WillB

Qualys WAS 4.1 API Release Notification

Blog Post created by WillB on Feb 27, 2015

A new release of Qualys WAS, Version 4.1, which includes an API update, is targeted for release in late April/early May depending on the platform. See platform release dates at the end of this post for more information. The updated APIs for WAS 4.1 enhance the ability to fully automate and integrate the Qualys WAS solution with other customer applications. WAS APIs enable customers to perform all the major functions within WAS, including creating web applications to scan, launching and scheduling scans, and running and retrieving reports. The APIs enable custom integrations with GRC tools, bug tracking systems and web application firewalls (WAFs), just to name a few.

 

This API notification provides an early preview into the coming API changes in Qualys WAS 4.1, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods.

 

Contents

This notification now describes all changes and additions to the WAS API based on features in WAS 4.1. It has been updated from the previously published notification that describes only the changes to XML and CSV output which could impact existing API implementations.

 

Below is a summary of the enhancements to the WAS API - this post also has an attached document with more details including example API calls for developers.

 

Full release notes will be available to customers on the day of the release.

 

 

Virtual Patch Support

WAS 4.1 lets you install virtual patches for selected vulnerabilities (detections) when your account has WAS and WAF enabled. Once installed we’ll automatically add firewall rules to block exploitation of the selected vulnerabilities. We’ve added new capabilities to the Finding API and Report API to help you manage virtual patches.

 

Finding API

  • Get Finding - now returns a patch reference element if a virtual patch is present
  • Search/Count Findings - new patch filter to identify findings with virtual patches

 

Report API

  • Create/Update Report - When creating or updating a report, you can choose to include/not include findings with virtual patches.

 

 

Proxy Support

WAS 4.1 lets you define a proxy using the user interface and then apply the proxy to web application settings and/or scan settings for internal appliance-based scans. You can reference the proxy ID for WAS service calls as shown below. Note that Proxy Support is a limited release feature - contact your technical account manager (TAM) if you would like to be included in this limited release.

 

Web App API

  • Create/Update Web Application - add a default proxy id (already defined in UI)

 

Scan API

  • Launch Scan - specify the proxy to use for the scan

 

Scan Schedule API

  • Create/update Schedule - specify the proxy to use for the scan

 

 

New Search Parameters

New search parameters are available for Search and Count requests in the Option Profile API.

 

Option Profile API

New Parameters

  • UsedByWebApps - Filter profiles used/not used by web applications
  • usedBySchedule - Filter profiles used/not used by scan schedules
  • owner.id - Filter profiles based on owner's user ID
  • owner.name - Filter profiles based on owner's full name (first and last name)
  • owner.username - Filter profiles based on owner's username (like acme_ab3)

 

 

Platform Release Dates

Qualys WAS 4.1 Release Notification - Available May 4th, 2015 on US Platform 1

Qualys WAS 4.1 Release Notification - Available April 28th, 2015 on US Platform 2


 

 

 

 

Original WAS 4.1 API Notification

Below is the original blog post published February 27, 2015 describing only the changes to XML and CSV output in the WAS API which could impact existing API implementations. All information below is included above - it is provided for reference.

 

A new release of Qualys WAS, Version 4.1, which includes an API update, is targeted for release in late March/early April 2015. The updated APIs for WAS 4.1 enhance the ability to fully automate and integrate the Qualys WAS solution with customers' existing applications. WAS APIs enable customers to perform all the major functions within WAS, including creating web applications to scan, launching and scheduling scans, and running and retrieving reports. The APIs enable custom integrations with GRC tools, bug tracking systems and web application firewalls (WAFs), just to name a few.

 

This API notification provides an early preview into the coming API changes in Qualys WAS 4.1, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods.  One API modification in this release may impact existing API implementations and requires a 30-day notification.  The API changes have been made to enable proxy support for internal WAS scanning.  Proxy support will be a limited release feature.

 

Full release notes will be available to customers on the day of the release.

 

Proxy Support

Note: A proxy is defined within the WAS user interface and can then be referenced by proxy ID in the web service calls as shown below.

 

 

Web App API

  • Schema: webapp.xsd
  • Create/Update Web Application
  • GET web application

 

Sample API Request to update the web application default proxy:

<ServiceRequest>
  <data>
    <WebApp>
      <proxy><id>355538</id></proxy>
    </WebApp>
  </data>
</ServiceRequest>

Scan API

  • Schema: scan.xsd / wasscan.xsd
  • Launch Scan

 

Sample API Request to launch a scan with a proxy set:

<ServiceRequest>
    <data>
        <WasScan>
            <name>New scan launched from API By Snehal</name>
            <type>DISCOVERY</type>
            <target>
                <webApp>
                    <id>353737</id>
                </webApp>
                <!-- <webAppAuthRecord>
                    <id>0</id>
                </webAppAuthRecord> -->
                <proxy>
                    <id>354736</id>
                </proxy>
            </target>
            <profile>
                <id>1072</id>
            </profile>
        </WasScan>
    </data>
</ServiceRequest>

Schedule API

  • Schema: schedule.xsd / wasscanschedule.xsd
  • Create/update Schedule
  • Get Schedule

 

Sample API Request to schedule a scan with a proxy set:

<ServiceRequest>
  <data>
    <WasScanSchedule>
      <name><![CDATA[scheduling Notification - from API- devtest1 ]]></name>
      <type>DISCOVERY</type>
      <active>true</active>
      <scheduling>
        <cancelAfterNHours>4</cancelAfterNHours>
        <startDate>2014-08-20T09:50:14Z</startDate>
        <timeZone>
          <code>US/Arizona</code>
          <offset>-07:00</offset>
        </timeZone>
        <occurrenceType>ONCE</occurrenceType>
      </scheduling>
      <notification>
        <active>true</active>
        <delay>
          <nb>555</nb>
          <scale>HOUR</scale>
        </delay>
        <message><![CDATA[This is from API...]]></message>
      </notification>
      <target>
        <webApp>
          <id>324538</id>
        </webApp>
        <scannerAppliance>
          <type>INTERNAL</type>
        </scannerAppliance>
        <proxy>
          <id>355538</id>
        </proxy>
      </target>
      <profile>
        <id>1963</id>
      </profile>
    </WasScanSchedule>
  </data>
</ServiceRequest>
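
An added example (not part of the original post and not Qualys code) for updating existing automation: it inserts the proxy reference where the three samples above place it, directly under WebApp but inside target for scans and schedules, and accepts only a numeric proxy ID. The function name, the sample payloads and their IDs are constructed for illustration, and appending the proxy as the last child is an assumption taken from the samples.

```python
import xml.etree.ElementTree as ET

# Parent of <proxy> per request object, as in the samples above: directly under
# <WebApp>, but inside <target> for <WasScan> and <WasScanSchedule>.
PROXY_PARENT = {"WebApp": None, "WasScan": "target", "WasScanSchedule": "target"}

# Constructed sample payloads (ids are made up), standing in for existing scripts.
SCAN_REQUEST = """<ServiceRequest><data><WasScan>
  <name>nightly discovery</name><type>DISCOVERY</type>
  <target><webApp><id>1001</id></webApp></target>
  <profile><id>42</id></profile>
</WasScan></data></ServiceRequest>"""
WEBAPP_REQUEST = "<ServiceRequest><data><WebApp/></data></ServiceRequest>"

def set_proxy(request_xml, proxy_id):
    """Return request_xml with exactly one <proxy><id>N</id></proxy> in place."""
    pid = str(proxy_id)
    # Accept only a plain positive decimal id so nothing else reaches the XML.
    if not (pid.isascii() and pid.isdigit()) or int(pid) == 0:
        raise ValueError("proxy id must be a positive integer")
    root = ET.fromstring(request_xml)
    data = root.find("data") if root.tag == "ServiceRequest" else None
    if data is None or len(data) != 1:
        raise ValueError("expected <ServiceRequest><data> with one object")
    obj = data[0]
    if obj.tag not in PROXY_PARENT:
        raise ValueError("no known proxy placement for <%s>" % obj.tag)
    child = PROXY_PARENT[obj.tag]
    parent = obj if child is None else obj.find(child)
    if parent is None:
        raise ValueError("<%s> has no <%s> element" % (obj.tag, child))
    for old in parent.findall("proxy"):   # replace, never duplicate
        parent.remove(old)
    ET.SubElement(ET.SubElement(parent, "proxy"), "id").text = str(int(pid))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(set_proxy(SCAN_REQUEST, 2002))
    print(set_proxy(WEBAPP_REQUEST, "3003"))
```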
















