Qualys Blog


Web Application Security: Q&A with Will Bechtel

Web application vulnerabilities, when not patched or mitigated, continue to pose significant risk to enterprise apps and data. Just prior to the Qualys Security Conference 2014 in Las Vegas, I reached out to Will Bechtel, director of product management for Qualys Web Application Scanning (WAS) to discuss web application security trends and get a few highlights on Qualys’ web application security strategies that will be discussed during the show.

George: Will, can you give us an overview on some of the web application security developments that will be discussed at the show?

Will: Sure. At a high level, we are working to more closely integrate the capabilities of our detection solutions, including Qualys WAS (Web Application Scanning) and VM (Vulnerability Management) with the protection capabilities of the Qualys WAF (Web Application Firewall), as well as the information flowing between the two. Typically, there is a lot of integration potential between Web application vulnerabillity data that can then be fed into the WAF to protect against specific attacks.  However, typically, not a lot of information flow from the WAF can be passed back into a web application scanner to improve its ability to discover new vulnerabilities.

There are a couple of advantages to passing this information from the WAF to WAS. One is visibility into different users with different levels of application access. For instance, when you have different users with different levels of authentication access, and the vulnerability scanner is given a lower authentication level, you may not be seeing certain areas of the site. Now, we have the potential to bring visibility to other areas of the site that a user with a different authentication level may have access to. This would give the users running the scan an indication that they are missing parts of the site in their assessment that they didn’t know they were missing before.

Another area where we are increasing visibility is into API (Application Programming Interface) calls. Web applications are more and more reliant on API calls such as REST and simple API implementations. But there also are things like JSON that are effectively APIs but are called by JavaScript interfaces like AJAX. They heavily interface with AJAX and currently there is no way to understand what the calls are and what the proper parameters are to send except by observing a web application.

So, it’s all dynamically built in JavaScript. When you watch the traffic using Qualys WAF, you can determine what the calls are and the proper parameters that you can then pass back to the web application scanner. As a result, the web application scanner should have more successful scans.

These are areas that are big and we think this integration is really going to help people get visibility, as well as provide the ability to effectively scan these newer technologies that are starting to be more widely used in web applications.

George: Do you have an example of how these, or other, new features are being used by customers to solve real security challenges they face?

Will: We’re working on some other neat things with customers that were seen as a big problem. One is discovery. You probably remember that Qualys WAS has the ability to take data from Qualys VM about hosts that have been scanned and services that are running on those hosts. We can take advantage of what our customers already know, which is that they have certain hosts that are running these web servers, and that gives us the ability to help them identify where they need to be scanning. That’s a nice capability.

But there is still an important problem. The challenge we find is the way web servers work. People don’t request them by IP address. They request them by a DNS name like www.qualys.com. And because www.qualys.com can be pointed to one IP one day and a different IP the next day, it becomes problematic to depend on IPs to conduct assessments.

Another issue here is with virtual servers. With virtual servers you have one IP as one physical server, but it may respond to a hundred different DNS names and it actually routes the request based on which site a user is requesting. What this means is that you may have a web app that says home.google.com and another that says visitor.google.com, and they could be hosted on the same physical IP address. But the web server on the back end will route the request depending on which is the right application.

Just knowing that there is an HTTP server listening on these hosts doesn’t give them the information they need. What they need to know is what the DNS names are. What we’re finding for our large clients is that they have very little insight into what’s coming new onto their network. They have different business units and marketing groups and so on that are bringing up sites for two or three weeks and then dropping them based on business needs. And they don’t have a good way to be able to identify that these things are now out there.

George: Interesting, how will this work in practice?

Will: What will happen is that the users will have this HTTP server that they know about from scanning with VM. But people in the company are bringing up and down these virtual websites that will respond differently based on the DNS name. What we’re working on with customers, and I think this is going to be very helpful for people going forward, is to peek into their DNS and look at their names – what new names are coming up – and capture the mapping from the server name to the IP address.

That then allows them to go look at their VM results, identify new web systems, and have the option to create a new web application that’s going to be unique to that DNS name. It might share an IP address with many others, but it’s going to be a unique web application that should be scanned separately.

That’s is an area that large customers are working with us to try to solve for them.

George: Last year Continuous Monitoring was a significant theme; how will that theme continue when it comes to web application security?

Will: We’ll be looking at two things there. One is expanding continuous monitoring outside of Qualys VM to include things like noticing new web apps, as we just discussed, as well as noticing the changes to those web apps. When we notice changes, we can share that information with the WAS and WAF. We will notice, for example, that in the previous scan we identified 300 pages, but in the new scan we identified 400.

When something significant like that changes in a customer site, we can notify them. These alerting capabilities tie into our log management abilities, which should be available next year. The first ability there will be to log web application traffic with Qualys WAS, and that provides another opportunity to monitor and alert based on things seen within the logging.

If the customer doesn’t have a WAF, we could discover interesting events from within that customer’s logs and alert them based on that information.

These are areas where we see this integration between the various tools helping to give customers better insight, better coverage, and better ability to detect issues and protect their websites.

Leave a Reply