Qualys is a commercial vulnerability and web application scanner. It can be used to proactively locate, identify, and assess vulnerabilities so that they can be prioritized and corrected before they are targeted and exploited by attackers. Stanford uses Qualys to scan all administrative networks on a regular basis for known discoverable vulnerabilities. These scans are performed periodically from hosts within the Stanford network.
Qualys can also be used to scan for vulnerabilities in web applications. The Qualys Web Application Scanner (WAS) focuses on web application vulnerabilities and uses the industry-standard Open Web Application Security Project (OWASP) Top 10 list to categorize the most critical risks faced by web apps. WAS finds these vulnerabilities, including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and URL redirection.
Qualys scans are performed over the network; you do not need to install any software on your systems to use the service. If you would like to run your own custom scans and generate your own custom reports, request a Qualys account. For network vulnerability scanning, be sure to include the IP address of your machine or the network that you manage. For web applications, please specify the URLs, e.g., your_server_name.stanford.edu. You must be listed as either the User or the Admin in NetDB for the respective addresses and/or servers.
If you already have an account, please log in to Qualys using the SAML SSO login page. Sign in using your SUNet ID.
Qualys is a service licensed to Stanford, and we pay for what we use. You are encouraged to use the service, but as part of our routine system hygiene we purge inactive accounts periodically.
- Visit the Qualys website for online training and support.
- Read the Minimum Security Standards FAQs on Vulnerability Management.