On-Demand Web Application Security Scanning with Qualys WAS API — Including Examples

Presented by: Mike Tessmer, Tomomi Imamura & Eric Simons

This presentation demonstrates the easy-to-use web application vulnerability scanner custom developed by the DoIT Web and Mobile Solutions (WaMS) team in collaboration with the Office of Cybersecurity. In 2018, the WaMS technical lead began using Qualys Web Application Scanning (WAS) and recognized a knowledge transfer scalability limitation. It took too long to learn to use the interface and configure scans. The DoIT WaMS team and the Office of Cybersecurity jointly wrote a proposal to acquire funding for the custom development of a tool that would use the Qualys API, but significantly reduce the complexity of scan configuration. The tool would make the application scanning process easy to learn and replicate for all campus partners. Today we are proud to present the Cybersecurity Appscanner.

Join Tomomi Imamura (Office of Cybersecurity), Eric Simons (WaMS), and Mike Tessmer (WaMS) as they walk through lessons learned, examples on how to use the app (YES! You can start using this tool to scan your web applications today!), and vulnerability results (with common fixes). We’ll have an example target application with known vulnerabilities that we will fix live. If time allows, a Q/A session will follow the demonstration.

We will be using a site that has known vulnerabilities, and we will also show how to read a security report from Qualys and how to fix common issues found in a vulnerable web application. At the end of the day, we are showing off a new tool that attendees will be able to use after the presentation, increasing the security of web applications across campus.

Q&A Information: http://uwitproconf.slack.com – #2020-qa-webapp-qualys