I just wanted to know how frequently Qualys WAS upgrades signatures for new vulnerabilities?
I don't like to use the term "signatures" when it comes to WAS. A signature implies there is a known vulnerability in a certain piece of software (often with an associated CVE). The purpose of WAS is to test for unknown vulnerabilities & weaknesses in web applications. Most organizations are primarily concerned with scanning their custom web apps that were built in-house.
That said, new QIDs are introduced into WAS several times a year. There's no set number or regular release schedule for them. You can think of a new QID as a new vulnerability test or new detection capability. Examples from this year are:
There's very rarely a new vulnerability type discovered in the world of web app security (although it does happen, an example being clickjacking aka UI redressing, but even that was 8 years ago). New QIDs added into WAS are not typically high severity items and may be rather uncommon, but implementing them provides more comprehensive detection capability and makes the product better overall.
Beyond adding new QIDs, the WAS engineering team has a continuous effort to improve scan efficiency, fix bugs, and implement better support for frameworks (e.g., SmartScan for AngularJS and others). Also the scanner's payloads may be tweaked or methodology changed to achieve better vulnerability detection and generally reduce false positives and false negatives. It's a never-ending effort due to the complexity and enormous diversity of web apps that WAS encounters. None of these activities involve new QIDs.
The bottom line is that dynamic scanners must adapt to the changing landscape of web applications. If your scanner isn't constantly on the quest toward improvement, then it will become obsolete. A scanner written 10-15 years ago and never updated would be almost worthless in today's landscape.
Unlike VM, where each QID is a signature to detect a specific vulnerability on a host OS, app, etc., the WAS QID is a vuln category.
Like XSS is not a signature in itself, it's a category of vulns... so it is with SQLi and others.
The WAS QIDs would be updated when we have a new category of vulns to detect, which may not be every day.
How frequently does Qualys add a new category? Is it monthly, weekly or yearly?
And what is the meaning of category here? Is it like a new vulnerability in the market?
dferguson, can you please clarify my queries?