TotalAppSec Release 2.0

April 14, 2025

Qualys TotalAppSec is the definitive solution for unified application risk management. TotalAppSec 2.0 includes the following features in addition to the web application scanning capabilities.

Qualys API Security in TotalAppSec

Qualys TotalAppSec (TAS) introduces API scanning with new QIDs, coverage of the OWASP API Top 10, and compliance verification for OpenAPI and Swagger. Qualys API Security secures API assets by discovering API endpoints (internal, external, rogue, or shadow), identifying vulnerabilities, ensuring compliance, and prioritizing with TruRisk, and it supports shift-left and shift-right security practices for faster remediation.

Prerequisites

The following application versions are required for the API Security feature:

  • NextGen WAS Engine 10.1.1 and later
  • Qualys Cloud Platform 3.18.0.0 and later

List of API Assets and Endpoints

The APIs tab under Applications displays the list of APIs in your subscription. You can add new API assets to your subscription by using the New API option. The APIs tab displays the API name, last scanned date, updated date, and tags. It also displays the vulnerability level of each API with the number of open vulnerabilities and the TruRisk™ score calculated for the API, which indicates the API application's vulnerability level.

When you run a vulnerability or compliance scan, unique endpoints are discovered from the Swagger file uploaded with the API asset. In the APIs tab, click Endpoints to view the API endpoints. Each API endpoint is defined by its HTTP method and path.
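The endpoint list described above is derived from the paths object of the uploaded OpenAPI/Swagger file. The following is an added example (not Qualys code) showing how unique method-and-path endpoints are enumerated from such a file, together with an illustrative check, assumed here and not a Qualys QID, that flags operations whose effective security requirement is empty. The spec is constructed inline; both OpenAPI 3 and Swagger 2 documents use the same `paths` and top-level `security` keys, so the enumeration works for either.

```python
"""Enumerate unique (METHOD, path) endpoints from an OpenAPI/Swagger document.

Added example, not part of Qualys TotalAppSec. The spec below is constructed
for illustration only.
"""
import json

# Keys inside a path item that denote operations (per the OpenAPI spec).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample OpenAPI 3.0 document (not from the release notes).
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Sample Orders API", "version": "1.0"},
    "security": [{"bearerAuth": []}],  # global requirement applied by default
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
    },
    "paths": {
        "/orders": {
            "get": {"summary": "List orders"},
            "post": {"summary": "Create order"},
        },
        "/orders/{id}": {
            # Non-operation keys such as "parameters" must be skipped.
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "string"}}],
            "get": {"summary": "Get order"},
            # An empty security list overrides the global requirement with none.
            "delete": {"summary": "Delete order", "security": []},
        },
        "/health": {
            "get": {"summary": "Health check", "security": []},
        },
    },
})


def load_spec(text):
    """Parse a JSON OpenAPI/Swagger document into a dict."""
    return json.loads(text)


def iter_operations(spec):
    """Yield (METHOD, path, operation_object) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for key, op in item.items():
            if key.lower() in HTTP_METHODS and isinstance(op, dict):
                yield key.upper(), path, op


def enumerate_endpoints(spec):
    """Return the sorted set of unique (METHOD, path) endpoints."""
    return sorted({(method, path) for method, path, _ in iter_operations(spec)})


def effective_security(spec, operation):
    """Operation-level security overrides the global list; absent means inherit."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def unauthenticated_endpoints(spec):
    """Illustrative check (assumed, not a Qualys QID): operations whose effective
    security requirement is empty, i.e. callable without any credential."""
    return sorted((method, path) for method, path, op in iter_operations(spec)
                  if not effective_security(spec, op))


if __name__ == "__main__":
    spec = load_spec(SAMPLE_SPEC)
    for method, path in enumerate_endpoints(spec):
        print(f"{method:7}{path}")
    print("no credential required:", unauthenticated_endpoints(spec))
```

Operations with no `security` key inherit the document-level requirement, while an explicit empty list removes it; the check above resolves that inheritance before deciding an operation is reachable without a credential, which is the distinction a reviewer of a spec most often gets wrong.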

For more information on the APIs tab, see Online Help.

Scan API Assets

You can launch a vulnerability scan and a compliance scan on API assets using the Quick Actions menu. The compliance scan is available only for APIs that have a Swagger file. By default, the system option profile API Compliance Options is used for compliance scans.

Default Option Profiles

We have provided two default option profiles with the scan settings and search criteria defined for API scanning: API Initial Options for API vulnerability scans and API Compliance Options for API compliance scans.

View Detections for API Assets and Endpoints

The Detections tab displays API detections alongside web application detections.

All the actions available in the Quick Actions menu for web application detections are also available for API detections.

Retesting of API vulnerabilities is available for vulnerabilities identified through a vulnerability scan, not for vulnerabilities found during a compliance scan.

The Detections tab displays the findings for the selected endpoint ID.

View Reports

You can generate application reports and scan reports for APIs; they are displayed in the Online Reports tab.

The Download option is currently unavailable for application or scan reports for APIs.

Knowledge Base Updated with API Security QIDs

New API QIDs are added and visible in the Knowledge Base data list. OWASP API Top Ten 2023 categories are added, and the API QIDs are mapped to these categories.

A new category, API Security, is added to the WAS Knowledge Base with the list of API compliance-related QIDs.

Discovering Potential Web Applications in Cloud Instances using TotalCloud

With this feature, Web Application Scanning is integrated with TotalCloud. The integration uses the configuration of your cloud environment to automatically identify and catalog potential web applications within your subscription. These potential web applications can be added to the subscription and scanned to identify vulnerabilities. The extended coverage strengthens your organization's web application security posture.

You can add the web applications to the WAS subscription and launch a scan to detect vulnerabilities.

To enable this feature, contact your Technical Account Manager or Qualys Support representative.

Once the connection with TotalCloud is activated, the Discovery > Sources tab displays the AWS connectors available under your subscription. Once a connector runs a scan, WAS retrieves the potential web applications discovered on your publicly exposed cloud assets. The number of discovered web applications is displayed in the Sources tab.

You can click the web application number to view the list of potential web applications in the Discovered Web Applications tab.

You can add the discovered web applications to your subscription and perform scans to assess vulnerabilities. The Web Applications tab displays these web applications with the prefix Discovered Web Application.

Discovering Potential API Assets

With this release, we have introduced the API discovery scan, which discovers potential API assets from the web applications in your subscription.

Launch an API Discovery Scan on an existing web application from the Quick Actions menu.

Once the API discovery scan completes, the discovered URLs are available in the Discovered APIs tab under Discovery. The Discovered APIs tab displays the number of API endpoints for the discovered URLs.

You can add the discovered APIs to the subscription. The APIs tab displays these APIs with the prefix Discovered API.

When you perform a vulnerability scan or compliance scan, the endpoints of the scanned API are listed under Endpoints in the APIs tab.

Support for Customized Signature

With this release, you can extend the security testing capabilities by creating customized vulnerability signatures with targeted, automated detection rules that address your specific security needs.

Custom signatures in Qualys TotalAppSec let you create specific signatures for niche technologies and zero-day vulnerabilities. Customized signatures enable intrusive payload tests, modification of existing checks to fit unique policies, tailored testing for specific conditions, and automated detection of issues found during penetration tests, so that those vulnerabilities are not missed in future scans.

You can create a custom signature by using the New Custom Signature option in the Knowledge Base tab.

New Custom Signature option in Knowledge Base tab.

You can add the custom signatures to the static search list and to the option profile used while performing scans.

For more information on creating custom signatures, refer to TotalAppSec Online Help.

The customized QIDs are available only within your subscription.

Find Custom Signature with QQL Token

The following token is added to the Knowledge Base tab.

Tab             Token           Description
Knowledge Base  vulnDef.custom  Use the value true to show customized signatures.

This feature is not available by default. To enable this feature, contact your Qualys representative.