Qualys announced a new release of QualysGuard Web Application Scanning (WAS) 2.1 that integrates with Selenium to help companies further automate scanning of web applications with complex authentication.
One of the challenges of dynamic application security testing (DAST) is successfully authenticating to the application during a scan. QualysGuard WAS 2.1 uniquely addresses this challenge with support for Selenium scripts, which expands the ability of WAS 2.1 to perform authenticated web application scans and identify vulnerabilities.
The Selenium plug-in enables users to record their browser actions and save them as scripts that can then be replayed at a later time. Through its use of Selenium, WAS 2.1 can effectively scan web applications that require complex authentication with multi-step login processes.
“As financially-motivated attackers have shifted their focus to applications, Web application security has become a top priority. However, the responsibility for web application security cannot rest solely with information security,” said Neil MacDonald, vice president and Gartner fellow. “Enterprises should evaluate how to identify vulnerabilities in Web applications earlier in the development process as transparently as possible using web application security testing products or services.”
Qualys worked with enterprise customers such as Daimler AG to identify the best solution to record and play back complex authentication sequences required by some web applications. Daimler and other enterprise customers typically use the Selenium tool to record and play back user actions in a browser for testing web applications. By integrating the ability to play back Selenium scripts into the QualysGuard Web application scanner, Qualys has leveraged the technology and expertise that are already supported by enterprise customers to offer a powerful new way to perform authenticated scanning.
“While we now identify and eliminate vulnerabilities on network devices efficiently, this is not the case for web applications which have become the primary target of cyber attacks,” said Philippe Courtot, chairman and CEO for Qualys. “With the integration of the Selenium engine with our QualysGuard cloud-based web application scanner, we can now allow corporations and security consulting organizations to fully automate the discovery of vulnerabilities on web applications.”
In addition to Selenium support, QualysGuard WAS 2.1 provides key features including:
- Client Certificate Support: WAS 2.1 expands its reach with support for client SSL certificates that are required by many high-risk web applications. This update will provide users with the ability to upload client SSL certificate files which will then be used by WAS to perform authenticated scanning, expanding the scanning coverage and increasing the number of web application vulnerabilities identified.
- Post Data Black List: With Post Data Black Lists, users can identify pages for which forms should not be submitted. This prevents the potential impact of posting the forms but allows the page view to be evaluated for security vulnerabilities, increasing the coverage while lowering the risk of scanning impact on the application.
- Additional URL Support: WAS 2.1 expands coverage by enabling users to enter a list of links to be scanned that may not be linked to the initial URL.
QualysGuard WAS 2.1 is available immediately for U.S. customers and will be available for EU customers on December 15th, 2011. It is sold as annual subscriptions based on the number of web applications, and includes 24×7 support and full updates.