Auto Importing Qualys WAS Reports

This article describes how to configure the platform to import Web Application Reports from Qualys WAS. The details below describe how the platform can automatically retrieve reports from Qualys WAS.

Introduction

The Platform’s API support for Qualys WAS allows web application scan results to be retrieved based on Web Application Reports.

When Qualys WAS reports have been created in Qualys WAS, the platform can use the Qualys API to enumerate these reports and retrieve their underlying XML data.

Reports from Qualys WAS must be in XML format and be of type “Web Application Report”.

Configuring Auto Import in Platform

When editing a Project in the Platform, the Project’s Service Type must be set to “Managed Vulnerability Scanning” and the “Auto Import” feature must be enabled in the project’s settings. In doing so, an “Auto Importer” section appears where auto imports can be defined:

[Screenshot: image-20240821-145556.png]

WAS Reports in Qualys are identified by the Platform using their Report Name. This is necessary so that the Platform can periodically connect to the Qualys API, enumerate WAS Reports (of type Web Application Report) and retrieve the relevant report with a partially or fully matching name:

[Screenshot: image-20240821-145832.png]

In the Platform, an Auto Import rule must be defined where the “Scan Identifier” field contains a value that partially or fully matches the Report Name from Qualys WAS.

In the below example, note that the “Scan Identifier” field is set to the name of the report taken from Qualys WAS.

WARNING: If multiple reports exist in Qualys WAS, use a Report Name naming scheme that ensures only the intended Qualys WAS report is identified and retrieved by the Platform. If the “Scan Identifier” value in the Platform matches more than one Qualys WAS report, the platform cannot determine the correct results to import, and results from other web application scans may be imported by accident.

In the example below, the full Report Name taken from Qualys WAS has been used.

[Screenshot: image-20240821-150021.png]

When all necessary fields have been populated in the “Manage Project Scanner” window, click Submit to commit the auto import settings to the project.

Please ensure you then click “Save” in the project’s settings to commit the settings to the platform properly:

[Screenshot: image-20240821-150331.png]

Once saved, the platform will periodically query the Qualys VM API and identify new WAS reports that match the given criteria defined in the Project’s Auto Importer settings.
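The following Python is an added example (not the Platform's or Qualys' own code) that simulates the enumerate-and-match step described above, including the ambiguity case from the warning. The record fields and the type/format values WAS_WEBAPP_REPORT and XML are assumptions modelled on the Qualys WAS API, and the report list is constructed.

```python
"""Simulate the Platform's "enumerate WAS reports, match on Scan Identifier" step.

Assumptions (not taken from the page): report records carry id/name/type/format,
the Web Application Report type is "WAS_WEBAPP_REPORT" and the XML format is "XML".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WasReport:
    id: int
    name: str
    type: str    # assumed values, e.g. WAS_WEBAPP_REPORT or WAS_SCAN_REPORT
    format: str  # assumed values, e.g. XML or PDF


class AmbiguousScanIdentifier(Exception):
    """The Scan Identifier matched more than one eligible report."""


# Constructed sample of what an enumeration of WAS reports might return.
SAMPLE_REPORTS = [
    WasReport(101, "Monthly WebApp Report - Customer Portal", "WAS_WEBAPP_REPORT", "XML"),
    WasReport(102, "Monthly WebApp Report - Customer Portal", "WAS_WEBAPP_REPORT", "PDF"),
    WasReport(103, "Monthly WebApp Report - Partner API", "WAS_WEBAPP_REPORT", "XML"),
    WasReport(104, "Customer Portal scan report", "WAS_SCAN_REPORT", "XML"),
]


def eligible(report: WasReport) -> bool:
    """Only XML-format Web Application Reports can be imported."""
    return report.type == "WAS_WEBAPP_REPORT" and report.format == "XML"


def find_matches(reports, scan_identifier: str) -> list:
    """Eligible reports whose name partially or fully matches (case-insensitive)."""
    needle = scan_identifier.casefold()
    return [r for r in reports if eligible(r) and needle in r.name.casefold()]


def select_report(reports, scan_identifier: str) -> WasReport:
    """Return the single report to import, or fail loudly instead of guessing."""
    matches = find_matches(reports, scan_identifier)
    if not matches:
        raise LookupError(f"no eligible WAS report matches {scan_identifier!r}")
    if len(matches) > 1:
        names = ", ".join(f"{r.id}:{r.name!r}" for r in matches)
        raise AmbiguousScanIdentifier(f"{scan_identifier!r} matches {len(matches)} reports: {names}")
    return matches[0]
```

A Scan Identifier of "Monthly WebApp Report" is rejected as ambiguous here, while "Customer Portal" resolves to a single report because the PDF copy and the scan report are filtered out first.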

Auto Importing Multiple Web Applications from Qualys WAS

It is recommended that Qualys WAS Web Application Reports are used when the scan results from multiple web applications must be automatically imported into the Platform at once.

For example, assuming three web applications are scanned on a monthly basis in Qualys WAS, and the results from each monthly scan need to be imported into a single Project in the Platform, the most efficient way to achieve this is to generate a Web Application Report in Qualys WAS, and have the Platform automatically import this Web Application Report into the relevant Project.

Since the scope of a Qualys WAS Web Application Report can include one or more web applications, when imported into the Platform, the results displayed in each of the Project’s Phases will also include every web application as a separate asset as well as each application’s associated issues (vulnerabilities).

An example setup between Qualys WAS and the Platform could be as follows:

  1. In Qualys WAS, create each web application and apply a tag to each application. This tag can be used in the Web Application Report’s scope.

  2. In Qualys WAS, schedule the web applications to be scanned on the 1st of each month. When choosing which applications to include in the scan schedule, use the tag created in Step 1.

  3. In Qualys WAS, create and schedule a Web Application Report to run on the 2nd of each month. When configuring the scheduled report in Qualys WAS:

    a. Use a Schedule Report Name that can be uniquely identified.

    b. Ensure the scope of the report uses the tag defined in Step 1 above when the applications were added to Qualys WAS.

    c. Ensure the report type is set to Web Application Report.

  The schedule used for generating the Web Application Report must allow sufficient time for all in-scope web application scan tasks to complete. If a scheduled report is generated whilst a web application is still being scanned, the report will not include the latest vulnerabilities.

  4. In the Platform, configure a Project’s auto-import settings such that the “Scan Identifier” value matches the name of the scheduled report in Qualys WAS, as set in Step 3a above.

The steps above call out the key configuration points for automatically importing scan results into the Platform.
