For a complete web application security program, it’s important that all your web applications have some level of security testing. Automated scans using Qualys Web Application Scanning (WAS) are perfect to meet this need given its cloud-based architecture and ability to scale. However, performing manual penetration testing of your business-critical applications in addition to automated scanning is highly recommended. Manual analysis complements automated scanning by identifying security holes such as flaws in business logic or authorization that an automated scanner would be incapable of detecting.
One of the most popular tools for manual testing of web apps is Burp Suite Professional. This month Qualys introduced a Burp extension for Qualys WAS to easily import Burp-discovered issues into Qualys WAS. With this integration, Burp issues and WAS findings can be viewed centrally, and webappsec teams can perform integrated analysis of data from manual penetration testing and automated web application scans. The combined data set may also be programmatically extracted via the Qualys API for external analysis.