Qualys WAS-Cybersecurity Application Scanner Overview
The Cybersecurity Application Scanner makes application security testing simple and effective. Developed by the DoIT Web and Mobile Solutions (WaMS) team in collaboration with the Office of Cybersecurity, this easy-to-use tool streamlines web application vulnerability scanning. Powered by the Qualys WAS API, the scanner hides the complexity of traditional scan configuration, offering a simplified interface that reduces setup time and training requirements. With its intuitive design, the Cybersecurity Application Scanner enables teams to identify and address security issues quickly—without needing deep expertise in scan configuration.
About the Tool:
The Cybersecurity Application Scanner packages the two most common scan types (discovery and vulnerability) behind a simplified interface with a reliable, general-purpose configuration. To get started, log in with your campus NetID and open "Tutorials" under the Help section. Step-by-step instructions cover the following:
- Create an application - general profile information about the target application.
- Add a new environment - the URL, environment type (for example test or production), authentication type, and similar settings.
- Add a scan request - the scan type, scanner type, and scan date/time.
Types of Scans:
Discovery scans map the site. Sometimes called "crawling" or "spidering," the scan follows links within the site and builds an inventory of reachable pages, which can expose leftover test pages and back-door entry points that a developer needs to remove before the site goes live. You can also use the results to reduce clutter and improve site quality along with security. Discovery scans can detect some types of vulnerabilities (for example from response headers and exposed files) but do not run test attacks, so this type of scan is low-impact; it still generates crawl traffic against the target, so the guidelines below apply to it as well.
Vulnerability scans run tests dynamically and include many of the same tests that an ethical hacker might run by hand, including submitting attack payloads to forms and parameters. This can damage a vulnerable site or its data, so run it against a test environment whenever possible. Back up all data before scanning, including test data if it will be needed later. Users should read the rules of responsible scanning under the Terms of Use tab in the Cybersecurity Application Scanner dashboard.
The Cybersecurity Application Scanner is offered at https://www.appscanner.cybersecurity.wisc.edu/ and is available to University of Wisconsin-Madison employees and affiliates who have a valid NetID and a full-time appointment.
Basic guidelines to follow:
- Only scan assets that are under your authority and control.
- Scan in a test environment to avoid impact on production systems and data.
- Contact your website hosting provider and other stakeholders before you scan.
- Both CSOC and NOC are authorized to cancel a scan at any time.
- We strongly recommend taking a database backup before scanning.
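The tool hides what a scan request looks like when it reaches Qualys. The following added example (not part of the original page or the WaMS tool's code) shows the two scan types described above as a Qualys WAS API launch request, with pre-flight checks that encode the guidelines just listed: a target must be on an allow-list of assets you control, and a vulnerability scan must point at a test environment. Endpoint and element names follow the public Qualys WAS API v3 (POST /qps/rest/3.0/launch/was/wasscan); the hostname allow-list, the "test"/"production" environment labels, the web application and profile IDs and the sample response are constructed for illustration and are assumptions, not values from the page.

```python
"""Added example, not part of the original page or the WaMS tool: what the
two scan types look like as a Qualys WAS API launch request, with pre-flight
checks that encode the page's guidelines. Endpoint and element names follow
the public Qualys WAS API v3 (POST /qps/rest/3.0/launch/was/wasscan); the
allow-list, environment labels, web-app and profile IDs are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# The two scan types the Cybersecurity Application Scanner exposes.
SCAN_TYPES = {"DISCOVERY", "VULNERABILITY"}

# Constructed allow-list (assumption): hostnames the requester is authorized
# to scan, mapped to the Qualys web application ID registered for each.
AUTHORIZED_TARGETS = {
    "test.example.wisc.edu": 1001,
    "www.example.wisc.edu": 1002,
}
DEFAULT_PROFILE_ID = 42  # constructed option-profile ID (assumption)


@dataclass
class ScanRequest:
    url: str
    environment: str            # "test" or "production" (hypothetical labels)
    scan_type: str              # DISCOVERY or VULNERABILITY
    scanner: str = "EXTERNAL"   # Qualys scannerAppliance type


def check_request(req: ScanRequest) -> list[str]:
    """Return the guideline violations for a request; an empty list means go."""
    problems = []
    if req.scan_type not in SCAN_TYPES:
        problems.append(f"unknown scan type {req.scan_type!r}")
    host = urlparse(req.url).hostname
    if host not in AUTHORIZED_TARGETS:
        # Guideline: only scan assets under your authority and control.
        problems.append(f"{host!r} is not an authorized target")
    if req.scan_type == "VULNERABILITY" and req.environment != "test":
        # Guideline: vulnerability scans run test attacks; keep them off production.
        problems.append("vulnerability scans must target a test environment")
    return problems


def build_launch_request(req: ScanRequest) -> str:
    """Build the ServiceRequest body for POST /qps/rest/3.0/launch/was/wasscan."""
    problems = check_request(req)
    if problems:
        raise ValueError("; ".join(problems))
    host = urlparse(req.url).hostname
    root = ET.Element("ServiceRequest")
    scan = ET.SubElement(ET.SubElement(root, "data"), "WasScan")
    ET.SubElement(scan, "name").text = f"{req.scan_type.title()} scan of {host}"
    ET.SubElement(scan, "type").text = req.scan_type
    target = ET.SubElement(scan, "target")
    ET.SubElement(ET.SubElement(target, "webApp"), "id").text = str(AUTHORIZED_TARGETS[host])
    # Use the web app's default authentication record, if one is configured.
    auth = ET.SubElement(target, "webAppAuthRecord")
    ET.SubElement(auth, "isDefault").text = "true"
    ET.SubElement(ET.SubElement(target, "scannerAppliance"), "type").text = req.scanner
    ET.SubElement(ET.SubElement(scan, "profile"), "id").text = str(DEFAULT_PROFILE_ID)
    return ET.tostring(root, encoding="unicode")


def parse_launch_response(xml_text: str) -> tuple[str, int | None]:
    """Return (responseCode, scan id) from a Qualys ServiceResponse."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode") or "UNKNOWN"
    scan_id = root.findtext("data/WasScan/id")
    return code, int(scan_id) if scan_id else None


# Constructed sample response, shaped like a successful launch.
SAMPLE_RESPONSE = """<ServiceResponse>
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data><WasScan><id>98765</id></WasScan></data>
</ServiceResponse>"""


if __name__ == "__main__":
    req = ScanRequest("https://test.example.wisc.edu/app", "test", "DISCOVERY")
    print(build_launch_request(req))
    print(parse_launch_response(SAMPLE_RESPONSE))
    prod = ScanRequest("https://www.example.wisc.edu/", "production", "VULNERABILITY")
    print(check_request(prod))  # lists the guideline this request would break
```

The point of the checks is that a discovery scan of a production host passes (it only crawls), while a vulnerability scan of the same host is refused before any request is sent; a real submission would POST the returned XML to the Qualys platform with HTTP basic authentication, which is omitted here so the example runs offline.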
Questions? Email us at cybersecurity@cio.wisc.edu to learn more.