This article describes how to configure the platform to import Web Application Reports from Qualys WAS. The details below describe how the platform can automatically retrieve reports from Qualys WAS.
Introduction
The Platform’s API support for Qualys WAS allows web application scan results to be retrieved based on Web Application Reports.
...
Once saved, the platform will periodically query the Qualys VM API and identify new WAS reports that match the given criteria defined in the Project’s Auto Importer settings.
Auto Importing Multiple Web Applications from Qualys WAS
It is recommended that Qualys WAS Web Application Reports are used when the scan results from multiple web applications must be automatically imported into the Platform at once.
For example, assuming three web applications are scanned on a monthly basis in Qualys WAS, and the results from each monthly scan need to be imported into a single Project in the Platform, the most efficient way to achieve this is to generate a Web Application Report in Qualys WAS, and have the Platform automatically import this Web Application Report into the relevant Project.
Since the scope of a Qualys WAS Web Application Report can include one or more web applications, when imported into the Platform, the results displayed in each of the Project’s Phases will also include every web application as a separate asset as well as each application’s associated issues (vulnerabilities).
An example setup between Qualys WAS and the Platform could be as follows:
1. In Qualys WAS, create each web application and apply a tag to each application. This tag can be used in the Web Application Report's scope.
2. In Qualys WAS, schedule the web applications to be scanned on the 1st of each month. When choosing which applications to include in the scan schedule, use the tag created in Step 1.
3. In Qualys WAS, create and schedule a Web Application Report to run on the 2nd of each month. When configuring the scheduled report in Qualys WAS:
   a. Use a Schedule Report Name that can be uniquely identified.
   b. Ensure the scope of the report uses the tag defined in Step 1 above, when the applications were being added to Qualys WAS.
   c. Ensure the report type is set to Web Application Report.

   Note: The schedule used for generating the Web Application Report must allow sufficient time for all in-scope web application scan tasks to complete. Otherwise, if a scheduled report is generated whilst a web application is actively being scanned, the report will not include the latest vulnerabilities.
4. In the Platform, configure a Project's auto-import settings such that the "Scan Identifier" value matches the Schedule Report Name of the scheduled report in Qualys WAS, as applied above in Step 3a.
The steps above call out the key configuration points needed to automatically import scan results into the Platform.
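The setup above can silently produce stale imports in two ways: the "Scan Identifier" does not single out one report, or the report was generated before every in-scope scan had finished. The following check is an added example, not part of the Platform or of Qualys WAS. The record types, field names and sample data are constructed for illustration, and it assumes the Scan Identifier is compared to the report name exactly, which this article does not specify.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Hypothetical records; the field names are not the Qualys WAS API schema.
@dataclass
class Scan:                       # the most recent scan of one web application
    web_app: str
    tags: frozenset
    finished: Optional[datetime]  # None while the scan is still running

@dataclass
class Report:
    name: str
    report_type: str
    scope_tag: str
    generated: datetime

def check_import_readiness(scan_identifier, reports, scans):
    """Return the problems that would make the imported results ambiguous or stale."""
    problems = []
    # Assumption: the Scan Identifier must equal the report name exactly.
    matches = [r for r in reports if r.name == scan_identifier]
    if len(matches) != 1:
        return [f"{len(matches)} reports named {scan_identifier!r}; expected exactly 1"]
    report = matches[0]
    if report.report_type != "Web Application Report":
        problems.append(f"report type is {report.report_type!r}")
    in_scope = [s for s in scans if report.scope_tag in s.tags]
    if not in_scope:
        problems.append(f"no scans carry the scope tag {report.scope_tag!r}")
    for s in in_scope:
        # Failure mode from the Note: report generated while a scan was still active.
        if s.finished is None or s.finished > report.generated:
            problems.append(f"{s.web_app}: scan not complete when report was generated")
    return problems

# Constructed sample: three tagged applications scanned on the 1st, report on the 2nd.
TAG = "monthly-was"
SCANS = [
    Scan("app-a", frozenset({TAG}), datetime(2024, 5, 1, 9, 30)),
    Scan("app-b", frozenset({TAG}), datetime(2024, 5, 2, 4, 15)),  # overran the report
    Scan("app-c", frozenset({TAG}), None),                         # still running
]
REPORTS = [Report("ACME Monthly WAS Report", "Web Application Report", TAG,
                  datetime(2024, 5, 2, 2, 0))]

if __name__ == "__main__":
    for problem in check_import_readiness("ACME Monthly WAS Report", REPORTS, SCANS):
        print("WARN:", problem)
```

An empty result means the matched report covers completed scans for every tagged application; any warning is a reason to regenerate the report before relying on the imported Phase.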