QualysWAS Connector

Qualys Web Application Scanning (WAS) is a cloud-based service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS), SQL injections, and more.

Application Security Module users can use the QualysWAS Connector to import web-application scan information into Cisco Vulnerability Management to assist in reducing risk across applications.

Platform support:

Currently, Cisco Vulnerability Management supports the following QualysWAS Regions:

  • Qualys cloud: US1, US2, US3, EU1, EU2, Qualys Canada, and Qualys India

Prerequisites

  • You must have API access.

  • You must manually log in to Qualys once to complete registration.

  • Cisco Vulnerability Management will "see" whatever the Qualys user account can access

Configuring Your Qualys Connector in Cisco Vulnerability Management

1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Dynamic Assessment section, click QualysWAS.QualysWAS-Connector-02.png

4. On the QualysWAS page, enter the following information:

lmj.png

  • Name: Enter a name for the connector, or leave it as QualysWAS.

  • Region: Select the POD/Region that your instance resides on.

  • Username and Password: Enter your username and password

  • Schedule: Select the frequency that you’d like your Connector to run. (Cisco recommends mirroring the cadence of your Connector.

  • Asset Inactivity Limit: Enter a time in days for the connector level asset inactivity limit. Cisco recommends 2-3 times the scan cadence of your connector scans.

5. Click Save and Verify.

What QualysWAS items are synced with Cisco Vulnerability Management items?

QualysWAS Field

Cisco Vulnerability Management Field

Notes

finding > webApp > name

Application identifier

Search for Application identifier in Cisco Vulnerability Management  by using the custom query box and typing application:""

finding > url

URL

 

source_asset_id

External ID

 

root > os

Operating System

 

N/A

Vulnerability Status

Vulnerability status is Open or Closed. We do not map False Positives or Triage States. Open vulnerabilities are reported in application scan reports. Closed vulns are excluded from the report, and Cisco Vulnerability Management autocloses those vulnerabilities.

Reference

Vulnerability Name

 

finding > severity

scanner_score

 1-5

qid

CWE

 

qid

WASC ID

As relevant. Some QIDs will bring WASC items.

Fix Hash > solution

Solution

 

Fix Hash > diagnosis

Description

 

firstDetectedDate

Found On

 

lastDetectedDate

Last Seen

 

Tag Node
'Source Asset-Application Name'

Tags**

These items are turned into Tags in Cisco Vulnerability Management.

 

Which QualysWAS Items Does Cisco Vulnerability Management Leave Out?

  • **Hierarchical tags on WAS are not automatically passed over via the API calls that Cisco Vulnerability Management makes to QualysWAS.
    • Unlike the QualysGuard connector where the additional 'Tags' endpoint was used to fetch hierarchical tags (normal asset tags come over from Hosts endpoint), QualysWAS does not auto-import Hierarchical Tags. 
    • If you want Hierarchical tags to be passed along, they will need to be manually applied to the applications themselves in QualysWAS. Cisco Vulnerability Management will then pick these up as normal Tags. 
  • Custom Fields 
    • Cisco Vulnerability Management does not import custom field information

 

What API Calls Are Involved?

The API endpoints that Cisco Vulnerability Management leverages are:

qps/rest/3.0/count/was/webapp

host:port/qps/rest/3.0/search/was/wasscan

host:port/qps/rest/3.0//download/was/wasscan/{scan_id}

 

Optional Settings

The following settings can be enabled on the backend for QualysWAS Connectors. To get these settings enabled or for more information, contact your Customer Experience (CX) team.

Exclude Non-Exploitable Vulnerabilities

When you enable this option, vulnerabilities that are not exploitable due to configuration will not be imported.

Exclude Informationals

When you enable this option, Cisco Vulnerability Management will only import vulnerabilities that include a CVE, CWE, or WASC ID.

Filter Potential Vulnerabilities

When you enable this option, Cisco Vulnerability Management will not import potential vulnerabilities.

Skip Tags 

This setting enables you to not create any Tags in Cisco Vulnerability Management  based on the scanner metadata.

Ignore Scanner Last Seen Time

Select this setting if you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

Tag Reset

This setting assists you with keeping your scanner metadata synchronized with Cisco Vulnerability Management. Each time the connector is run, all tags in Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.

If you have created any manual tags or any tags were created from metadata from other connectors, that tag information will be removed and will be refreshed once those other connectors are rerun.

Custom Ordered Locators

Locators (such as IP, Netbios, and FQDN) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information, see the help article here.

Common Reasons for QualysWAS Connector Failures:

  • Bad Credentials. If you enter the incorrect connector credentials during the connector setup, Cisco Vulnerability Management will not have access to the environment to make the API calls.
  • If no reports are found, Cisco Vulnerability Management will abort the Connector run, rather than fail it outright.
  • If an API call fails (no data available, or other reasons).
  • If Cisco Vulnerability Management receives data that is not in the expected format and cannot process it, the connector will fail.
  • If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management will auto-fail the Connector run.
  • Uncommon reason: if your QualysWAS License is a trial license, Cisco Vulnerability Management may run into API blocks and subsequently import 0 records. Cisco Vulnerability Management will contact the API, but will return zero records even if there is data present. To solve this you will need to have your deployment upgraded to a regular subscription to prevent data in the platform from being overwritten with 0-payload connector runs.

Additional Assistance

Contact Support if you require any additional assistance with the QualysWAS Connector.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.