Qualys Announces UI For VM Services, Upgrades Web Application Scanning Service

Qualys has announced a new user interface to streamline management of its QualysGuard suite of vulnerability management and compliance SaaS offerings. Qualys also announced general availability of version 2 of its Web Application Scanning Service (WAS) and a new release of its Consultant Edition.

August 2, 2011


The new UI will make it much easier to access and navigate the various QualysGuard services, says Amer Deeba, chief marketing officer. Users will see a common interface whether the source of the data is external or internal scans, or cloud-based assets. The aim is to streamline workflow and provide a unified look and feel across the services.

A key new feature is dynamic, context-based administration according to user role and asset identity. QualysGuard features the ability to assign tags to any user or asset, from devices to applications, providing highly granular and automated role-based access control. New assets can be assigned automatically according to policy. For example, if a new Microsoft IIS server is added, it would be assigned to the admin(s) responsible for IIS vulnerability management. Or, a new application could be assigned to the appropriate security and/or development personnel.

Qualys says the UI will facilitate migration to the new platform for QualysGuard IT Security and Compliance SaaS Suite, which was announced at RSA in February. The UI is available in beta and is expected to reach general availability before the end of the year.

Version 2 of WAS is designed to perform rapid and highly scalable (Deeba mentions one customer with some 50,000 apps) discovery and application vulnerability scanning across an enterprise. "WAS uses the power and scalability of the cloud to discover and scan applications in an automated way," Deeba says. "It’s an industrial-level tool."

WAS 2.0 uses the dynamic tagging common to the QualysGuard suite to provide information prioritizing remediation based on factors such as asset criticality, threat level and the type of vulnerability (cross-site scripting, SQL injection, and so on), as well as the capabilities and workflow required to fix the flaws or put mitigating controls in place. Among those controls is integration with Web application firewalls (Imperva and Qualys' own WAF so far).

The service provides data to a WAF in front of the application to enact rules that block attacks against known, unremediated vulnerabilities. WAS 2.0, the first service to be fully integrated with the new QualysGuard platform, has been in beta since April and is available now.

The Consultant Edition features a virtual scanner, vScanner, now available in beta, providing flexibility in where and how consultants provide their vulnerability management services. Consultant Edition provides highly customizable, dynamic reports that can be generated on the fly for clients.

vScanner is tightly integrated with exploit tools such as Metasploit and Core Security. It also allows consultants to create custom libraries of controls and build services around them. Consultant Edition integrates with leading governance, regulatory and compliance products, including RSA Archer, Modulo and Rsam.
