It is no surprise that web application attacks are the highest frequency breach incident classification based on the findings in the 2014 Verizon Data Breach Investigation Report (DBIR). This information just confirms what most organizations are already seeing – that there has been a dramatic increase in the number and scope of web application attacks against web properties that are the critical revenue generating assets of the business. To combat the increase in the intensity of attacks, organizations need to improve their ability to identify web application vulnerabilities before they can be exploited. Organizations need a way to easily and cost effectively discover and scan all the web application in their environments so they can find and fix security vulnerabilities before they cause legal and financial impact. Organizations need automated and scalable tools that improve the coverage and flexibility of web application vulnerability scanning, while adding more powerful reporting features to ensure that the right stakeholders receive the targeted metrics they need to ensure the vulnerability scanning program is efficient and effective. Qualys WAS 4.0 provides organizations with the increased scan coverage and enhanced reporting capabilities organizations need to keep their web applications hardened against attack and protected against business disruptions.
Feature highlights include: Progressive scanning to enhance vulnerability testing coverage and provide automated test continuation from scan to scan, enhancing scan results and enabling more flexibility in scheduling scans that will ease the burden on understaffed IT Security teams. The new Reporting Templates will also enable organization to deliver targeted application security metrics to each stakeholder in the program, whether it is an executive who needs a high level overview of the program, or a developer that needs vulnerability details for one web app he is responsible for. Additional enhancements to exclude tagged applications and randomize MultiScan also gives organizations better options to manage the impact of scalable scanning on their environments.
Qualys WAS 4.0 will be released in production in Mid-December 2014 with the exact date depending on the platform. Details about the release schedule are at the end of this blog post.
Increase coverage and schedule flexibility with Progressive Scanning: Qualys WAS 4.0 introduces Progressive Scanning to improve testing coverage and scheduling flexibility. Progressive scanning combines two new capabilities: Progressive Crawling that expands the testing coverage for web applications over time. Each scan builds upon the information obtain in previous scans, prioritizing new content areas to expand coverage. Progressive Testing that enhances the flexibility of scanning by automatically starting, stopping and resuming scans across your networks without manual intervention. The best thing about Progressive Scanning is that it is all automatic. Users don’t have to do anything – it will be enabled by default for subscriptions that utilize this feature. Progressive scanning is a limited availability feature, so if you are interested in becoming an early adopter, please contact your TAM or email@example.com
Progressive Scanning – Enabled by default for enrolled subscriptions
MultiScan – Exclude tags from the scan for greater targeting flexibility: This feature enables users to exclude certain tagged web applications from scanning. For example you may have situations where you have a set of tagged web apps that you want to scan regularly, but each week there may be some web apps that you do not want to scan – just that week. Now you can easily exclude certain web apps by selecting tags instead of taking other more complicated steps, making it easier to target just the applications you want.
MultiScan Exclude Tags
Multi-Scan – Randomize the ordering of scans to improve performance: By selecting the “Randomize scan” option we’ll scan the selected web applications in random order. This helps to avoid network slowdowns/errors triggered by scanning too many web apps hosted on the same infrastructure at the same time.
MultiScan Randomize Scan Order
Simplify scanning with enhanced dynamic search lists: It’s easier to define dynamic search lists using the search list wizard. The layout of the search criteria section makes it easier to select the various criteria used to select vulnerabilities. At least one of the criteria must be selected in order to save the list.
Enhanced Dynamic Search Lists
Easily identify QIDs that require Form authentication: You’ll see Form for Authentication Method when the QID requires Form authentication in order for it to be detected. For example, for QID 150071 we require Form authentication. This will save you time when you need to target those vulnerabilities that are specific to form authenticated sites.
Target Application Security Stakeholders with new Report Templates: For Qualys WAS 4.0 we’ve added customizable report templates. Now you can create reports with the specific information you’re interested in, and it’s easy to deliver the right information to any application stakeholder, whether it is an executive who needs a high level overview of the program, or a developer that needs vulnerability details for one web app he is responsible for. And with Tags, you can scope specific templates to organizational units within your organization, providing even more granularity to bring more consistency to your web application scanning program.
Gain Better Context with New Severity Levels Appendix: The new Severity Levels appendix tells you what the severity levels mean. You’ll see this appendix in your Scan and Web Application Reports by default. Want to remove it? It’s easy, just create a custom report template, remove display option Appendix Severity Levels, and run the template.
Report Severity Levels Appendix
Easily identify Information Gathered results: The results section now clearly identifies Information Gathered detections in a group with this name.
Information Gathered (IG) results
Web Application Enhancements
Web Apps List – Save time with more last scan status filters: New filters give you more ways to manage web applications. For example you might want to remove web applications if the last scan status is No Host Alive or No Web Service. If the status is Time Limit Exceeded you might want to review the web application performance or change the web application settings to limit the scope of scanning.
Web App Last Scan Filter
For details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following: