  • API Testing with Postman Collections

    This article describes how to set up vulnerability scanning of your API using Qualys WAS with a Postman Collection.  Initial support for Postman Collections in WAS was released in October 2019.  Postman Col...
    Ed Arnold
    last modified by Robert Dell'Immagine
  • API Testing with Swagger 2.0

    The Qualys Web Application Scanning module allows users to scan APIs in addition to traditional web applications.  This article will examine testing an API that adheres to the OpenAPI Specification through the us...
    John Delaroderie
    last modified by John Delaroderie
  • New QID for vulnerability in Telerik UI for ASP.NET AJAX

    A new detection in Qualys WAS has been released to detect an unrestricted file upload vulnerability in Telerik UI for ASP.NET AJAX.  The flaw consists of weakly-encrypted data that is used by RadAsyncUpload. ...
    Dave Ferguson
    last modified by Dave Ferguson
  • Limitation on size of web application reports

    With the recent release of Portal 2.44 - aka Qualys Cloud Platform 2.44 - a change was made to limit the size of web application reports.  A notification will be displayed if you try to create a web appli...
    Dave Ferguson
    last modified by Dave Ferguson
  • Progressive Scanning Explained

    Progressive scanning is a feature within Qualys Web Application Scanning (WAS) that is now available to all customers. The intent and goal of progressive scanning is to add a mechanism to effectively scan very large w...
    Dave Ferguson
    last modified by Dave Ferguson
  • WAS Scan Optimization

    When performing Web Application Scanning with Qualys WAS, you may experience long scan times or a Time Limit Reached status triggered by QID 150024 - Scan Time Limit Reached. To improve scan times in those situations,...
    Ed Arnold
    last modified by Ed Arnold
  • Web Application Scanning - Controlling Links Crawled with Explicit URLs, Redundant Links, Black Lists, and White Lists

    Qualys WAS offers many options to control what URLs are crawled and tested during a Web Application Scan.  However, customers can potentially misconfigure their web application configuration and end up scanning U...
    John Delaroderie
    last modified by John Delaroderie
  • WAS Engine 7.6 Released

    Greetings!  This is to announce that WAS Engine 7.6 has been released to all Qualys platforms including private cloud platforms.  This release is part of our ongoing effort to continuously improve the WAS sc...
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS Plugin for Bamboo

    We are pleased to announce that a Qualys WAS plugin for Bamboo is now available.  Bamboo by Atlassian is a popular commercial CI/CD tool.  Just like our WAS plugin for Jenkins, the plugin for Bamboo allows D...
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS Plugin for TeamCity

    We are pleased to announce that a Qualys WAS plugin for TeamCity is now available.  TeamCity by JetBrains is a popular commercial CI/CD tool.  Just like our WAS plugin for Jenkins, the plugin for TeamCity al...
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS Plugin for Jenkins

    The Qualys WAS plugin for Jenkins empowers DevOps teams to build application vulnerability scans into their CI/CD processes. By integrating and automating scans in this manner, application security testing is accompli...
    Dave Ferguson
    last modified by Dave Ferguson
  • WAS Engine 7.5 Released

    Greetings!  This is to let you know that WAS Engine 7.5 has been released to all Qualys platforms including private cloud platforms.  This release is part of our ongoing effort to continuously improve the WA...
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS Update - Portal 2.43

    Greetings! A new version of Qualys WAS has been released.  It is part of Portal 2.43 - aka Qualys Cloud Platform 2.43 - and is being deployed to all Qualys shared platforms over the next few days.  This re...
    Dave Ferguson
    last modified by Dave Ferguson
  • New QID 150273 Published to Detect Citrix ADC RCE

    Hello all - Qualys WAS has published a new QID 150273 to detect the vulnerability in Citrix Controller and Gateway products.  Please refer to the details about the vulnerability and Qualys detections at: ...
    Sheela Sarva
    last modified by Sheela Sarva
  • How to create a WAS-only user

    This article describes how to create a "WAS-only" user with no capabilities in other Qualys modules or products.  This is for the purpose of maintaining least privileges and is typical for developers or QA person...
    Parag Baxi
    last modified by Dave Ferguson
  • Customizing the "Core" Detection Scope

    Some customers have asked how to customize the default "Core" detection scope in WAS (e.g., remove certain QIDs or add others).  This would be accomplished using the "Custom Search Lists" scope as follows.  ...
    Dave Ferguson
    last modified by Dave Ferguson
  • WAS Engine 7.4 Released

    Greetings!  To wrap up 2019, we have released WAS Engine 7.4 to all Qualys platforms including private cloud platforms.  This is part of our ongoing effort to continuously improve the WAS scanning engine. ...
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS and OWASP Top 10 2017 Coverage

    This PDF document explains how Qualys WAS provides testing coverage for the OWASP Top 10 2017 edition.
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS Update - Portal 2.42

    Greetings all - A new version of Qualys WAS was recently released.  It is part of Portal 2.42 - aka Qualys Cloud Platform 2.42 release - and it has been deployed to all Qualys shared platforms.  This...
    Dave Ferguson
    last modified by Dave Ferguson
  • New Detections Rolling Out for Vulnerable CMSs and CMS Plugins

    In a previous post, we described how Qualys WAS added new informational QIDs to report CMS versions and CMS plugins found on your scanned web applications.  Now, as part of the continuous improvement of the scann...
    Dave Ferguson
    last modified by Dave Ferguson