Qualys Community Edition is a free version of the Qualys Cloud Platform designed for the security community.
- Discover IT assets.
- Manage vulnerabilities.
- Scan web apps.
- Inventory cloud assets.
Qualys Community Edition Getting Started Guide: https://www.qualys.com/docs/qualys-community-edition-user-guide.pdf
Features
Qualys Community Edition gives you these capabilities at no cost:
- Monitor up to 16 assets with Qualys Cloud Agent.
- Scan up to 16 internal and 3 external IPs with Vulnerability Management.
- Scan 1 URL with Web Application Scanning.
- Deploy a Virtual Scanner Appliance within your internal network.
- Gain visibility within your cloud environments.
- Generate reports and assess results quickly and easily.
Your scan data within the platform will be retained for 90 days. Be sure to download and save reports for your records as you continue to use the Qualys Community Edition. Accounts that are inactive for 6 months are automatically purged for security.
- https://github.com/google/tsunami-security-scanner
- https://github.com/google/tsunami-security-scanner/blob/master/docs/index.md
- https://github.com/google/tsunami-security-scanner-plugins
Registration
Quick Start
Operations
Vulnerability Scan
This is where it gets interesting. Select up to 16 internal or external IP addresses to scan; this selection is the basis for an on-demand scan or for future scheduled scans. There are many options to choose from, but the defaults are often fine. To scan the internal network, select the virtual appliance you downloaded earlier. I also recommend performing some external scans with the external (Qualys) scanner, targeting your external IP address, to see what is vulnerable from the outside. The internal scan took about 35 minutes on my network, but the duration probably depends on the number of open ports.
Web Application scanning
The Qualys Community Edition package also includes Web Application Scanning, although the CE is limited to a single web application. There are many settings for tailoring the scan to your needs; even complex Selenium scripts can be included in the scans. Unfortunately, unlike vulnerability scans, web application scans cannot be scheduled.
Cloud agents
A different way to scan the infrastructure is to use cloud agents: small programs installed on the computers in the network. Agents are available for Linux, Windows, IBM AIX, and OS X. From inside the host they can detect things that are hard to detect from the outside, such as software that needs updating.
Results
By default, both the vulnerability scan and the web application scan may report a lot of vulnerabilities, and this is where things get more complicated: what are false positives, what can be ignored, and what should be fixed immediately? All vulnerabilities are ranked by threat level, and Qualys does an excellent job of providing additional information about each finding. On the other hand, the discovery scan only sees devices that respond to ICMP (ping) messages, so rogue devices can still hide in your network undetected. The cloud agents work really well: the day after Adobe reported a vulnerability I could see which of my systems contained the problem. Scanning from the outside proved useful too, and showed that some application had used UPnP to unintentionally forward a port on my router.
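As an added example (not from the original page or from Qualys), here is a small check for the ICMP-only discovery caveat: it parses a constructed `ip neigh show` listing from a Linux host on the LAN and flags neighbours that resolved at layer 2 but do not appear in the discovery scan's host list. The addresses, MACs and the discovered-host list are constructed sample data.

```python
import ipaddress
import re

# Constructed sample of `ip neigh show` output from a Linux host (not real data).
NEIGH_SAMPLE = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:14 STALE
192.168.1.37 dev eth0 lladdr aa:bb:cc:00:00:25 REACHABLE
192.168.1.99 dev eth0  FAILED
fe80::1 dev eth0 lladdr aa:bb:cc:00:00:01 router REACHABLE
"""

# Constructed list of hosts that the ICMP-based discovery scan reported.
DISCOVERED_SAMPLE = ["192.168.1.1", "192.168.1.20"]

# One neighbour entry: <ip> dev <if> [lladdr <mac>] [flags] <STATE>
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]+))?.*?(?P<state>[A-Z]+)$"
)


def parse_neigh(text):
    """Return {ip: mac} for IPv4 neighbours that resolved to a link-layer address."""
    hosts = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m or m.group("mac") is None:
            continue  # FAILED/INCOMPLETE entries carry no MAC; nothing answered there
        ip = ipaddress.ip_address(m.group("ip"))
        if ip.version == 4:  # the scan target list on this page is IPv4 only
            hosts[str(ip)] = m.group("mac")
    return hosts


def undiscovered_hosts(neigh_text, discovered):
    """Hosts seen at layer 2 but absent from the discovery scan's results."""
    known = set(discovered)
    return {ip: mac for ip, mac in parse_neigh(neigh_text).items() if ip not in known}


if __name__ == "__main__":
    for ip, mac in sorted(undiscovered_hosts(NEIGH_SAMPLE, DISCOVERED_SAMPLE).items()):
        print(f"{ip} ({mac}) is on the LAN but missing from discovery results")
```

Hosts it reports are candidates for the scan target list (or for a closer look if nobody recognises them); a device that never talks to the host running the check will still be missed, so collect the neighbour table from the router or a switch where possible.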
Videos