Qualys WAS is an automated scanner that uses fault injection tests to find vulnerabilities. It inserts specially crafted character strings into your application form fields. WAS then examines the responses from your web application to determine the existence of vulnerability. You can see what is sent and how your application responded in WAS’s reporting capabilities. Qualys WAS enables organizations to scan their web applications for vulnerabilities. It assess, track and remediate web application vulnerabilities.
You should use WAS in conjunction with manual penetration testing tools. With the manual testing of your application, you can test some of the functionality and business logic that WAS cannot test.
With WAS, you'll quickly be able to identify web applications vulnerabilities and manage security risks.
First you need to define your web application. It is very important that you do this correctly, as your subscription is based on the number of web applications.
Go to Web Applications, click New Web App > Add New. Learn More
Note - To run internal scans you'll need to configure a scanner appliance within your network - a physical or virtual appliance. Learn more
It's best to do a discovery scan first - go to Scans > Scan List and select New Scan > Discovery Scan.
A discovery scan performs information gathered checks only (forms detected, external links found, and so on). This is a good way to learn where the scan will go and whether there are URIs that you should add to the allow list for a vulnerability scan. Learn moreLearn more
With a discovery scan:
- No vulnerability checks are performed.
- WAS perform information gathered checks (QIDs) and report the findings in your scan results if included in your scan settings. (These QIDs must be selected in the detection scope of your option profile.)
- We'll perform these checks and report the findings in your scan results if included in your scan settings. (These checks must be selected in the detection scope of your option profile.)
View the discovery scan report when your scan is finished. Go to Scans > Scan List, select your scan and choose View Report from the Quick Actions menu. Scroll down to Results, then Information Gathered and drill down to see detection details. Be sure to check out these QIDs (Qualys IDs): 150009 Links Crawled and 150021 Scan Diagnostics.
We'll perform vulnerability assessment of your web application. Just go to Scans > Scan List and select New Scan > Vulnerability Scan. You can launch a scan now or schedule it for later. Learn more
When your scan is finished, be sure to view the vulnerability scan report. Go to Scans > Scan List, select your scan and choose View Report from the Quick Actions menu. Scroll down to Results, and drill down to the detection details under Vulnerabilities, Information Gathered and Sensitive Contents (if any).
Your dashboard shows the current security status of your web applications based on the latest scan results.
There are several reports available. Just go to Reports, select New Report and select a report type - Web Application Report, Scan Report, Scorecard Report, Catalog Report. We support templates for report customization. Learn more
Dashboards help you visualize your assets, see your threat exposure, leverage saved searches, and fix priority of vulnerabilities quickly.
We have integrated Unified Dashboard (UD) with WAS. UD brings information from all Qualys applications into a single place for visualization. UD provides a powerful new dashboarding framework along with platform service that will be consumed and used by all other products to enhance the existing dashboard capabilities.
You can use the default dashboard provided by Qualys or easily configure widgets to pull information from other modules/applications and add them to your dashboard. You can also add as many dashboards as you like to customize your vulnerability posture view.