Available on the new QualysGuard backend and UI, WAS 2.1 is a fully automated and scalable solution for cataloging and scanning web applications on a global scale and also features integration with Selenium to automate and simplify authenticated scanning.
This new release of QualysGuard® WAS 2.1 will be available in production on December 31st, 2011 (note new release date). This release is completely transparent to users and will require no scheduled downtime The release will occur between 22:00 GMT and 04:00 AM GMT next day.
QualysGuard WAS 2.1 Features:
- Discover, Catalog, Organize and Scan: WAS 2.1 provides organizations with the ability to discover and catalog all the web applications in their environment. Many organizations have dynamic environments that make it difficult to obtain current information on the web applications that may be present within the environment. WAS 2.1 can help organizations inventory the applications and ensure that undocumented applications are included within the application security scanning program. Subscribers can use the catalog to organize and prioritize the web applications identified to ensure those with the highest risk are scanned for vulnerabilities.
- New Web 2.0 UI: WAS 2.1 introduces a new easy-to-use interface that includes step by step wizards, contextual quick action menus and configurable help tips to give you hints when you need assistance.
- Dashboard: The dashboard gives users a comprehensive view of scans, results and reports. The most recent information about completed scans, reports and identified vulnerabilities are all available. Users can initiate actions directly from the dashboard to reschedule scans, review their web application catalog, view the most vulnerable web applications or review recent reports. The information presented only includes information for the web applications the user has been given access to.
- Interactive Reporting: Interactive reporting supports powerful analysis and secure distribution of scan results. Web application, scan and scorecard reports can be created, saved and scheduled to run on a recurring basis. The encrypted PDF support ensures secure and compatible distribution to stakeholders. Interactive reports allow users to drill down to view only the information they need. WAS 2.1 includes the ability to restrict users to view only reports for specific web applications. This enables organizations to give application owners and developers appropriate access to WAS which they can then use to view, filter and sort the scan results as needed.
- User Roles and Scopes: The new version supports the creation of user defined roles and scopes. Each organization can create the roles they need to support their user base, and assign appropriate permissions to each role. Tags are used to scope what each user can view, and the roles and permissions dictate what actions they can take on the information they can view. This can be used to include all the application security stakeholders by creating tags with limited scope and assigning the tags to users.
- Tagging: Tagging has been introduced in WAS 2.1. Tagging is a flexible way to categorize objects with in WAS. The categorization can be used to limit the data a user can view or to segment data for reporting. A user can be assigned a tag for a business unit and then only the web applications that share that tag will be visible to the user. This allows organizations to tightly control what data each user can view. Web applications can also be assigned a specific tags such as 'high risk', 'medium risk' or 'low risk' which can then be used to support drill-down using the interactive Scorecard report.
- Action Log: The new version includes Action Log support which allows organizations to audit activity within the application. The Action Log can be easily filtered so that managers can quickly drill in on the activities they need to review. Contextual log views are available for web applications and other critical objects in the system.
Selenium Authentication Support: WAS 2.1 adds support for Selenium scripts, which expands the ability of WAS to perform authenticated web application scans and identify vulnerabilities. The Selenium plugin (http://seleniumhq.org/projects/ide/) enables a user to record his browser actions and save them as a script that can then be replayed at a later time. Through its use of Selenium, WAS 2.1 can effectively scan web applications that require complex authentication with multi-step login processes.
Client Certificate Support: WAS 2.1 expands its reach with support for client SSL certificates that are required by many high risk web applications. Many web applications in the financial and government sectors utilize client SSL certificates for two-factor authentication (TFA). This update will provide users with the ability to upload client SSL certificate files which will then be used by WAS to perform authenticated scanning, expanding the scanning coverage and increasing the number of web application vulnerabilities identified.
Switch from WAS 1.0 to WAS 2.1:
For customers that are already using WAS 1.0 there is a update feature that will initialize all the account information and migrate scan data to the new WAS 2.0 platform. Users with the manager role will be able to choose data migration options that allow them to copy their existing web applications and related data to the new environment or to start in the new 2.0 environment without moving the legacy version 1.0 data. A document outlining the version update can be found at https://community.qualys.com/docs/DOC-2952
To receive more information on QualysGuard WAS 2.1, please visit the Qualys WAS community or contact your Technical Account Manager.