Qualys Launches PCI 3.0 With Web App Scanning
By Alan Harten
October 2, 2008
At the Gartner IT Security Summit in London yesterday, Qualys launched PCI 3.0, the new version of its highly successful QualysGuard.
This new variant has an integrated Web Application Scanning (WAS) module.
The previous versions are the most widely used on-demand scanning applications for PCI compliance implementation.
The new feature will probably prove especially helpful for those who need to meet requirement 6.6, which concerns maintaining secure web applications.
Under PCI Data Security Standards 1.2 it is mandatory that all public-facing web applications are subject to either:
1. reviews of applications via manual or automated vulnerability assessment tools or methods, or
2. installing an application-layer firewall in front of public-facing web applications.
This new tool is fully automated and is capable of evaluating web apps both before they are deployed and then on an ongoing basis once they are up and running.
The new system makes use of Software-as-a-Service (SaaS) delivery and scans for vulnerability problems within code.
The system can then isolate SQL injection attacks and identify cross-site scripting problems; the scanning can be either authenticated or unauthenticated.
The system makes use of a crawling algorithm that looks at patterns and behaviour to identify potential problems.
Users can also select the bandwidth level at which the scans occur; this will be useful in keeping down the effects of the scans on the apps themselves in terms of latency.
Users can also just crawl and catalogue links without security checking.
The company says that it has deployed the original solutions to 1500 users and that they currently scan over 500,000 hosts per quarter.
Sales will begin on the 13th of October and the price will be £795 including unlimited scans on up to three IP addresses.

