Automated Web Application Security Assessment and Reporting that Scales with Your Business
QualysGuard® Web Application Scanning (WAS) enables organizations to assess, track and remediate web application vulnerabilities. Delivered on demand, the new service allows users to:
- Crawl web applications
- Identify cross-site scripting and SQL injection vulnerabilities
- Detect sensitive content in HTML based on user settings
- Conduct authenticated and non-authenticated scanning
QualysGuard WAS automates techniques used to identify most web vulnerabilities and delivers a broad scope of coverage for testing web application vulnerabilities such as those in the OWASP Top 10 and WASC-TC, including "SQL injection", "cross-site scripting" and "web site misconfigurations". The WAS scanning engine combines pattern recognition and observed behaviors to accurately identify and verify vulnerabilities.
QualysGuard WAS draws upon the same highly accurate scanning infrastructure and technology as Qualys' flagship solution QualysGuard. Users can manage web applications, launch scans and generate reports using the familiar QualysGuard UI.
Features of QualysGuard Web Application Scanning:
- Automated Crawling and Link Discovery
  The sophisticated scanning engine features several techniques to effectively crawl a web site. The crawler attempts to cover as much of the target web site's functionality as possible by balancing the breadth and depth of the crawl (up to 5,000 links per web application) and by avoiding redundant and recursive links. The web crawler parses HTML and extracts the links it encounters, including custom links.
- Identify Web Application Vulnerabilities
  Web application scans analyze the security of your web applications and report detected vulnerabilities, sensitive content and information-gathered data. The test phase of WAS searches for common vulnerabilities such as SQL injection, cross-site scripting, source disclosure, and directory traversal.
- Analyze Web Application Threats with Powerful Reporting
  The QualysGuard reporting engine breaks down problems into types of vulnerabilities such as cross-site scripting or SQL injection for a single web site, and also generates summary vulnerability information across groups of web applications. QualysGuard WAS offers Scorecard and Interactive reports that draw on data returned from the most recent web application scan. A web application scorecard report identifies the vulnerabilities and sensitive content detected for one or more target web applications in your account. The interactive report allows users to change report settings (e.g., detections and URI filters) on the fly for different views of the web application scan data.
- Authenticated Scanning
  Given only a user name and password, the web crawler automatically identifies HTML form login page(s) and monitors the session state to ensure an authenticated scan remains authenticated throughout the crawl. Multiple authentication methods are supported for each scan, including Form, HTTP Basic, NTLM and Digest.
- Black/White List
  Black/white lists give users a way to ensure that only selected parts of the web application are scanned. A black list prevents the crawler from visiting certain links, while a white list instructs the crawler to visit only the links explicitly defined.
- Sensitive Content Search
  This feature enables automated expression searches for content in HTML, such as social security numbers and credit cards, as well as custom strings.
- Performance Tuning and Scheduling
  Determine bandwidth levels for parallel scanning to control the impact on application performance. Crawling and scans can also be scheduled on demand to further minimize the impact on operations.
Benefits of QualysGuard Web Application Scanning
- On demand, real time assessment of web application security
- Lowers total cost of operations by automating repeatable testing processes
- Identifies vulnerabilities of syntax and semantics in custom web applications including cross-site scripting and SQL injection vulnerabilities
- Profiles the target application and performs authenticated crawling and auditing
- Improves accuracy and reduces false positives through profiling of the web site
- Scales to scan any number of web applications, internal or external, in production or development environments, using the QualysGuard Software-as-a-Service (SaaS) platform
Subscription Options
QualysGuard WAS is priced as a prepaid annual subscription based on the number of web applications (URLs) scanned.
1 YEAR SUBSCRIPTION (EXTERNAL + INTERNAL)

| Enterprise Edition | |
|---|---|
| Maximum # of Users | Unlimited |
| Maximum # of Applications | Unlimited |
| Maximum # of Scanners | Unlimited |
| Maximum # of Scans/Crawls | Unlimited |
| QualysGuard XML APIs | Add. Fee |

| Express Edition | |
|---|---|
| Maximum # of Users Per Suite Account | 6 |
| Maximum # of Applications | 200 |
| Maximum # of Scanners | 2 |
| Maximum # of Scans/Crawls | Unlimited |
| QualysGuard XML APIs | Add. Fee |

Also Includes
- 24x7x365 Email/Telephone Customer & Technical Support
- Web-based Training & Regional Certification Workshops
- Attendance to All Qualys User Conferences & Seminars
QualysGuard WAS is also available as part of the QualysGuard Security & Compliance SaaS Suite, which also includes:
Contact sales for an immediate price quote, or sign up for a 14 Day Trial.
Customers and Awards
Performing over 150 million IP audits per year, QualysGuard is the most widely deployed on-demand security solution in the world. Qualys is selected by thousands of large and small organizations around the world.
QualysGuard is overwhelmingly recognized as the leader in its space. QualysGuard has won awards ranging from Best Vulnerability Management Solution, Best Security Product, Best Security Company and Best Network Protection Service to many more.
