Web application scanning on a new level

Qualys announced the release of QualysGuard WAS 2.0 with several major enhancements to help customers catalog their web applications on a global scale and scan them for vulnerabilities that can lead to exploitation.

The new release, delivered via the QualysGuard SaaS platform and its new Java-based backend comes with a new Web 2.0 User Interface that raises the bar in terms of ease-of-use, flexible reporting and automation of scanning tasks.

“Software flaws are a significant source of loss through security and safety incidents, and they also result in greatly increased development and maintenance costs.” Moreover, “dynamic testing — and Web application scanning in particular — is an important component of software assurance and security testing — one that plays an increasingly important role in enterprise software security programs,” said Ramon Krikken, research director for Gartner.

Major enhancements in QualysGuard WAS 2.0 include:

• Cataloging and scanning of web applications in the enterprise (Intranet, Internet) or in the cloud, including Amazon EC2 and VPC platforms
• Fully interactive UI with flexible workflows and reporting
• Supports scanning HTML web applications with JavaScript and embedded Flash
• Comprehensive detection of custom web application vulnerabilities including:
  • OWASP Top 10 vulnerabilities: SQL injection, cross-site scripting (XSS), source disclosure, directory traversal
  • Checks web applications’ handling of sensitive or secret data
  • Reports on recommended secure coding practice and configuration
  • Differentiates exploitable fault-injection problems from simple information disclosure
• Customizable scanning options:
  • Customized crawling using Black/White lists and Robots.txt and Sitemap.xml files
  • Supports common authentication schemes
  • Performs brute force attack using pre-defined and custom password lists
  • Profiles custom web application behaviors
  • Configures scanning performance with customizable performance level.

“Based on our new Java-based backend that leverages Web 2.0 UI technologies, this release brings web application scanning to an unprecedented level of automation and functionality,” said Philippe Courtot, chairman and CEO for Qualys. “This new release allows customers and service providers to catalogue and scan thousands of web applications within the enterprise or in the cloud at a price point any organization can afford.”