As a follow-up to our recent major release WAS 4.3, we have added a few new features, tweaks and clarifications in WAS 4.4 that allow further customization of scans. Customers now also receive clearer, more detailed feedback on the behavior and coverage of their scans. This allows customers to keep delivering targeted web application security metrics to all stakeholders, while ensuring that their web application security program meets the organization's protection requirements.
Feature highlights include:
- Report Templates – We have added a run action in preview button
- We have removed non-expiring reports for the WAS purge feature
- We now publish information on the user who canceled a scan
- Clarification and support for server error thresholds before stopping a scan
- WAS Scan Emails – Include Qualys username in the recipients email
Report Templates – We have added a run action in preview button
The report template data list provides a quick run action, which lets users run a report using that template. This is the most logical action for this object, but it was somewhat hidden: you needed to open the Actions menu to see it. We have therefore made the report template run action more visible, so that users can launch reports more easily.
We have removed non-expiring reports for the WAS purge feature
With a previous reporting feature released with WAS 3.0 we allowed users to create reports of their web applications before they deleted or purged them.
These particular reports were unique: all other reports generated in the application expire after a specific number of days, but these did not. The intent was to let users keep a history of all their web applications, but in practice it led to unwanted and excessive data storage.
Web Application Purge Confirmation Dialog
The purge confirmation dialog has been updated to add a note that the report to be generated will expire in a specific number of days; the number being defined by the customer’s WAS module setting Report Life Time. Please note, by default this is set to 7 days.
The generation of the report remains the same. The only change is that reports are no longer marked as non-expiring. A look at the preview panel confirms that the report will indeed expire.
Web Application Delete Confirmation Dialog
The same changes apply for this dialog, where the layout has been updated to better distinguish the sections. Also a note has been added to notify users that the report to be generated will expire.
Existing Non-Expiring Reports
This feature will impact existing reports that do not expire, by updating their status to make them expire 30 days after the release of this feature in production.
To make sure that all users may see this information, a notification will be added for 30 days after the release to explain that the reports that did not have an expiration date will now expire in 30 days, and that users should make sure to download them if they wish to keep them.
We now publish information on the user who canceled a scan
When a scan is canceled, we previously displayed the status as canceled, but the information on who canceled the scan was only available in the action log; it was not shown when viewing the scan information in the main scan dialog panel. This has now been changed so that the panel also shows the user who canceled the scan.
Clarification and support for server error thresholds before stopping a scan
Web applications can return different kinds of server-side errors or error indicators during a WAS scan. Some of these are a sign that the server may be overloaded (or unresponsive) because of the scan's behavior, or because of some other condition.
Customers have had different expectations about how our WAS engine should react to these server errors. Our clients have asked us for better control over whether a scan stops on such errors, and for a customizable threshold for these conditions. Two new options are now provided to the end user:
- Stop on timeout errors more than 20 (customizable)
- Stop on unexpected errors more than 48 (customizable)
WAS Scan Emails – Include Qualys username in the recipients email
When sending WAS scan emails, we now show each recipient's name and username from their Qualys account, provided this data can be extracted.
When sending a scan completion email, the list of recipients now displays the account name alongside the email address, using the format
email address <account name>
The account name value depends on whether one or more accounts are found for the same email address:
If only one account is found, the account name will be "user first name, user last name, username".
Ex: John Doe (quays_jd01)
If more than one account is found for an email address, the account name value will consist of just the usernames of those accounts, separated by commas.