Qualys takes step towards complete automation of web app security

Qualys announced Qualys Web Application Firewall (WAF) version 2.0 that comes fully integrated with the Qualys Web Application Scanning solution (WAS).

Presented at RSA Conference 2015, the new release includes virtual patching capabilities to enable organizations to fine-tune security policies, remove false positives and customize rules leveraging vulnerability data from the Qualys WAS. Qualys WAF also includes customizable event response, helping customers evaluate and create exceptions to web events to better prioritize and mitigate vulnerabilities, making it one of the first end-to-end web application security services to combine WAF security rules and policies with WAS data to address web application security threats.



As hackers continue to find new ways to penetrate web applications, WAFs can detect, alert and block known attacks. With the latest version of Qualys WAF, users can now create “virtual patch” rules in direct response to their Qualys WAS findings, to enable rapid false positive resolution, as well as customization of security rules tailored for the organization’s environment. This helps customers better tune security policies, quickly remove false positives, and easily customize WAF security rules for web applications.

Qualys Web Application Firewall brings scalability and simplicity to web app security. Its automated, adaptive approach provides organizations with the following:

  • Easy set-up. Qualys WAF is deployed as a virtual image alongside web applications. It can be set up and configured in minutes, requiring no equipment or admin resources or dedicated security staff to get set up and running.
  • Real-time application defense and hardening. Qualys WAF blocks attacks against websites in real time. The service provides a shield around coding defects, application framework flaws, web server bugs, and improper configurations.
  • Seamless, automatic updates, increasing security over time. Running on the Qualys Cloud Platform, the WAF service is updated automatically with new defenses from the Qualys research team, and the defense is activated intelligently according to specified policies – all without disrupting the websites or site visitors.
  • Centralized Cloud Management. Delivered via the Qualys Cloud Platform, WAF can be centrally managed from anywhere in the world via the Qualys console. It provides a clear dashboard showing timelines and geo-location graphs of events. The cloud platform also provides maximum efficiency by security events from all customers, with immediate rules deployment to all WAFs connected to it.
  • Tight integration with Qualys Web Application Scanning
    Qualys WAS provides customers the ability to continuously discover, catalog and scan thousands of web applications on a global scale with a high degree of accuracy. It crawls and tests web applications for OWASP top 10 risks, SQL injection, Cross-Site Scripting, and web site misconfigurations. When it identifies a threat or a risk, it can automatically deploy the relevant virtual patch to the Qualys WAF to mitigate associated risks.

    Additionally, Qualys WAF monitors all web pages visited by users and automatically shares this information back to the web application scanner, ensuring these pages are not missed during the next scan. Such an approach helps block attacks on web app vulnerabilities, prevent disclosure of sensitive information and control where and when applications are accessed.

    Qualys Web Application Firewall is now available and sold as an annual subscription starting at $1,995 for small businesses and $9,995 for larger enterprises based on the number of web applications and virtual appliances.

    “Many organizations are struggling to find a balance between identifying and effectively addressing vulnerabilities fast enough to avoid falling victim to large-scale breaches,” said Philippe Courtot, chairman and CEO of Qualys. “By integrating security rules and policies from our WAF solution with Qualys WAS data, we are providing significant value to our customers with the flexibility and automation needed to tackle web application security threats. It’s a giant step towards complete automation of web application security.”