Qualys Web Application Scanning (WAS) Connector Guide

How to set up and use the Qualys Web Application Scanning (WAS) connector in RiskSense.

Qualys Web Application Scanning (WAS) Connector Overview

Qualys Web Application Scanning (WAS) is a cloud-based web application security scanner that identifies vulnerabilities through automated crawling and testing of custom web applications. RiskSense offers an API-based connector that integrates Qualys WAS vulnerability information into the RiskSense platform for further prioritization and accessibility.

Qualys WAS Configuration

  • This process requires a Qualys account with access to the WAS module.
  • Add one or more applications to Qualys WAS, then create and save a Web Application Report for them.
  • See the Qualys WAS Data Export Guide for details on how to create and save a report.

The Qualys WAS Connector pulls only WAS_WEBAPP_REPORT files (saved Web Application Reports). WEB_APPLICATION_SCAN and WAS_SCAN_REPORT files are not retrieved by the connector; if that data is needed, upload those files manually.

Qualys WAS User Permissions

A Qualys user can be assigned one or more roles, each of which consolidates the permissions that grant access to features and functions. API Access is granted to a user when assigning or editing their role. Use a dedicated, least-privileged account for the connector: it only needs read access to the WAS module and its reports, plus the API permission, so do not reuse an administrator's credentials.

Locate Users in the navigation bar and either create a new user or edit an existing one. In the pop-up window, select a User Role, then select or deselect the API checkbox. Click Save.

Qualys WAS Connector - New User

For more information, please visit Qualys.Community.

Connector Configuration in RiskSense

Setting Up the Qualys WAS Connector

Navigate to the Automate > Integrations page.

Navigation - Automate - Integrations

Using the search bar in the upper-right corner of the Integrations page, type Qualys to find the connector.

Qualys WAS Connector - Search for Qualys

Locate the Qualys WAS card under Applications and click Configuration.

Qualys WAS Connector - Qualys WAS Configuration Button Location

In the new window under Connection, complete the required fields, as described below.

Qualys WAS Connector - Connection Window

  • Name: The connector’s name.
  • URL: The Qualys API server URL for your Qualys platform (for example, https://qualysapi.qg2.apps.qualys.com/). Note that this is the API server URL, not the URL of the Qualys web UI; it differs between Qualys platforms.
  • User Name: The user name of the account that has API access to Qualys WAS.
  • Password: The password associated with that user name.
  • Network: The RiskSense network name (ingested applications are associated with this network).
  • Qualys Was Report Title Prefix: (Optional) Only reports whose titles begin with this prefix are pulled. If no prefix is provided, the connector pulls all available Web Application Reports.

Click Test Credentials to verify that the credentials are correct and that the account is permitted to make API calls to the Qualys WAS instance.

Qualys WAS Connector - Test Credentials Button

If your Qualys subscription restricts API access to an IP allow list (whitelisting), contact RiskSense Support to obtain the RiskSense IP addresses that must be allowed.

Configure the schedule on which the connector retrieves results from the Qualys WAS instance and, optionally, turn on Enable auto URBA (Update Remediation by Assessment). You may also specify the oldest scan data to pull, choosing from 30 days, 60 days, 90 days, 6 months, or 1 year.

Qualys WAS Connector - Oldest Scan Pull

Click Save to create the connector.

Qualys WAS Connector - Save Connector
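Before relying on Test Credentials alone, it is useful to confirm from outside RiskSense that the API user can actually list WAS reports and that the chosen title prefix matches at least one of them; an empty match means the connector will pull nothing. The Python script below is an added example written for this guide, not RiskSense or Qualys code. It assumes the Qualys WAS API v3 report search endpoint /qps/rest/3.0/search/was/report, a ServiceRequest Criteria filter on the name field using the CONTAINS operator, and a ServiceResponse carrying a responseCode and Report elements; the embedded sample response is constructed, and the QUALYS_* environment variables are an assumed convention of this script.

```python
"""Preflight for the RiskSense Qualys WAS connector: can this API user list
WAS reports, and does the report title prefix match any of them?

Added example for this guide (not RiskSense or Qualys code). Assumptions:
the Qualys WAS API v3 search endpoint below, a Criteria filter on "name"
with operator CONTAINS, and a ServiceResponse with <responseCode> and
<data><Report> elements. The sample response is constructed.
"""
import base64
import os
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SEARCH_PATH = "/qps/rest/3.0/search/was/report"  # assumed WAS API v3 path

# Constructed sample response used for offline runs and tests.
SAMPLE_RESPONSE = b"""<ServiceResponse>
<responseCode>SUCCESS</responseCode><count>3</count>
<data>
<Report><id>1</id><name>RiskSense - Shop</name><type>WEB_APPLICATION</type><status>COMPLETE</status></Report>
<Report><id>2</id><name>RiskSense - Portal</name><type>WEB_APPLICATION</type><status>COMPLETE</status></Report>
<Report><id>3</id><name>Weekly RiskSense export</name><type>WEB_APPLICATION</type><status>COMPLETE</status></Report>
</data></ServiceResponse>"""


def build_report_search(prefix=""):
    """Build the ServiceRequest body. With an empty prefix no filter is sent,
    mirroring the connector, which pulls all reports when the field is blank."""
    root = ET.Element("ServiceRequest")
    if prefix:
        filters = ET.SubElement(root, "filters")
        crit = ET.SubElement(filters, "Criteria", field="name", operator="CONTAINS")
        crit.text = prefix
    return ET.tostring(root, encoding="utf-8")


def parse_report_search(body):
    """Return (responseCode, list of report dicts) from a ServiceResponse."""
    root = ET.fromstring(body)
    code = root.findtext("responseCode", default="")
    reports = [{"id": r.findtext("id"), "name": r.findtext("name"),
                "type": r.findtext("type"), "status": r.findtext("status")}
               for r in root.iter("Report")]
    return code, reports


def matching_reports(prefix, reports):
    """CONTAINS on the server is looser than the connector's prefix rule, so
    re-check client-side that each title actually starts with the prefix."""
    return [r for r in reports if r["name"] and r["name"].startswith(prefix)]


def urllib_sender(base_url, username, password):
    """Real transport: POST the XML with HTTP Basic auth. Qualys API calls
    must carry an X-Requested-With header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def send(xml_body):
        req = urllib.request.Request(
            base_url.rstrip("/") + SEARCH_PATH, data=xml_body, method="POST",
            headers={"Content-Type": "text/xml",
                     "X-Requested-With": "was-connector-preflight",
                     "Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.read()
    return send


def preflight(prefix, send):
    """Run the search through `send` (callable: request body -> response body)
    and report whether the connector would find anything to pull."""
    try:
        body = send(build_report_search(prefix))
    except urllib.error.HTTPError as e:  # 401/403 means bad creds or no API access
        return {"ok": False, "reason": f"HTTP {e.code}", "reports": []}
    code, reports = parse_report_search(body)
    if code != "SUCCESS":
        return {"ok": False, "reason": f"responseCode {code or 'missing'}", "reports": []}
    hits = matching_reports(prefix, reports)
    if not hits:
        return {"ok": False, "reason": "no report title starts with the prefix", "reports": []}
    return {"ok": True, "reason": "", "reports": hits}


if __name__ == "__main__":
    # Offline dry run against the constructed sample, then the live check
    # if credentials are provided via environment variables (assumed names).
    print(preflight("RiskSense - ", lambda _body: SAMPLE_RESPONSE))
    if "QUALYS_USER" in os.environ:
        url = os.environ.get("QUALYS_API_URL", "https://qualysapi.qg2.apps.qualys.com/")
        live = urllib_sender(url, os.environ["QUALYS_USER"], os.environ["QUALYS_PASS"])
        print(preflight(os.environ.get("QUALYS_PREFIX", ""), live))
```

Run it with QUALYS_USER, QUALYS_PASS and, if needed, QUALYS_API_URL and QUALYS_PREFIX set to the same values you enter in the connector form. An HTTP 401 or a non-SUCCESS responseCode points at the account or its API permission; a SUCCESS with no matching titles points at the prefix or at reports that were never saved.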

Once saved, the connector is visible on the Integrations page under Currently Configured Integrations.

Qualys WAS Connector - Currently Configured Qualys WAS

Each pull by the connector appears on the Settings > Uploads page. Once the scan file has been parsed, the Qualys WAS data is displayed on the Applications and Application Findings pages.

Qualys WAS Data Mapping in RiskSense

The Scanner Name associated with these scans is QUALYS, which can be used as a filter on both the Applications and Application Findings pages in RiskSense.

Applications Page

Application data extracted from the Qualys WAS scan file is shown on the Applications page as an asset, with the following fields:

  • Address
  • URLs
  • Vulnerability Counts by Severity
  • Last Scan Date
  • Operating System

Qualys WAS Connector - Applications Page

Application Findings Page

All finding data extracted from the Qualys WAS scan file is shown on the Application Findings page in RiskSense.

  • Findings marked as “Ignored” in Qualys WAS are not displayed in the Application Findings view
  • Request/Response is listed under Detailed Information
  • Additional Metadata Fields:
    • Source Status (Authentication Required, Authentication Not Required)
    • Vulnerability Type (Confirmed Vulnerability, Potential Vulnerability, Information Gathered)
    • Parameter Type
    • OWASP 2017, WASC, CWE

Qualys WAS Connector - Application Findings Page

Severity Mapping

The Qualys WAS scan file contains severity levels ranging from 1 to 5. Based on the type of plugin, RiskSense maps these levels to Severity on the CHMLI scale (Critical, High, Medium, Low, Info) as follows:

Qualys WAS Plugin Severity Mapping to RiskSense Severity using CHMLI Scale

Plugin Type                                 Qualys Severity   RiskSense Severity
Confirmed Vulnerability or Vulnerability    1                 Low
Confirmed Vulnerability or Vulnerability    2                 Medium
Confirmed Vulnerability or Vulnerability    3                 High
Confirmed Vulnerability or Vulnerability    4                 Critical
Confirmed Vulnerability or Vulnerability    5                 Critical
Potential Vulnerability                     1                 Low
Potential Vulnerability                     2                 Medium
Potential Vulnerability                     3                 High
Potential Vulnerability                     4                 Critical
Potential Vulnerability                     5                 Critical
Information Gathered                        1                 Low
Information Gathered                        2                 Low
Information Gathered                        3                 Low