QualysGuard SECURE Seal FAQ

• Do I need to install anything on my web site to use Qualys SECURE Seal Service?
• How does Qualys SECURE Seal work?
• Can the Qualys SECURE Seal be customized for display on our web site?
• How do I find guidelines for displaying the seal on my web site?
• How often will our web site be tested?
• What happens when an issue is detected?
• What types of issues will take a web site out of compliance for the Qualys SECURE Seal service?
• Why is my web site failing with a single vulnerability that lists my blacklisted resources?
• Does Qualys SECURE Seal service provide remediation instructions to fix network perimeter and web application vulnerabilities?
• How do Seal scans compare to individual VM and WAS scans?
• Upon scanning my web site with SECURE Seal, I am getting numerous emails as a result. How do I stop these emails?
• My SECURE Seal scans identify different perimeter/certificate findings for my web site when a new scan was run. Why is this?
• What should I do if Malware is found on my web site?
• How do I change my password?
• Will Qualys use this scan data for any other purposes?

Do I need to install anything on my web site to use Qualys SECURE Seal Service?

Yes. Once you have created your account and entered your web site domain, you are given a snippet of HTML code that you embed on your site. Qualys SECURE Seal Service will analyze your website from our servers in the cloud with no need for any software to be installed on your web server.

How does Qualys SECURE Seal work?

The Qualys SECURE Seal is simple to install. After purchasing and signing up, you receive a snippet of HTML that you embed on your site. The Qualys SECURE Seal trustmark will automatically be displayed on your site after your sites passes a Qualys SECURE Seal scan consisting of the following:

• Malware Scan
  Evaluates the web site for malicious software that could infect site visitors.
• Network Perimeter Vulnerability Scan
  Identifies externally facing vulnerabilities on the web server that allow attackers to access specific information stored on the host.
• Web Application Vulnerability Scan
  Scans for vulnerabilities in dynamic web applications, such as SQL, to ensure consumers interact with web sites that safeguard their personal information.
• SSL Certificate Validation
  Validates the web site’s SSL certificate is valid and current.

Can the Qualys SECURE Seal be customized for display on our web site?

No. Do not modify the Qualys SECURE Seal trustmark in any way. See the SECURE Seal Usage Guidelines for details on displaying the trustmark. This document outlines the seal specifications and display requirements (sizing and clear space).

How do I find guidelines for displaying the seal on my web site?

Please see the SECURE Seal Usage Guidelines document for information about displaying the seal on your web site.

How often will our web site be tested?

Qualys will automatically scan you site on a recurring basis:

• Malware Scan – daily
• Network Perimeter Vulnerability scan – weekly
• Web Application Vulnerability scan – weekly
• SSL Certificate Validation – weekly

You may also scan your site “on-demand” at any time

What happens when an issue is detected?

If Qualys SECURE Seal indentifies an issue during a scan, you are sent an email notification. The email directs you to login to the Qualys SECURE Seal portal to review and fix the security issues(s) identified by the scan.

The Qualys SECURE Seal trustmark is only displayed by merchants who remediate discovered malware and critical vulnerabilities from their website within the specified grace period of 72 hours. Should the issues(s) remain unresolved beyond 72 hours, the Qualys SECURE Seal trustmark will be revoked and no longer displayed until the problems have been resolved. You may re-scan your site at any time via the Qualys SECURE Seal portal.

What types of issues will take a web site out of compliance for the Qualys SECURE Seal service?

Qualys SECURE Seal indentifies malware and vulnerabilities when the scan is conducted. The Qualys SECURE Seal will be removed if security issues, including but not limited to the following, are detected:

• Malware of any type
• Validation issues associated with the SSL Certificate
• Critical severity Perimeter Vulnerabilities
• Cross-Site Scripting (XSS) issues
• Susceptibility to SQL Injection, Command Injection, HTTP Response Splitting, Local or Remote File Inclusion Vulnerabilities
• The login form is not being submitted over an encrypted channel

Why is my web site failing with a single vulnerability that lists my blacklisted resources?

Your web site will fail our security tests if you have added a list of blacklisted resources for your web site. The finding will report a list of the blacklisted resources which were defined for the web site at the time of the scan. Important: When there are blacklisted resources, all SECURE Seal scans will fail and the seal will not be displayed on your web site. To display the seal you must follow these steps: 1) Go to the web site details, 2) Click "Edit WAS Scan Options" under Actions and remove all of the site's blacklisted resources, and 3) Launch a SECURE Seal scan. You can wait for the next scheduled scan or click "Scan Now" to start the scan right away. If there are pages that you believe should not be included in the Seal Scan, please select ‘Request Exception’ in the management portal.

Does Qualys SECURE Seal service provide remediation instructions to fix network perimeter and web application vulnerabilities?

Yes. Qualys provides links to fixes or workarounds from scan results to help network administrators remedy vulnerabilities. Our Security Engineers have validated each solution in our vulnerability lab to ensure that they function as specified for the appropriate operating system.

How do Seal scans compare to individual VM and WAS scans?

All Seal scans are run from the cloud and examine only internet facing web sites. Seal uses the URL of the web site to identify the target. There are no configuration options for Seal scans in contrast to both VM and WAS scans which both have a wide range of configuration options.

The Seal VM scan begins with TCP and UDP host discovery using the ‘Standard Scan’ configuration in VM, which examines approximately 1900 TCP ports and 180 UDP ports. Once the port discovery is completed a complete vulnerability scan is conducted. The scan is done intelligently, meaning that the discovery results and ongoing scan results will guide the subsequent scans. For example, it the scans show that the Web Server is a Microsoft IIS Server then the vulnerability scan will not launch checks against a Linux web server.

Seal WAS scans cover a subset of the full WAS scans, returning results for the most critical vulnerabilities.

Upon scanning my web site with SECURE Seal, I am getting numerous emails as a result. How do I stop these emails?

You have encountered a form on your web site that is designed to send emails. When the service is scanning for web application vulnerabilities, the web crawler exercises these forms. In order to prevent the emails from being sent, you will need to update your web site's source code. This can be done as follows:

• Modify your web site's code for the forms to NOT send emails. This is best business practice.
• Add a spam rule to your web site's code to throw away emails from "was@qualys.com", or emails from your web site that have the value "was@qualys.com" in them. This is the default email address that the SECURE Seal web application scanner uses for injecting email form fields.
• Add a list of blacklisted resources for your web site while you are remediating security issues. Go to the web site details section and click "Edit WAS Scan Options" under Actions. You have the ability to add a list of blacklisted resources for WAS scans. Important: When there are blacklisted resources, all SECURE Seal scans will fail and the seal will not be displayed on your web site. To display the seal you must first remove all of the site's blacklisted resources, and then launch a SECURE Seal scan.

The SECURE Seal service needs to run security tests on all forms it encounters on a web site to be sure all forms are not susceptible to SQL injection, Cross-Site Scripting (XSS), or other security issues.

My SECURE Seal scans identify different perimeter/certificate findings for my web site when a new scan was run. Why is this?

When you added your web site, if you selected the option "Let Qualys Choose Each Time" the service selects an IP address each time you run a SECURE Seal scan based on the network information available at the time of the scan. It's possible that your scans target different IP addresses when you run your scans. In this case the perimeter findings and the certificate findings may be different and this may cause your SECURE Seal scans to fail.

What should I do if Malware is found on my web site?

If malware is detected on your web site there are many ways that it can be hiding in your source code. Please carefully review the malware details provided by the Malware Detection Service.

The ideal way to remove malware is to use a known, clean backup to restore your site. You need to be certain that the backup is clean and no changes have been made to the site since the backup.

To remove malicious code, remove the suspicious block of script identified by the service in the malware details. You can look at malware details per web page in the malware scan details. Alternatively you can look at malware details by Qualys ID [QID] in the malware findings section and once you verify that the block of script doesn’t belong, that section should be removed.

These are additional ways you can identify malware within an affected web page:

• Identify a block of script that is completely obfuscated. This means you see a bunch of random characters or numbers inside script tags on your page. One way to find such blocks of script is to search for “eval ( base64_decode(“, which will be followed by the obfuscated code.
• Look for cases of “<script src=” followed by a site or file that you don’t recognize as valid. To verify that a script file has been compromised, look a the contents of the script file and try to identify things that are out of place.
• Look for every “<iframe src” tag on your page and locate any that don’t belong. This “src” will usually point to a site not in your control and this is typically hidden using tags like “height=0 width=0” or “style=display.none”. Be aware that advertisers tend to use similar methods when doing legitimate ad tracing.
• Identify new files with suspicious or unknown names. Some files may also be in a suspicious location, such as .php file in your /images folder.

Once you have cleaned up your web site, please rescan using the SECURE Seal service to verify the malicious content is gone (see Remediation). Important Note: While fixing your web site code cleans up the web site, it probably doesn't close the hole that allowed the content to get there in the first place. Please ensure your machines are fully patched and any vulnerabilities identified in the SECURE Seal VM and WAS scans are remediated.

How do I change my password?

in the upper right of the management portal, under the “Welcome (your name)” drop down is a selection to change your password. Simply enter your current password and the new password [twice].

Will Qualys use this scan data for any other purposes?

Yes. The scan data will be used in aggregate with other scans to improve the accuracy of the scanning service and to identify new threats and trends across the internet. The scan data is securely stored and handled. All use of the data is fully anonymized and can’t be tracked to any specific IP address or web site, so there is no danger of information about your web site ever being disclosed.

• Support
• SECURE Seal FAQ