Mike Shema, Director of Engineering at Qualys, offers insight into the latest release of QualysGuard WAS.
How will WAS 2.1 will enable users to successfully authenticate dynamic security testing during scans?
Since its beginning WAS has focused on automating the login process as much as possible in order to ease the burden of complex configurations or deep knowledge of a target on the part of the user.
Automation can't hit 100% percent of the login forms WAS encounters. Sometimes the login page uses weird HTML layout, like separate forms for the username, password, and submit button. Sometimes the login form doesn't match an expected heuristic, like merely asking for a single ID number in a text field to "authenticate" to the site. Other situations require the user to complete multiple steps before successfully logging in to the site.
Whatever the case may be, supporting Selenium means that if the authentication process can be recorded in the browser, then it can be replayed by the scanner. Selenium is an easy-to-use tool that already has wide adoption for QA testing. So, it's possible WAS could re-use Selenium login scripts already created for QA. Also, the choice of Selenium means that users can take a script created for WAS and re-use it in their own Selenium environments -- they're not beholden to a "WAS format" for training the scanner.
How will WAS 2.1 simplify complex authentication processes?
How will WAS 2.1 stand apart in the market?
WAS already automates a majority of login forms, and will further stand apart by integrating with a solution, Selenium, that is already in use by large enterprises for functional web app testing. This integration will enable users to address the problem of scalability when dealing with dozens, hundreds, or possibly thousands of web apps across an organization. By standardizing on Selenium, future versions of WAS will support the use of Selenium scripts for workflow testing, which will reduce overall testing efforts in an unparalleled way.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.