Building an AppSec Program with Qualys WAS -Introduction and Configuring a Web Application or API: Default Scan Settings

Qualys WAS (Web Application Scanning) tools stand out as The Leading Dynamic Application Security Testing (DAST) solutions in the industry. Since it comes with default scan settings, understanding these settings in detail is critical to uncover vulnerabilities effectively.

Scan performance and coverage are greatly influenced by scanner settings, making it imperative to grasp the intricacies of the settings utilized during web application scans. Configuring a web application in Qualys WAS involves a range of settings, some of which can be overridden when initiating a scan. These settings are established during the web application’s creation and are specific to it.

Additional settings fall under option profiles, which can be shared across different applications or scans. In this blog post, we’ll delve into the default scan settings for web applications, uncovering how they shape your scanning process. 

Exploring Default Scan Settings

Fundamental to our discussion are the ‘Default Scan Settings’ established during application creation. Refer to the accompanying image showcasing the ‘Default Scan Settings‘ tab in the application definition for visual context. 

When considering default scan settings, they encapsulate a predefined set of values that inform the scan settings whenever a scan is initiated for a specific application. While these settings can be adjusted during scan setup for new scans, certain pivotal parameters deserve our attention. 

Key Scan Settings

Option Profile: 

The option profile serves as a scan blueprint, encompassing variables such as the number of URLs in scope, specific tests (QIDs), error thresholds, scan speed, initial parameters, and other scan-specific configurations. Multiple option profiles can be created, each tailored to achieve distinct objectives.

For instance, a specialized option profile could target the Log4j vulnerability, featuring a concise set of tests for expedited scanning, which could be advantageous for quickly assessing multiple applications for very specific vulnerabilities. 

Qualys WAS introduces default option profiles such as ‘Initial WAS Options’ and ‘Authentication Test’ to all new subscriptions. These profiles serve as invaluable starting points for new users, facilitating scan execution without crafting new profiles from scratch. These pre-configured profiles are particularly handy for trial purposes, assisting users in familiarizing themselves with the tool’s capabilities before customizing settings to align with their unique requirements. 

Best Practice Tip: Start with the Initial WAS Options as you begin your AppSec program. 

Scanner Appliance: 

Default scanner appliances can be designated for web applications and automatically selected when initiating new scans or schedules. Scanner appliances come in two flavors: External and Individual. External scanners are our Qualys’ cloud scanner pool, ideal for public-facing web applications, while Individual scanners can be employed to scan internal applications. For internal scans, selecting an appropriate scanner from the available list is essential.   You can also select Individual scanners through our 3^rd option – Tags (Scanner Pool). Using tags facilitates scanner selection for specific applications, ensuring compatibility with network restrictions and optimizing scan efficiency. 

Scan Duration Control: 

Controlling scan duration is facilitated through options such as ‘Do Not Cancel Scan’, ‘Cancel Scan After’, and ‘Cancel Scan At.’ Opting for ‘Do Not Cancel Scan‘ allows full scan runtimes up to 24 hours, while the latter options permit precise scheduling.

For instance, avoiding scans during office hours can be achieved by selecting ‘Cancel Scan At‘ at a specific time. Flexibility extends to per-scan and scan schedule customization, allowing tailored control over scan duration. 

Best Practice Tip! Whenever possible, allow scans to run to completion.   

Progressive Scanning: 

Progressive Scanning introduces a novel dimension by enabling batch-mode scans that gradually expand testing coverage over successive iterations. Each progression leverages insights from prior scans to prioritize new content areas, bolstering overall coverage. The beauty of Progressive Scanning lies in its automatic initiation, pause, and resumption, minimizing manual intervention.

More importantly, Progressive Scanning allows each successive scan to resume where the prior scan left off. This is critical for scanning applications with very small scan windows or large applications that take days to scan. In either case, instead of the scan starting over every time a scan is launched, WAS can resume where the last scan finished. While the default setting promotes progressive testing, per-scan customization remains accessible for tailored results.   

Best Practice Tip! Any time you are scanning a web application or API that has a short scan window, be sure to enable Progressive Scanning. 

Proxy Integration: 

Employing a proxy facilitates scan traffic redirection. A default proxy can be established for an application, simplifying its use during scan initiation or scheduling. Creating proxy records can be achieved through Configuration > Proxies, offering a streamlined approach to integration. The ability to add new proxies ensures adaptable and efficient proxy management. 

At this point, you can click “Next” to be taken to Step 4 in manually configuring your web application and APIs – Additional Configurations. Please join us for our next blog in this series, where we will cover Additional Configurations in detail and provide additional best practices for getting the most out of Qualys WAS.   

Next Article in Series: https://blog.qualys.com/product-tech/2023/12/12/building-an-appsec-program-with-qualys-was-additional-configurations-and-review-confirm