• HTTP vs HTTPS for a site

    If I configure a site as specifically HTTPS, does the scanner check to see if the site also listens on HTTP? The same the other way around? I'd almost expect the site to scan on HTTP...
    Andrew Craick
    last modified by Andrew Craick
  • Progressive Scanning: How to know when the entire application has been scanned

    When using the progressive scanning feature in Qualys WAS, you may not be able to tell from the scan list if your web application has been completely scanned or not. You will see the progressive scan count increase ev...
    Ian Johnson
    last modified by Robert Dell'Immagine
  • Redirection on a browser tab

    Hello, I have a scan to make on a web application. On one of the links of the first application there is a redirection on a tab. I cannot get Qualys to scan the second application. Is this a problem due to the open...
    Cyril GABILLAUD
    last modified by Cyril GABILLAUD
  • Customizing the "Core" Detection Scope

    Some customers have asked how to customize the default "Core" detection scope in WAS (e.g., remove certain QIDs or add others).  This would be accomplished using the "Custom Search Lists" scope as follows.  ...
    Dave Ferguson
    last modified by Dave Ferguson
  • WAS Engine 7.2 Released

    Greetings!   WAS Engine 7.2 has been released to all Qualys platforms including private cloud platforms.  This release is part of our ongoing effort to continuously improve the WAS scanning engine.  Th...
    Dave Ferguson
    last modified by Dave Ferguson
  • Configuration for local environment scans

    Good morning friends, How do I perform a scan on a web application that is on the internal network? Is there any configuration in Qualys so that I can scan hosts from a LAN as I mentioned?
    Felipe Paranhos da Silva
    last modified by Felipe Paranhos da Silva
  • Generate report web application scanning

    Hi, I want to extract report from result of scan web application, I want to extract only severity 3, 4 and 5. The first thing I notice, is very different with generating report in vulnerability management. I t...
    AMADOU DIALLO
    last modified by AMADOU DIALLO
  • How to create an Exception from a security event

    Exceptions are made for managing false-positive or false-negative events. The addition of the Exception subsystem into the Qualys WAF service provides significant flexibility in service management and security policy...
    Steve McBride
    last modified by Rémi Le Mer
  • How to create and deploy a Virtual Patch

    Virtual Patches are meant for protecting unitary vulnerabilities that are not already protected by the current WAF Security Policy.   Virtual Patching is the first step toward a tight integration between the Qu...
    Steve McBride
    last modified by Rémi Le Mer
  • Shared Assets and WAS/WAF integration

    WAS and WAF have a common licensing unit: Web Applications.   Qualys AssetView is the corner-stone of the WAF integration with WAS. Indeed, in order to cooperate, Qualys WAS and WAF modules need to share a comm...
    Steve McBride
    last modified by Rémi Le Mer
  • WAF Deployment Overview

    Qualys WAF is a virtual appliance designed for easy and flexible deployment and management. The management of the configuration is done through the cloud-based Qualys Portal, while the deployment is done on premise. Y...
    Steve McBride
    last modified by Rémi Le Mer
  • New Detections Rolling Out for Vulnerable CMSs and CMS Plugins

    In a previous post, we described how Qualys WAS added new informational QIDs to report CMS versions and CMS plugins found on your scanned web applications.  Now, as part of the continuous improvement of the scann...
    Dave Ferguson
    last modified by Dave Ferguson
  • WAS - How does authentication test works ?

    I'm not sure why the authentication tests fail with my webapp.   The report says the form is found at the DNS link, but the authentication form is actually where the index.php redirects. Anyway, the report fin...
    Emmanuel PAULIN
    last modified by Emmanuel PAULIN
  • Finding out legacy TLS v1.0

    I need to find out whether a given website still supports TLS v1.0 and tried customizing the default "Core" detection scope in WAS by adding a  "Custom Search Lists".   Unfortunately while adding ...
    Luca Gualteri
    last modified by Luca Gualteri
  • Qualys WAS Update - Portal 2.41

    Greetings all -   A new version of Qualys WAS is now available.  It is part of Portal 2.41 - aka Qualys Cloud Platform 2.41 release - and it's being deployed to all Qualys shared platforms over the next fe...
    Dave Ferguson
    last modified by Dave Ferguson
  • SSL website scan via VM or WAS?

    Hi Everyone,    I am new to Qualys and getting through first hurdles - clean slate, slowly building up my asset collection.    I am trying to scan several domains and report supported SSL/TL...
    Tom S
    last modified by Tom S
  • Limited-scope user has access to modules outside of Role-defined limits

    We set up our WAS security personnel with permissions limiting them to WAS and Reporting from within Role Management over a year ago. However, during a recent audit, we found that these users actually have access ...
    Robert Sloan
    last modified by Robert Sloan
  • WAF SSL - Converting .pfx Certificate and Key files to Qualys WAF-compatible files

    When deploying Qualys WAF, the Portal needs to have encryption certificates and keys in the PEM format.  However, oftentimes (particularly when using Microsoft servers), you'll see an integrated certificate and k...
    Steve McBride
    last modified by Rémi Le Mer
  • WAF - Configuring your Application for SSL

    Qualys WAF includes comprehensive support for encrypted web applications and, while configuration is very simple, there are a few key concepts to keep in mind to properly configure a web application for SSL support. ...
    Steve McBride
    last modified by Rémi Le Mer
  • Feature request: WAS plug-in for Azure DevOps

    We would like to integrate WAS into CI/CD process of Azure DevOps. However, it seems WAS plug-in currently exists only for Jenkins. Can you create a WAS plug-in to integrate into Azure DevOps CICD process?
    Srinivasa Yennam
    last modified by Srinivasa Yennam