API Security in Web Application Scanning

Limited Customer Release 

May 22, 2024


Web Application Scanning (WAS) can scan REST APIs, allowing users to upload Swagger/Postman collections or Burp proxy captures to the web application. However, as APIs are represented as web applications in WAS, the API scanning capacity was not clearly communicated. 

With this release, we are introducing a dedicated API scanning feature. The new API scanning feature enhances WAS with new QIDs, coverage of the OWASP API Top 10, and compliance verification tools for OpenAPI or Swagger. 


The following application versions are required for the API Security feature: 

  • Web Application Scanning
  • NextGen WAS Engine 10.1.1
  • Qualys Cloud Platform

Changes in User Interface

New Tab – APIs

The APIs tab is added under Applications to display the list of APIs in your subscription. The APIs tab displays the API name, last scanned date, updated date, and tags. The tab displays the vulnerability level of the application with the number of open vulnerabilities and the TruRisk™ score calculated for the APIs, which indicates the API application's vulnerability level.

You can perform the following actions on the APIs in the list using the Quick Actions menu:

  • View and edit API records
  • View vulnerability report
  • Launch vulnerability and compliance scan
  • Add and remove tags
  • Add comment
  • Purge or remove API asset 
  • Clone existing API records using the Save As option

For more information on APIs tab, see View your APIs.


You can launch a vulnerability and compliance scan for APIs from the Scans tab. The compliance scan is available only for API with Swagger API. 

For the compliance scan, you must create a new option profile named Api Compliance Option Profile

For details on how to launch a compliance scan, refer to Launch Compliance Scan.

 Currently, scheduling of API scans is not supported. 


The Detections tab displays API detections with web application detections.

All the actions available in the Quick Actions menu for web application detections are also available for the API detections. 

 Retesting for API vulnerabilities is available for the vulnerabilities identified through a vulnerability scan and not for vulnerabilities found during a compliance scan.

Online Reports

You can generate application reports and scan reports for API, which are displayed in the Online Reports tab.

 Currently, the Download button is unavailable for application or scan reports for APIs.  


New API QIDs are added and visible on the KnowledgeBase data list. OWASP API Top Ten 2023 categories are added, and API QIDs are mapped against these categories.

A new category – API Security is added to the WAS KnowledgeBase with the list of API compliance-related QIDs. 

Token Changes 

New Tokens

The following new tokens are added for the APIs

Tab  Token Name Description
Detections  vulnerability.owaspApiTopTen.id Use an integer value to find detections with the given OWASP API Top Ten 2023 category ID.
vulnerability.owaspApiTopTen.name Use a text value to find scans with detections with the given OWASP API top ten 2023 category name.
Scans scan.findings.owaspApiTopTen.id Use an integer to find scans with detections with the given OWASP API top ten 2023 category ID.
scan.findings.owaspApiTopTen.name Use a text value to find scans with detections with the given OWASP API top ten 2023 category name.
KnowledgeBase vulnDef.owaspApiTopTen.id Use an integer value to search QIDs the given OWASP API top ten 2023 category ID.
vulnDef.owaspApiTopTen.name Use values within quotes or backticks to search QIDs with the given OWASP API top ten 2023 category name.

Updated Tokens

The following token is modified.

Tab  Token Name Description 
Scans scan.type A new value—COMPLIANCE is added to find the compliance scan from the list of scans.