QualysGuard WAS 3.2 provides improved control over how and when scans are performed and boosts the efficiency of developers in diagnosing issues with their web applications.
Feature highlights include: A granular scan progress display, specific scan cancel time, binary file exclusions and many usability enhancements.
QualysGuard WAS 3.2 will be released in production in mid-February. Details about the release schedule are at the end of this blog post.
Track Scan Progress: Track the current status of a scan in progress in the scan view window. The new Scan Progress section shows you the current progress of your scan and the scan start time. This provides users with positive confirmation that the scan is progressing and the web application is continuing to respond during testing. The Stats section tells you the number of links collected, crawled and the number of requests performed.
Define a Default Option Profile for Your Subscription: Now you can make any option profile the default for your subscription. This option profile will be selected automatically each time you launch a scan, unless a different option profile is defined for the target web application. This makes it easy to make sure by default users will use an appropriate option profile that is best for your organization. Setting the default is available only to users with full scope and permissions.
Ignore Common Binary Files Based on File Extension: We’ve added an option profile setting called “Ignore common binary files based on file extensions.” This can dramatically reduce the amount of time needed to scan a web application that contains many of these types of files. When enabled, scans will ignore files with these extensions: .pdf, .zip and .doc. This setting will be turnedon by default when you create new option profiles.
Cancel a Scan at a Precise Time: Previously, when launching or scheduling a scan you could only choose to cancel the scan after a certain number of hours. With this release, you can choose to cancel the scan at a precise time in scan settings under Cancel scan. This enables you to be sure you stop a scan before the end of a defined scan window without worrying about when the scan starts.
Export Vulnerability Payload Response in HTML: Now you can provide more details to developers for vulnerabilties identified in scanning. You can view vulnerability detections in a few spots –in web application reports, in scan reports, and under Web Applications > Detections.In the vulnerability details, you’ll notice a new Export icon in the payload responsesection. Click this icon to export the payload response.
This export option is also available for the Information Gathered results in your scan reports and web application reports.
When results exceed 5000 characters they will be truncated to ensure good browser performance. You have the option to export the full contents ofthe report.
Move a Report to a New Browser Window: This makes it easy to do side-by-side comparisons, saving time. It also increases the number of reports you can have open at one time. Go to Reports and create a report. Click New window to move the report to a new browser window.
You can edit and download your report in the new window just as you would within the UI.
Select Timezone Used for Dates in Report: Dates in reports default to the timeszone set in the user’s account settings. When you download a report, you now have the option to select a timezone we’ll use to display all dates in your saved report. In the previous release, all dates in saved reports appeared in GMT.
Web Application Enhancements
Use Save As to Create a New Web Application: Save time by creating a new web application based on an existing one, then edit the settings as needed. Go to Web Applications > Web Applications, hover over a web application and choose Save As from the menu.
Move a Sitemap to a New Browser Window: You can keep your sitemap open in a separate browser window while working in the WAS UI. All the functionality of the sitemap remains available in the new window. Go to Web Applications > Web Applications, hover over a web application and choose View Sitemap from the menu. Click the red outlined icon in the upper right corner to move the sitemap to a new window.
Server Authentication Record – Realm not required: The Realm field is no longer required when configuring a basic server authentication record.
Improved Usability of Datalists
When the total number of records exceeds the number of records per page, click to select the range of records you want to display. You’ll notice that the currently displayed range is highlighted.
Improved Actions Menu
You’ll notice the Actions menu now displays the number of items you’ve selected for the action.
New Sort By Options
The settings menu now provides several options under Sort By.
Online Help Improvements:
When you select Help > Online help, we’ll display help specific to your current location in the UI. For example, if you’re working with scans, the help will appear as shown.
You’ll also notice a new Launch Help link in the title bar of each wizard. Click this link to view help related to your current workflow. For example when launching a scan click this link to view scan related help.
CVSS Scoring Updates for Cross-Site Scripting (XSS) QIDs
Enhanced Scoring Consistency
To bring additional consistency in CVSS base scoring for similar Cross-Site Scripting Vulnerabilities which will enable better risk calculation by users, QualysGuard WAS will adjust the current CVSS scoring for the QIDs below. The new CVSS score of 4.3 is based on a median score calculation identifed by analysis of existing vulnerability scores.
QIDs updated to CVSS base score of 4.3
For details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following: