
Qualys Web App Scanning Connector

Publisher: Qualys | 561 installs | Free

Detect Web Application Vulnerabilities using the Qualys Web Application Scanning (WAS) service

Working & Behaviour

The Azure DevOps extension integrates the Azure Pipelines CI/CD tool with the Qualys Web Application Scanning (WAS) module. It lets DevOps teams build application vulnerability scans into their existing Azure pipeline tasks. Integrating scans in this manner moves application security testing earlier in the SDLC so that security flaws are caught and eliminated sooner. The extension can be configured to fail or pass builds based on the vulnerabilities detected, and it generates a report for the scan inside the build. The current version of the extension supports only the cloud-based Azure DevOps setup.

Add "Scan Web Applications with Qualys WAS" task to pipeline

Install the Qualys Web App Scanning Connector extension into your Visual Studio Team Services account and search for the task in the available tasks. The task will also appear in the Utility section of the task list. Add it to your build/release pipeline.

Note: Qualys Web Application Scanning Connector for Azure DevOps supports only one Qualys WAS task in the Build pipeline and in the Release pipeline with one or more stages.

Task Configuration

Qualys Configuration using Service Connection

Create a new service connection to connect to the Qualys API server. You need to provide the API Server URL, API user, and password. If your Azure DevOps instance does not have direct Internet access and a proxy is required, click the "Use Proxy Settings" check box, and enter the required information.


Launch Scan API Parameters

These are the parameters that the Launch Scan API requires to launch the scan:

  • Scan Name: Text field for the name of the scan to launch.
  • WebApp ID: Dropdown box listing all the web application names fetched from the Qualys account.
  • Type: Dropdown box with the values "DISCOVERY" and "VULNERABILITY". The default value is "VULNERABILITY".


Optional Parameters

  • Authentication Record (Optional)
  • Option Profile (Either default or provide at configuration)
  • Cancel Options (Optional)


Build Failure Conditions

The build will fail when ANY of the selected conditions are met.

  • Count of Vulnerability for a Severity level - The number of vulnerabilities of a given severity level above which the build will fail. For example: fail if the count of Severity 1 vulnerabilities is more than 1.
  • QIDs - A comma-separated list of QIDs to be checked against the vulnerability scan result. It can be a simple comma-separated list of QIDs or include ranges of QIDs. For example: 179203,2331497,170560-170590
  • WAS could not scan the Web App - If this option is checked and the WAS module is not able to scan the web application, the build will fail.
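The following is an added example, not the extension's own code, showing how the three build failure conditions above can be evaluated against a scan result: expanding the comma-separated QID list with ranges, comparing per-severity counts against their thresholds, and handling the "could not scan" case. The Finding and FailureCriteria types, the sample findings and the PASS/FAIL row layout are constructed for the example; the real task reads findings from the WAS API output and the criteria from the task configuration.

```python
"""Build failure criteria evaluation in the style of the Qualys WAS task.

Added example (not the extension's own code): the Finding records and the
criteria below are constructed; the real task takes findings from the WAS
scan API result and the criteria from the task configuration.
"""
from dataclasses import dataclass, field

PASS, FAIL = "PASS", "FAIL"


@dataclass
class Finding:
    qid: int        # Qualys ID of the detection
    severity: int   # 1 (lowest) .. 5 (highest)


@dataclass
class FailureCriteria:
    # {severity: count above which the build fails}; empty means not configured
    severity_thresholds: dict = field(default_factory=dict)
    # comma-separated QIDs and QID ranges, e.g. "179203,2331497,170560-170590"
    qids: str = ""
    # fail the build when WAS could not scan the web application at all
    fail_if_not_scanned: bool = False


def parse_qid_spec(spec):
    """Expand "179203,2331497,170560-170590" into a set of integer QIDs.

    A malformed token raises ValueError so that a typo in the pipeline
    configuration cannot silently turn a QID check into a no-op.
    """
    qids = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(part) for part in token.split("-", 1))
            if lo > hi:
                raise ValueError(f"QID range out of order: {token}")
            qids.update(range(lo, hi + 1))
        else:
            qids.add(int(token))
    return qids


def evaluate(criteria, findings, scan_succeeded=True):
    """Return (build_passes, rows).

    rows mirrors the criteria evaluation table of the report: one
    (criterion, configured, result) tuple per criterion, so a criterion
    that was never configured still appears, with result PASS.
    """
    rows = []

    if criteria.severity_thresholds:
        for sev, limit in sorted(criteria.severity_thresholds.items()):
            count = sum(1 for f in findings if f.severity == sev)
            result = FAIL if count > limit else PASS
            rows.append((f"Severity {sev} count > {limit} (found {count})", True, result))
    else:
        rows.append(("Severity counts", False, PASS))

    if criteria.qids.strip():
        watched = parse_qid_spec(criteria.qids)
        hits = sorted({f.qid for f in findings} & watched)
        result = FAIL if hits else PASS
        rows.append((f"QIDs {criteria.qids} (matched {hits})", True, result))
    else:
        rows.append(("QIDs", False, PASS))

    if criteria.fail_if_not_scanned:
        rows.append(("WAS could not scan the web app", True, PASS if scan_succeeded else FAIL))
    else:
        rows.append(("WAS could not scan the web app", False, PASS))

    build_passes = all(result == PASS for _, _, result in rows)
    return build_passes, rows


# Constructed sample: two severity-1 findings and two QIDs on the watch list
SAMPLE_FINDINGS = [
    Finding(qid=179203, severity=3),
    Finding(qid=170575, severity=2),
    Finding(qid=150001, severity=1),
    Finding(qid=150002, severity=1),
]
SAMPLE_CRITERIA = FailureCriteria(
    severity_thresholds={1: 1},
    qids="179203,2331497,170560-170590",
    fail_if_not_scanned=True,
)

if __name__ == "__main__":
    passes, table = evaluate(SAMPLE_CRITERIA, SAMPLE_FINDINGS)
    for name, configured, result in table:
        print(f"{result:4}  configured={configured!s:5}  {name}")
    print("build passes:", passes)
```

With the sample data the severity criterion fails (two Severity 1 findings against a limit of 1) and the QID criterion fails (179203 is listed explicitly and 170575 falls inside the 170560-170590 range), so the build is marked as failed even though the scan itself succeeded. Rejecting malformed QID tokens instead of skipping them is deliberate: a silently ignored criterion would let a build pass that was configured to fail.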


Timeout Settings

These settings control the polling interval and the timeout period.

  • Polling interval - How often to check for the scan result, in minutes. It is the time to wait between subsequent API calls. This can be set as a number (in minutes) or as an expression such as 2*60 (= 2 hours). The default value is 5 minutes.
  • Timeout period - How long to wait for the scan result, in minutes. The Qualys task will end after the timeout period. This can be set as a number (in minutes) or as an expression such as 2*60 (= 2 hours). The default value is 60*24 minutes.
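As an added example, not the extension's own code, the block below implements the polling loop these two settings describe: it accepts the interval and timeout either as a plain number of minutes or as an expression such as 2*60, polls a status callback at the interval, and stops at the timeout. The expression parser only allows integer literals combined with + and *, so a value supplied through a pipeline variable can never reach eval(). The get_status callback, the status names "FINISHED", "ERROR" and "CANCELED", and the FakeClock used to drive the loop without waiting are assumptions of this example, not taken from the page.

```python
"""Polling interval and timeout handling in the style of the Qualys WAS task.

Added example (not the extension's own code). It assumes a get_status()
callable that returns the scan status string, and that "FINISHED", "ERROR"
and "CANCELED" are the terminal states; those names are assumptions here.
"""
import ast
import operator
import time

# Only integer literals combined with + and * are accepted, so a setting such
# as "2*60" works while arbitrary code in a pipeline variable never reaches eval().
_ALLOWED_OPS = {ast.Mult: operator.mul, ast.Add: operator.add}


def parse_minutes(expr):
    """Turn "5", "2*60" or "60*24" into a positive number of minutes."""
    tree = ast.parse(str(expr).strip(), mode="eval")

    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _ALLOWED_OPS:
            return _ALLOWED_OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported interval/timeout expression: {expr!r}")

    minutes = walk(tree.body)
    if minutes <= 0:
        raise ValueError("interval/timeout must be a positive number of minutes")
    return minutes


TERMINAL_STATES = {"FINISHED", "ERROR", "CANCELED"}  # assumed status names


def wait_for_scan(get_status, polling_interval, timeout_period,
                  clock=time.monotonic, sleep=time.sleep):
    """Poll get_status() until the scan reaches a terminal state or the
    timeout elapses. Returns ("done", status) or ("timeout", status).

    clock and sleep are injectable so the loop can be tested without waiting.
    """
    interval_s = parse_minutes(polling_interval) * 60
    deadline = clock() + parse_minutes(timeout_period) * 60
    while True:
        status = get_status()
        if status in TERMINAL_STATES:
            return "done", status
        remaining = deadline - clock()
        if remaining <= 0:
            return "timeout", status
        # never sleep past the deadline, so the timeout is honoured exactly
        sleep(min(interval_s, remaining))


class FakeClock:
    """Simulated clock: sleep() advances time instead of blocking."""

    def __init__(self):
        self.now = 0.0

    def read(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def run_scripted(statuses, polling_interval, timeout_period):
    """Drive wait_for_scan with a constructed status sequence; the last status
    repeats once the list is exhausted. Returns (outcome, status, elapsed_s)."""
    clock = FakeClock()
    queue = list(statuses)

    def get_status():
        return queue.pop(0) if len(queue) > 1 else queue[0]

    outcome, status = wait_for_scan(get_status, polling_interval, timeout_period,
                                    clock=clock.read, sleep=clock.sleep)
    return outcome, status, clock.now


if __name__ == "__main__":
    print(run_scripted(["SUBMITTED", "RUNNING", "FINISHED"], "2", "2*60"))
    print(run_scripted(["RUNNING"], "5", "10"))
```

The second call in the usage section shows the edge case worth checking: with a 5-minute interval and a 10-minute timeout the loop polls at 0, 5 and 10 minutes and then reports a timeout rather than sleeping past the deadline, and the same clamping applies when the timeout is shorter than a single interval.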


Report

The report rendered on the "Qualys WAS Scan Result" tab is produced from artifacts generated during the extension's execution. These artifacts include the complete API output for the web application, the results summary, and the pass/fail criteria summary, along with a vulnerabilities doughnut chart. The criteria evaluation table summarizes every build failure criterion, whether it was configured or not, together with its result as pass or fail.

The report will only be generated once the scan is finished regardless of the build failure conditions.


For the release workflow, the report is generated in the old view section of the Release.


Release Notes

  • v1.2.0 - To populate the web applications, option profiles and authentication records, 'POST' API calls were previously made, which required PCA (Project Collection Administrator) level Azure DevOps user permissions. The Qualys Web Application Scanning Connector for Azure DevOps now makes 'GET' API calls via the Service Connection, which does not require PCA (Project Collection Administrator) level user permissions.
  • v1.1.1 - Bug fix: report rendering issue when multiple steps are present in the release pipeline.
  • v1.1.0 - Added support for the release pipeline workflow; minor bug fixes.
  • v1.0.0 - First version of the extension.
