Sophisticated web application security programs often require close coordination with application development, quality assurance and production support teams. For many organizations, production support teams create specialized processes to manage test data associated with web application vulnerability scanning. These organizations need tools to ensure that vulnerability scanning injects data with specific signatures or content so that they can identify and delete the data after testing is complete. They typically need multiple different signature sets to support concurrent testing by their different business units. In addition, these organizations need a way to track the execution time of vulnerability scans against previous scans, both because this provides more accurate estimates of scan duration and because it helps quickly identify slower-than-expected application response times. Qualys WAS 3.5 provides organizations with these capabilities to enable a best practices web application scanning program on all their web properties.
Feature highlights include: Support for creating and managing multiple sets of custom form parameters and enhancing the scan progress status information to include time estimate based on previous scan times. Together, these new features enable organizations to support high volume and fully automated web application scanning across their complete web application portfolio.
Qualys WAS 3.5 will be released in production in late July or early August 2014 depending on the platform. Details about the release schedule are at the end of this blog post.
Custom Form Parameters
Qualys WAS is the most powerful web application scanner available. To add to the flexibility of the service, we have added the ability for users to create custom form parameter sets that can be set to override the existing default values used by WAS.The new capability leverages Qualys’ asset tagging to make it easy to configure access to the custom parameter sets for specific users. There are also new user permissions, so that organizations can retain tight control over who creates and modifies the parameter sets. Qualys WAS differentiates itself by allowing an unlimited number of parameter sets to be defined so that large organizations can create and manage as many custom parameter sets as may be needed within their organization.
View a list of custom parameter sets – use the ‘save as’ to make modifications to an existing set
Set the parameter set name and apply tags to define user scope
Define the custom parameters – modify from the defaults
Apply your custom parameter set to the appropriate option profile
Scan Progress Status using Previous Scan Times
Enhanced Scan Progress Status: Qualys WAS previously utilized a scan progress status indication that relies on estimates of times based on profiling of response times and other information gathered during a scan. But many times a more accurate estimate of the scan progress can be provided based on a previous scan.
Scan progress is displayed with remaining time as estimated from previous scans
View the progress against existing scan time – find out when scans are running longer than normal which may indicate slow application response
For details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following: