• Progressive Scanning: How to know when the entire application has been scanned

    When using the progressive scanning feature in Qualys WAS, you may not be able to tell from the scan list if your web application has been completely scanned or not. You will see the progressive scan count increase ev...
    Ian Johnson
    last modified by Robert Dell'Immagine
  • Customizing the "Core" Detection Scope

    Some customers have asked how to customize the default "Core" detection scope in WAS (e.g., remove certain QIDs or add others).  This would be accomplished using the "Custom Search Lists" scope as follows.  ...
    Dave Ferguson
    last modified by Dave Ferguson
  • WAS Engine 7.2 Released

    Greetings!   WAS Engine 7.2 has been released to all Qualys platforms including private cloud platforms.  This release is part of our ongoing effort to continuously improve the WAS scanning engine.  Th...
    Dave Ferguson
    last modified by Dave Ferguson
  • How to create an Exception from a security event

    Exceptions are made for managing false-positive or false-negative events. The addition of the Exception subsystem into the Qualys WAF service provides significant flexibility in service management and security policy...
    Steve McBride
    last modified by Rémi Le Mer
  • How to create and deploy a Virtual Patch

    Virtual Patches are meant for protecting unitary vulnerabilities that are not already protected by the current WAF Security Policy.   Virtual Patching is the first step toward a tight integration between the Qu...
    Steve McBride
    last modified by Rémi Le Mer
  • Shared Assets and WAS/WAF integration

    WAS and WAF have a common licensing unit: Web Applications. Qualys AssetView is the cornerstone of the WAF integration with WAS. Indeed, in order to cooperate, Qualys WAS and WAF modules need to share a comm...
    Steve McBride
    last modified by Rémi Le Mer
  • WAF Deployment Overview

    Qualys WAF is a virtual appliance designed for easy and flexible deployment and management. The management of the configuration is done through the cloud-based Qualys Portal, while the deployment is done on premise. Y...
    Steve McBride
    last modified by Rémi Le Mer
  • New Detections Rolling Out for Vulnerable CMSs and CMS Plugins

    In a previous post, we described how Qualys WAS added new informational QIDs to report CMS versions and CMS plugins found on your scanned web applications.  Now, as part of the continuous improvement of the scann...
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS Update - Portal 2.41

    Greetings all -   A new version of Qualys WAS is now available.  It is part of Portal 2.41 - aka Qualys Cloud Platform 2.41 release - and it's being deployed to all Qualys shared platforms over the next fe...
    Dave Ferguson
    last modified by Dave Ferguson
  • WAF SSL - Converting .pfx Certificate and Key files to Qualys WAF-compatible files

    When deploying Qualys WAF, the Portal needs to have encryption certificates and keys in the PEM format.  However, oftentimes (particularly when using Microsoft servers), you'll see an integrated certificate and k...
    Steve McBride
    last modified by Rémi Le Mer
  • WAF - Configuring your Application for SSL

    Qualys WAF includes comprehensive support for encrypted web applications and, while configuration is very simple, there are a few key concepts to keep in mind to properly configure a web application for SSL support. ...
    Steve McBride
    last modified by Rémi Le Mer
  • Progressive Scanning Explained

    Progressive scanning is a feature within Qualys Web Application Scanning (WAS) that is now available to all customers. The intent and goal of progressive scanning is to add a mechanism to effectively scan very large w...
    Dave Ferguson
    last modified by Dave Ferguson
  • Viewing Web Application Response Headers For Validating QIDs

    Introduction Response Headers QIDs Response Headers and Redirects Methods to View Response Headers Method 1: Chrome Browser Developer Tools Method 2: Firefox Browser Web Developer Method 3: OWASP...
    John Delaroderie
    last modified by John Delaroderie
  • WAS Engine 7.1 Released

    Greetings all!   WAS Engine 7.1 has been released to all Qualys platforms including private cloud platforms.  This release is part of our ongoing effort to continuously improve the WAS scanning engine. ...
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS Update - Portal 2.40

    Greetings all! A new version of Qualys WAS is now available. It is part of Portal 2.40 - aka Qualys Cloud Platform 2.40 release - and it's being deployed to all shared platforms over the next few days. ...
    Dave Ferguson
    last modified by Dave Ferguson
  • WAS Engine 7.0 Released

    Greetings all!   I'm pleased to announce that WAS Engine 7.0 has been released to all Qualys shared platforms.  This new version adds support for TLS 1.3.  A huge amount of testing went into this relea...
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys Browser Recorder v1.1.6 Now Available

    Greetings all -   I'm pleased to announce that Qualys Browser Recorder (QBR) version 1.1.6_6 has been released.  First released by Qualys in 2018, QBR is an extension for the Chrome web browser that allows ...
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS update - Portal 2.39

    Greetings!   A new version of Qualys WAS is now available.  Portal 2.39 - aka Qualys Cloud Platform 2.39 release - is being deployed to all shared platforms this week and includes UI and API changes for WAS...
    Dave Ferguson
    last modified by Dave Ferguson
  • Blind Elephant Supported Detections

    The static-file web application fingerprinting function of Qualys Suite, which is based on the open-source project Blind Elephant, detects the following web applications, plugins and extensions:     Open Sou...
    Robert Dell'Immagine
    last modified by Robert Dell'Immagine
  • Jenkins Plugin for Qualys WAS

    The Jenkins plugin for Qualys WAS empowers DevOps teams to build application vulnerability scans into their CI/CD processes. By integrating and automating scans in this manner, application security testing is accompli...
    Dave Ferguson
    last modified by Dave Ferguson