1.
Will
Bechtel
Director
of
Product
Management
-­‐
WAS
Steve
McBride
Director
of
Product
Management
–
WAF
Qualys
Inc.,
April
2014
QualysGuard
Web
Applica@on
Security
Transforming
IT
Security
&
Compliance

2. DETECTION
PREVENTION
REMEDIATION
FORENSICS
WebAppScanning MalwareDetection
WebApplicationFirewall
Exploits
BURPSuiteSourceCode
Log Analysis
WEB APPS
Qualys
Strategy
for
Web
App
Security
• Detec@on
– WAS,
MDS
• Protec@on
– WAF
(GA
3/2014)
• Monitoring/Forensics
– Log
Analysis
(Beta
Q4/2014)
• Remedia@on
– Interac>ve
Tes>ng
Tools*
– Remedia>on
Workflow*
– SCA
Correla>on*
2
*Services in development

3. DETECT
ANALYZE
PROTECT
COMPLY
Discovery Catolog
VulnAppScanningMalwareDetection
WebAppFirewall PCI OWASP
WEB APPS
Benefits
of
QG
WAS
Approach
QualysGuard
plaHorm
delivers
integrated
soluJons
• Distributed
Scanning
– Cloud/Internal/Virtual
• Highly
Automated
– Integrated
Browser
• Accurate
– Low
False-­‐PosiJve
Rate
• Integrated
– Reuse
QA
Selenium
FuncJonal
TesJng
Scripts
3

4. Uses
the
Extensible
QG
Cloud
PlaHorm
4
Expanding
to
Real-­‐Time
Big
Data
and
CorrelaJon

5. QG
WAS
SoluJon
QG
WAS
does
for
Web
Apps
what
QG
VM
does
for
devices
5
Automated
and
conJnuous
cycle
Web
Applica@ons
MiJgate
Discover
and
Catalog
Remediate
and
Audit
RI
SK
IdenJfy
VulnerabiliJes

6. QG
WAS
Today
Best
PracJces
Scanning
SoluJon
• Collabora@on
– Involve
all
the
ApplicaJon
Stakeholders
• Ease
of
Use
– Dashboard/Wizards/Context
sensiJve
• Vulnerability
Metrics
– Tag
based
reporJng
– Configurable
Formats
6

7. QG
WAS
+
MDS
Integrated
Website
Malware
Monitoring
–
Completed!
• Malware
Protec@on
– Safeguard
your
website
users
and
brand
reputaJon
• 4
Detec@on
Techniques
– AnJvirus
–
for
documents
– HeurisJc
– ReputaJon
– Behavioral
• Addresses
– Zero
Day
Risk
7

8. QG
WAS
A_ack
Proxy
IntegraJon
–
Phase
1
–Completed!
• Store
and
manage
– Burp
scan
data
– Share
safely
• Act
on
Burp
scan
findings
– Associate
with
web
app
– Mark
as
risk
accepted,
etc
– Filter
based
on
a_ributes
8

9. QG
WAS
Sitemap
implementaJon
–
Completed!
• Visually
Navigate
Site
– Drill
in/Drill
Out
– Issue
counts
at
each
level
– Filter
• Ac@ons
– Create
new
web
app
– Black
list
– White
list
9

10. QG
WAS
DirecJons
in
2014
Full
Web
App
TesJng
SoluJon
• Addi@onal
Interac@ve
Tools
Support
(Burp/ZAP)
– Store
Manual
Findings
– Trend/Report
with
Automated
findings
– Complete
Web
App
TesJng
Picture
– Send
WAS
A_ack
Requests
to
a_ack
proxies
• Remedia@on
Workflow
• SCA
Correla@on
10

11. WAS
Roadmap
WAS 3.3
Q2 2014
• Bulk Update
• Update info across
multiple web apps
• Easy to make partitioned
or global changes
• Supports changing one or
many attributes
• Ignore sensitive content
findings
• Cancel scans in schedule
status
• Check report quotas
WAS 3.4
Q3 2014
• Multi Scan/Schedule
• Manages large scale scan
jobs
• Scan jobs batched by tags
• Groups scan data by job
WAS 3.5
Q4 2014
• Scheduled Reporting
• Send on scheduled basis
• Users sent link to report
• Report Templates
• Save report options as
report template.

12. QG WAS Customers:
• Deploy
virtual
patches
to
WAF
using
the
vulnerabiliJes
idenJfied
in
WAS
– WAS
already
supports
Imperva,
F5,
Citrix,
Beeware
• Combine
WAS
and
MDS
scanning
of
sites
• WAF
to
provide
WAS/MDS
with
site
resource
structure
to
ensure
complete
scanning
coverage
WAS
VM
QualysGuard
PlaHorm
SoluJons
Seamless
integraJon
with
other
Qualys
services
12
MDS
WAF
LM

13. How
OrganizaJons
Leverage
WAS
MicrosoY
• BUSINESS
CHALLENGE
– Assess
the
security
of
thousands
of
web
apps/
short
turn
around
@mes
– h_p://www.qualys.com/customers/success-­‐stories/reigning-­‐in-­‐global-­‐
web-­‐applicaJon-­‐security-­‐risk-­‐at-­‐microsoi/
• WHY
THEY
CHOSE
QUALYSGUARD
– Proven
more
accurate
than
other
web
applica@on
scanners
– Comprehensive
reports
-­‐
acJonable
informaJon
– A
highly
accurate,
extensive
database
of
up
to
date
security
checks
– Easiest
to
use
13

14. 14

15. Why
do
we
win?
• Strengths
– Scale
(We
can
easily
handle
about
10000
apps
in
a
subscrip@on)
– Most
are
seat
licensed
and
installed
in
the
enterprise
(High
TCO)
– Data
Correla@on,
single
dashboard
for
DAST
ac@vi@es
– Not
one
at
a
Jme
events,
correlaJon
done
by
default
– Cost,
per
app
pricing
beats
out
seat
licenses
for
most
compe@tors
– No
longer
have
to
make
the
choice
of
what
to
scan
– TAM,
we
don’t
sell
and
walk
away!
– Our
people
make
a
huge
difference.
We
make
the
customer
successful!
15
WAS Benefits
Integration with QualysGuard Platform
Reduced TCO
Scan Everything

16. Total
Cost
of
Ownership
(TCO)
• Understanding
the
components
for
AppSec
– People
– Keeping
it
simple,
$140,000
salary
+
benefits
– Able
to
complete
~40
ApplicaJon
Assessments
per
year
– Tools
– A_ack
Proxy
– Legacy
ApplicaJon
Scanner
with
maintenance
and
a
server
to
run
it
on
$10,000
• TCO
=
Total
Cost/Total
Produc@vity
– 150,000/40=
$3750
Per
ApplicaJon
16

17. Why
do
we
lose?
• Improvement
Opportuni@es
– Head
to
Head
comparisons
against
known
vulnerable
apps
– We
don’t
play
that
game.
Don’t
let
them.
– Difficult
to
manage
at
scale
– Bulk
Edits
and
Scans
are
coming
soon.
– Technologies
we
don’t
support
– Adobe
Flash,
Oracle
Java,
Silverlight
etc
…
(appx
3%
of
sites
on
the
Internet)
– OTHERS???
17

18. WAS
ASV
Growth
-­‐
Aggregate
18

19. WAS
Subscriber
Growth
-­‐
Aggregate
19

20. Summary
• Most
scalable,
automated
and
cost
effecJve
DAST
soluJon
on
the
market
today.
• QualysGuard
plaHorm
integrates
web
applicaJon
security
into
the
enterprise.
20

21. 21
Web
Applica@on
Firewall
GA
announced
at
RSA
2014
3/2014

22. Are
everywhere.
Web
ApplicaJons
HTTP
Powers
Your
Business
Do
everything.
HTTP

23. Why
worry
about
web
applicaJons?
“99%
of
all
applicaJons
tested
in
2012
have
one
or
more
serious
security
vulnerabiliJes.
And
with
a
median
number
of
vulnerabili@es
per
app
of
13,
it’s
no
wonder
that
applicaJon-­‐level
a_acks
are
a
focus
for
hackers.”
“Only
13%
complied
[with
the
OWASP
Top
10]
on
first
submission.”

24. We’re
vulnerable.
Now
what?
Suto,
Larry,
Analyzing
the
EffecJveness
of
Web
ApplicaJon
Firewalls,
Nov.
2011.
h_p://www.slideshare.net/lbsuto/analyzing-­‐
the-­‐effecJvess-­‐of-­‐web-­‐applicaJon-­‐firewalls
TEKSystems
Network
Services.
h_p://www.teksystems.com/resources/pressroom/2013/teksystems-­‐cyber-­‐security-­‐month.
“WAF
solu@ons
must
be
tuned
by
a
trained
professional.”
(Suto,
4)
“Only
15%
were
very
confident
they
have
security-­‐related
skill
sets…”
“Half
of
respondents
believe
the
lack
of
qualified
security
talent...”

25. what
if
I
had…
• Adap@ve,
responsive
security
that
updates
itself
• Near-­‐immediate
deployment
• Minimal
administra@ve
overhead
• No
security
exper@se
required
• Mul@ple
architectures

26. Qualys
Approach
Always
the
best
protec@on
Qualys
WAF
expert
security
ruleset
is
built
and
maintained
by
dedicated
security
researchers
based
upon
the
latest
intel
and
trends
across
the
Qualys
customer
base.
WAF
sensors
self-­‐
update
with
latest
soiware
and
rules.
Scalable
Deploy
as
many
WAF
sensors
as
you
need,
on
mulJple
datacenter
and
Cloud
plaHorms
Manage
your
protected
sites,
WAF
clusters,
and
security
events
from
a
single
UI
26

27. Integrated
in
QualysGuard
Automated
setup
from
WAS
QualysGuard
WAS
and
WAF
share
informaJon
about
web
sites
and
their
weaknesses,
speeding
deployment
of
personalized
security
policies.
Correlated
events
QualysGuard
WAS
and
VM
can
conJnuously
scan
your
sites
to
find
vulnerabiliJes
WAF
sensors
bring
visibility
to
live
threats
27

28. Single
SaaS
Administra@on
Point
Enforcement
Points
As
Needed
Qualys’
Distributed
SoluJon
28
WAF
WAF
WAF
WAF
QualysGuard
Cloud
PlaHorm
WAF
WAF

29. SoluJon
Architecture
29
WAF
WAF
WAF
WAF
“clean”
traffic

30. Reverse
Proxy
OperaJon
• Direct
traffic
to
WAF
– DNS
– Load
Balancer
ConfiguraJon
• WAF
sensor
inspects
all
traffic
and
forwards
to
origin
• Server
responses
are
inspected
upon
egress

31. Security
Ruleset
31
SQL
Injection
Cross Site
Scripting
Information
leakage
Command
Injection
Remote File
Inclusion
LDAP
Injection
SSI Injection
Xpath
Injection
Local File
Inclusion

32. Three-­‐Step
ConfiguraJon
Define
your
Site
Shared
site
profile
with
WAS
Associate
a
WAF
(cluster)
Associate
a
Security
Policy
32

33. Building
a
Security
Policy
Built
around
expert
rules
for
known
threats
User
adjusts
sensi@vity
according
to
their
business
context
and
tolerance
33

34. Defining
and
Deploying
a
WAF
Cluster
Give
it
a
name
Copy
your
“personaliza@on
code”
Paste
the
code
when
deploying
your
appliances
34

35. Available
for
mulJple
plaHorms
35
Amazon
EC2
-­‐
GA
VMware
vCenter
-­‐
Beta
Exchange
&
Sharepoint
Edi>on
(TBD)
MicrosoD
Hyper-­‐V
and
Azure
(H2
2014)
New
HW
Appliance
?

36. Pricing
• Priced
per
Applica@on
protected
– Includes
2
virtual
appliances
• Express
Lite
–
Starts
at
1,995
EUR
for
one
applicaJon
• Express
–
Starts
at
2,995
EUR
for
one
applicaJon
• Enterprise
– Starts
at
9,995
EUR
for
one
applicaJon

37. WAF
Roadmap
WAF 1.1 (Portal 2.4)
Q2 2014
• VMware image provisioning
• Support for non-standard
HTTP ports
• Workflow improvements (site
and policy components)
WAF 1.2 (Portal 2.5)
Q3 2014
• UI improvements
• Tab management on event
pages
• Improved dashboard
functionality
• Improved SSL certificate
support
• Improved appliance support
and support for additional
virtualization platforms
WAF 1.3 (Portal 2.6)
Q4 2014
• WAS Results influence WAF
security engine
• Support for customized
block pages
• Improved visibility into
appliance networking and
troubleshooting

38. Thank You
wbechtel@qualys.com
smcbride@qualys.com
fcatucci@qualys.com
ConJnuous
Security