app development and deployment in DevSecOps environments by catching code and configuration errors early and often, while iteratively building, testing and launching software

 

 

Rapidly harden web apps with integrated WAF

 

As organizations retool and expand the reach of their web apps to pursue digital transformation innovations, Qualys WAS’ interactive reporting capabilities give you the big picture of your web app security posture and let you drill down into details.

 

• From a single console, you can detect application vulnerabilities with WAS, and rapidly protect them from attack with WAF, for true, integrated web application security
• Avoid the redundancies and gaps that come with trying to glue together separate, siloed solutions, as the Qualys Cloud Platform keeps everything in sync
• Integrate web app scan data via a rich, extensive set of APIs into other security and compliance systems, such as firewalls, and SIEM and ERM solutions

 

Powered by the Qualys Cloud Platform

 

Single-pane-of-glass UI

See the results in one place, in seconds. With AssetView, security and compliance pros and managers get a complete and continuously updated view of all of their IT assets — from a single dashboard interface. Its fully customizable and lets you see the big picture, drill down into details, and generate reports for teammates and auditors. Its intuitive and easy-to-build dynamic dashboards aggregate and correlate all of your IT security and compliance data in one place from all the various Qualys Cloud Apps. With its powerful elastic search clusters, you can now search for any asset – on-premises, endpoints and all clouds – with 2-second visibility.

 

Centralized & customized

Centralize discovery of host assets for multiple types of assessments. Organize host asset groups to match the structure of your business. Keep security data private with our end-to-end encryption & strong access controls. You can centrally manage users’ access to their Qualys accounts through your enterprise single sign-on (SSO). Qualys supports SAML 2.0-based identity service providers.

 

Easy deployment

Deploy from a public or private cloud — fully managed by Qualys. With Qualys, there are no servers to provision, no software to install, and no databases to maintain. You always have the latest Qualys features available through your browser, without setting up special client software or VPN connections.

 

Scalable and extensible

Scale up globally, on demand. Integrate with other systems via extensible XML-based APIs. You can use Qualys with a broad range of security and compliance systems, such as GRC, ticketing systems, SIEM, ERM, and IDS.