Qualys Web Application Scanning

Qualys Web Application Scanning (WAS) is an application security tool that assesses your web applications for vulnerabilities. You can bring application and security data from Qualys WAS into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Qualys WAS and how to obtain that information from Qualys. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Qualys Web Application Scanning from the Connector drop-down. You must provide the following information to authenticate Qualys WAS with Brinqa:

• API Server URL: The Qualys API Server URL. For information on how to determine your Qualys API URL, see Qualys documentation.

• Username and Password: The username and password associated with the Qualys user, which must have permissions to log in to the API server and return data.

Create a Qualys user

To ensure the user account that the Qualys WAS connector uses to access the Qualys server has the appropriate permissions, follow these steps.

1. Log in to your organization's Qualys server.

2. Navigate to Users, and then select the Users tab.

3. Click New and select User. The New User dialog displays.

4. Fill out the general information.

5. Click User Role on the left menu.

   • From the User Role drop-down, select Reader.

   • Select GUI and API to enable API access, and leave Business Unit Unassigned.

6. Click Asset Groups.

   • From the Add asset groups drop-down, select All.

7. Click Permissions and select all of the available permissions.

8. Click Options to modify the notification options as needed.

9. Click Save.

The new Qualys user with appropriate permissions to retrieve data displays on the Qualys Users page.

If you do not wish to create a new Qualys user, you can leverage an existing user with the appropriate permissions.

note

If you do not have permissions to create a new Qualys user, contact your Qualys administrator. For additional information, see Qualys documentation.

Additional settings

The Qualys WAS connector contains additional options for specific configuration:

• Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.

• Parallel requests: The maximum number of parallel API requests. The default setting is 2.

• Maximum retries: The maximum number of times that the integration attempts to connect to the Qualys WAS API before giving up and reporting a failure. The default setting is 5.

Types of data to retrieve

The Qualys WAS connector can retrieve the following types of data from Qualys:

Table 1: Data retrieved from Qualys WAS

Connector Object	Required	Maps to Data Model
Application	Yes	Application
Finding	Yes	Dynamic Code Finding
Vulnerability Definition	Yes	Dynamic Code Finding Definition

info

For detailed steps on how to view the data retrieved from Qualys WAS in the Brinqa Platform, see How to view your data.

Operation options

The Qualys WAS connector supports the following operation options. See connector operation options for information about how to apply them.

Table 2: Qualys WAS connector operation options

Connector Object	Option	All Possible Values	Description	Example
Application	updatedDate	Any date and time value in the UTC format.	You can use this option to return all applications that were last updated on the specified date.	Key: updatedDate Value: 2023-07-01. This key and value combination only retrieves applications that were last updated on July 1st, 2023.
Finding	lastDetectedDate	Any date and time value in the UTC format.	You can use this option to return all findings that were last detected in your web applications by the specified date.	Key: lastDetectedDate Value: 2023-07-01T00:00:00Z. This key and value combination only retrieves findings that were last detected on July 1st, 2023, at midnight UTC.
	severity	1, 2, 3, 4, 5	A comma-separated list of finding severities. You can use this option to return all findings with the specified severity as determined by Qualys.	Key: severity Value: 4,5. This key and value combination only retrieves findings of severity 4 and 5.
	status	ACTIVE, FIXED, NEW, REOPENED	A comma-separated list of finding statuses. You can use this option to return all findings with the specified status as determined by Qualys.	Key: status Value: ACTIVE,REOPENED. This key and value combination only retrieves active and reopended findings.
Vulnerability Definition	ids	Any Qualys WAS vulnerability ID.	A comma-separated list of vulnerability IDs. You can use this option to return all vulnerabilities with the specified ID.	Key: ids Value: 316693,105484. This key and value combination only retrieves vulnerabilities associated with IDs 105484 and 316693.

note

The option keys and values are case-sensitive as they are shown in this documentation.

APIs

The Qualsy WAS connector uses Qualys WAS API v3. Specifically, it uses the following endpoints:

Table 3: Qualys WAS API Endpoints

Connector Object	API Endpoint
Application	GET /qps/rest/3.0/get/was/webapp/{id}
	POST /qps/rest/3.0/search/was/webapp
Finding	POST /qps/rest/3.0/search/was/finding
Vulnerability Definition	GET /api/2.0/fo/knowledge_base/vuln/

Changelog

The Qualys WAS connector has undergone the following changes:

5.1.12

• The Vulnerability Definition connector object now maps to Dynamic Code Finding Definition.

5.1.11

• Updated dependencies.

5.1.5

• Added checks for null Common Vulnerability Scoring System (CVSS) vectors.

5.1.3

• Updated to trim trailing spaces from the CVE IDs present in certain vulnerability definitions.

5.0.18

• Added a SEVERITY_SCORE attribute in the Vulnerability Definition object.

5.0.14

• Added UID as identifier for all connector objects.

5.0.13

• Replaced the CATEGORY attribute with CATEGORIES in all connector objects.

5.0.4

• Replaced Finding Definition with the Vulnerability Definition object.

5.0.3

• Initial Integration+ release.