• How to create a WAS-only user

    This article describes how to create a "WAS-only" user with no capabilities in other Qualys modules or products.  This is for the purpose of maintaining least privileges and is typical for developers or QA person...
    Parag Baxi
    last modified by Dave Ferguson
  • Customizing the "Core" Detection Scope

    Some customers have asked how to customize the default "Core" detection scope in WAS (e.g., remove certain QIDs or add others).  This would be accomplished using the "Custom Search Lists" scope as follows.  ...
    Dave Ferguson
    last modified by Dave Ferguson
  • WAS Engine 7.4 Released

    Greetings! To wrap up 2019, we have released WAS Engine 7.4 to all Qualys platforms including private cloud platforms. This is part of our ongoing effort to continuously improve the WAS scanning engine. ...
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS and OWASP Top 10 2017 Coverage

    This PDF document explains how Qualys WAS provides testing coverage for the OWASP Top 10 2017 edition.
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS Update - Portal 2.42

    Greetings all - A new version of Qualys WAS was recently released. It is part of Portal 2.42 - aka Qualys Cloud Platform 2.42 release - and it has been deployed to all Qualys shared platforms. This...
    Dave Ferguson
    last modified by Dave Ferguson
  • New Detections Rolling Out for Vulnerable CMSs and CMS Plugins

    In a previous post, we described how Qualys WAS added new informational QIDs to report CMS versions and CMS plugins found on your scanned web applications.  Now, as part of the continuous improvement of the scann...
    Dave Ferguson
    last modified by Dave Ferguson
  • Web Shell Detection in WAS

    Recently, the WAS scan engine began testing for the presence of known web shells via QID 150239.  This QID is included in Core detection scope.  If a web shell is found, it means the scanned application has ...
    Dave Ferguson
    last modified by Robert Dell'Immagine
  • WAS Engine 7.3 Released

    Greetings! WAS Engine 7.3 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the WAS scanning engine. Th...
    Dave Ferguson
    last modified by Dave Ferguson
  • About "No Web Service" status

    As a user of Qualys WAS, you may occasionally see a scan end with "No Web Service" status.  It occurs more commonly when scanning an internal web application using a scanner appliance.  This status typically...
    Dave Ferguson
    last modified by Dave Ferguson
  • Jenkins Plugin for Qualys WAS

    The Jenkins plugin for Qualys WAS empowers DevOps teams to build application vulnerability scans into their CI/CD processes. By integrating and automating scans in this manner, application security testing is accompli...
    Dave Ferguson
    last modified by Dave Ferguson
  • Handling SSO in Qualys WAS

    A common authentication mechanism used by web applications is single sign-on (SSO).  This introduces complexity and can cause some confusion when it comes to authenticating and scanning with Qualys WAS.  ...
    Dave Ferguson
    last modified by Dave Ferguson
  • Update to Qualys WAS Burp extension

    In case you missed it, a new version of the Qualys WAS Burp extension has been released. You can now import a WAS finding into Burp Repeater to validate the finding. Details are here - https://blog.qualy...
    Dave Ferguson
    last modified by Dave Ferguson
  • Progressive Scanning: How to know when the entire application has been scanned

    When using the progressive scanning feature in Qualys WAS, you may not be able to tell from the scan list if your web application has been completely scanned or not. You will see the progressive scan count increase ev...
    Ian Johnson
    last modified by Robert Dell'Immagine
  • WAS Engine 7.2 Released

    Greetings! WAS Engine 7.2 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the WAS scanning engine. Th...
    Dave Ferguson
    last modified by Dave Ferguson
  • How to create an Exception from a security event

    Exceptions are made for managing false-positive or false-negative events. The addition of the Exception subsystem into the Qualys WAF service provides significant flexibility in service management and security policy...
    Steve McBride
    last modified by Rémi Le Mer
  • How to create and deploy a Virtual Patch

    Virtual Patches are meant for protecting unitary vulnerabilities that are not already protected by the current WAF Security Policy. Virtual Patching is the first step toward a tight integration between the Qu...
    Steve McBride
    last modified by Rémi Le Mer
  • Shared Assets and WAS/WAF integration

    WAS and WAF have a common licensing unit: Web Applications. Qualys AssetView is the cornerstone of the WAF integration with WAS. Indeed, in order to cooperate, Qualys WAS and WAF modules need to share a comm...
    Steve McBride
    last modified by Rémi Le Mer
  • WAF Deployment Overview

    Qualys WAF is a virtual appliance designed for easy and flexible deployment and management. The management of the configuration is done through the cloud-based Qualys Portal, while the deployment is done on premise. Y...
    Steve McBride
    last modified by Rémi Le Mer
  • Qualys WAS Update - Portal 2.41

    Greetings all - A new version of Qualys WAS is now available. It is part of Portal 2.41 - aka Qualys Cloud Platform 2.41 release - and it's being deployed to all Qualys shared platforms over the next fe...
    Dave Ferguson
    last modified by Dave Ferguson
  • WAF SSL - Converting .pfx Certificate and Key files to Qualys WAF-compatible files

    When deploying Qualys WAF, the Portal needs to have encryption certificates and keys in the PEM format.  However, oftentimes (particularly when using Microsoft servers), you'll see an integrated certificate and k...
    Steve McBride
    last modified by Rémi Le Mer