Cloud Perimeter ScansUser Guide

November 5, 2019

Verity Confidential

Copyright 2018 by Qualys, Inc. All Rights Reserved.

Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners.

Qualys, Inc.919 E Hillsdale Blvd4th FloorFoster City, CA 944041 (650) 801 6100

3

Contents

About this Guide .............................................................................................. 4About Qualys ........................................................................................................................... 4Qualys Support ........................................................................................................................ 4

Get Started ........................................................................................................ 5What you’ll need ..................................................................................................................... 5EC2 Scan Checklist .................................................................................................................. 5Configure Your New Cloud Perimeter Scan ......................................................................... 6View Scan Results.................................................................................................................. 10Run Scan Reports .................................................................................................................. 11

Qualys API support......................................................................................... 12Create/Update Cloud Perimeter Scan ................................................................................ 12Schedule Scan List ................................................................................................................ 17Scan Results (fetch from API) .............................................................................................. 20Scan Results (download from UI) ....................................................................................... 22

Appendix.......................................................................................................... 23AWS Penetration Testing Request Form............................................................................. 23

4

About this GuideAbout Qualys

About this GuideThank you for your interest in the Qualys Cloud Platform! This guide tells you how to configure and launch cloud perimeter scans using the UI and API.

About QualysQualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.

Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance (CSA). For more information, please visit www.qualys.com

Qualys SupportQualys is committed to providing you with the most thorough support. Through online documentation, telephone help, and direct email support, Qualys ensures that your questions will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access support information at www.qualys.com/support/

Get StartedWhat you’ll need

Get Started

What you’ll needSubmit a penetration testing form

Fill out and submit a penetration testing request form for perimeter scanning. Learn more

Cloud Perimeter Scanning must be enabled

You’ll need to have these features enabled to run perimeter scans on your cloud environment: 1) Cloud Perimeter Scanning, 2) EC2 Scanning and 3) Scan by Hostname.

Please contact your Technical Account Manager or Qualys Support to have features enabled. (Not available to Express Lite.)

Manager or Unit Manager privileges

Your account must have a Manager or Unit Manager role.

EC2 connector is requiredIf this is your first EC2 scan then we recommend you start by creating an EC2 connector. You’ll do this within the AssetView application. A wizard will walk you through the steps.

EC2 Scan ChecklistWe recommend a few steps before scanning.

Check EC2 Assets are activatedCheck that your EC2 hosts are activated and have the EC2 tracking method. You can see this in VM on the Host Assets tab and also in AssetView on the Assets tab.

Want to learn more about setting up connectors? Check out Securing Amazon Web Services with Qualys.

5

Get StartedConfigure Your New Cloud Perimeter Scan

Configure Your New Cloud Perimeter ScanGood to Know

- Cloud perimeter scans use Qualys External Scanners (Internet Remote Scanners), located at the Qualys Cloud Platform. For accounts on Private Cloud Platforms, your account may be configured to allow internal scanners to be used.

- These are DNS or IP -based scans launched using the public DNS or Public IP of the target EC2 instances. If both public DNS and public IP address exist for your EC2 assets, then we will launch a scan on public DNS.

- All cloud perimeter scans are scheduled - either for “now” (essentially a one-time scan) or “recurring”. Once saved, you’ll see the scan job on the Schedules list. When the scan starts it will appear on your Scans list.

Get StartedGo to Scans > Scans > New > Cloud Perimeter Scan (also on the Schedules tab).

Select the EC2 connector you’ve configured.

6

Get StartedConfigure Your New Cloud Perimeter Scan

Give your scan a title and select an option profile. Note that cloud perimeter scans typically do not use authentication.

Now it’s time to pick your target hosts. Selecting target hosts is an optional step.  If you do not specify the platform, region code, vpc id or asset tags, we will create the new cloud perimeter scan job using only the connector.

1) Choose a platform option: EC2 Classic, EC2 VPC (All VPCs in region) or EC2 VPC (Selected VPC). Based on your selection you’ll select region(s).

2) Select asset tags - these are assets activated for your connector.

3) Enter the DNS names for your load balancers to include them in the scan.

Note that if no assets are resolved from the connector and for the optional "platform" and "asset tags" selections, the scan is launched on the load balancer DNS names. If no load balancer DNS names are specified, then the scan will fail and get terminated.

7

Get StartedConfigure Your New Cloud Perimeter Scan

By default cloud perimeter scans use Qualys External Scanners.

For Private Cloud Platforms - Your account may be configured to allow scanner appliances to be used. In this case, choose one or more scanner appliances from the list (use the Build my list option).

Tell us when you want the scan to run - Now or Recurring.

Note that when you choose Now your scan may not start immediately. We’ll check for new scan requests every few minutes. If a scanner is available and you haven’t reached your concurrent scan limit then we’ll launch the scan. If scanners are not available or you have reached your limit then the scan will be launched at the next opportunity.

When you choose Recurring you’ll also set scheduling and notification options. These are the same settings as other scan schedules so they should look familiar.

8

Get StartedConfigure Your New Cloud Perimeter Scan

We’ll identify the assets to scan based on your settings.

You’ll see these asset counts:

Assets Identified / Synced - The number of assets discovered by the connector.

Assets Qualified for scan - The number of assets discovered by the connector that also match the selected platform, region, asset tags. We’ll take out the Terminated instances.

Assets Submitted to scan - The number of assets that we’ll submit in the scan job. We start with the qualified assets (previous count) and filter out assets that are not activated for VM (for vulnerability scan) or not activated for PC (for compliance scan).

When you’re ready, click Submit Scan Job.

What happens nextYour new scan will appear on the Schedules list (even if you started it from the Scans tab).

When your scan starts it will appear on the Scans list. Like with other scans you can take actions like cancel or pause the scan, view the scan status and download the results.

Want to run the scan again? Choose New Scan Job from the Quick Actions menu. We’ll retain certain scan settings from the original scan job and schedule the scan to run Now.

9

Get StartedView Scan Results

View Scan ResultsChoose View from the Quick Actions menu for any finished scan in your list to see the scan results. You’ll notice the scan type is “Cloud Perimeter - AWS EC2”, you’ll see that Qualys External Scanners were used for the scan, and you’ll see the target DNS names for the assets submitted in the scan job.

The Detailed Results and Appendix sections of your scan results show the public DNS name for each scanned asset since cloud perimeter scans are DNS-based.

10

Get StartedRun Scan Reports

Run Scan ReportsIn your scan report template select the EC2 Related Information option on the Display tab. This lets you see EC2 details for each asset in your report, including the public DNS name.

Check out this sample report with EC2 related information.

11

Qualys API supportCreate/Update Cloud Perimeter Scan

Qualys API supportWe added a new API to create and update cloud perimeter scan jobs, plus additional updates to support cloud perimeter scans.

API Updates: Create/Update Cloud Perimeter Scan | Schedule Scan List | Scan Results (fetch from API) | Scan Results (download from UI)

Create/Update Cloud Perimeter Scan

Good to Know - Cloud perimeter scans are available for VM and PC modules - Only Managers and Unit Managers have permission to configure cloud perimeter scans

Input Parameters

The input parameters for cloud perimeter scan jobs are below.

API affected /api/2.0/fo/scan/cloud/perimeter/job/

New or Updated API New

DTD or XSD changes No

Parameter Description

action={create|update} (Required) Specify "create" to configure a new cloud perimeter scan job. Specify "update" to make changes to an existing scan job.

id={value} (Required and only applicable for Update request) The ID of the scan schedule you want to update.

module={vm|pc} (Required for Create request) Specify "vm" for a vulnerability scan and "pc" for a compliance scan.

cloud_provider=aws (Optional) The default value is "aws".

cloud_service=ec2 (Optional) The default value is "ec2".

connector_name={value} (Optional) The name of the connector to be used.

One of these parameters must be specified in the request: conector_name or connector_uuid. These are mutually exclusive and cannot be specified in the same request.

connector_uuid={value} (Optional) The ID of the connector to be used.

One of these parameters must be specified in the request: conector_name or connector_uuid. These are mutually exclusive and cannot be specified in the same request.

scan_title={value} (Optional) The scan title. When not specified the default scan title is "AWS EC2 Perimeter Scan <date>"

active={0|1} (Required for Create request) Specify "1" to create an active schedule. Specify "0" to create an inactive schedule.

12

Qualys API supportCreate/Update Cloud Perimeter Scan

option_title={value} (Optional) The title of the option profile to be used.

One of these parameters must be specified in the request: option_title or option_id. These are mutually exclusive and cannot be specified in the same request.

option_id={value} (Optional) The ID of the option profile to be used.

One of these parameters must be specified in a request: option_title or option_id. These are mutually exclusive and cannot be specified in the same request.

priority={value} (Optional) Specify a value of 0 - 9 to set a processing priority level for the scan. When not specified, a value of 0 (no priority) is used. Valid values are:0 = No Priority (the default)1 = Emergency2 = Ultimate3 = Critical4 = Major5 = High6 = Standard7 = Medium8 = Minor9 = Low

iscanner_id={value} (Optional, only valid when your account is configured to allow internal scanners) The IDs of the scanner appliances to be used. Specify "0" for external scanners. Multiple entries are comma separated.

These parameters cannot be specified in the same request: iscanner_id and iscanner_name.

iscanner_name={value} (Optional, only valid when your account is configured to allow internal scanners) The friendly names of the scanner appliances to be used or "External" for external scanners. Multiple entries are comma separated.

These parameters cannot be specified in the same request: iscanner_id and iscanner_name.

platform_type={value} (Required for Create request) The platform type. Valid values are: classic, vpc_peered or selected_vpc.

region_code={value} (Optional) The EC2 region code. Valid values are:ap-northeast-1, ap-southeast-1, ap-southeast-2, eu-west-1, sa-east-1, us-east-1, us-west-1 and us-west-2.

One of these parameters must be specified in the request: region_code or vpc_id. These are mutually exclusive and cannot be specified in the same request.

Parameter Description

13

Qualys API supportCreate/Update Cloud Perimeter Scan

Scheduling Parameters

When schedule=recurring is specified in your request you’ll need to provide scheduling parameters. These parameters are the same as other scan schedules. You can get complete information in Chapter 3 of the API V2 User Guide.

vpc_id={value} (Optional) The ID of the Virtual Private Cloud (VPC) zone. The ID value must start with vpc%

One of these parameters must be specified in the request: region_code or vpc_id. These are mutually exclusive and cannot be specified in the same request.

tag_include_selector={all|any}

(Optional) Select “any” (the default) to include hosts that match at least one of the selected tags. Select “all” to include hosts that match all of the selected tags.

tag_exclude_selector={all|any}

(Optional) Select “any” (the default) to exclude hosts that match at least one of the selected tags. Select “all” to exclude hosts that match all of the selected tags.

tag_set_by={id|name} (Optional) Specify “id” (the default) to select a tag set by providing tag IDs. Specify “name” to select a tag set by providing tag names.

tag_set_include={value} (Required for Create request) Specify a tag set to include. Hosts that match these tags will be included. You identify the tag set by providing tag name or IDs. Multiple entries are comma separated.

tag_set_exclude={value} (Optional) Specify a tag set to exclude. Hosts that match these tags will be excluded. You identify the tag set by providing tag name or IDs. Multiple entries are comma separated.

elb_dns={value} (Optional) One or more load balancer DNS names to include in the scan job. Multiple values are comma-separated.

schedule={value} (Required for Create request) Specify "now" to schedule the scan job for now. Specify "recurring" to schedule the scan job to start at a later time or on a recurring basis. See Scheduling Parameters in the next section.

Type Parameter List

Schedule schedule=recurring|now (Required for Create request)

Start Time Must be specified together: set_start_time=1 (for Update request only), start_date, start_hour, start_minute, time_zone_code, observe_dst

Recurrence recurrence

Daily Scan Must be specified together: occurrence=daily, frequency_days

Parameter Description

14

Qualys API supportCreate/Update Cloud Perimeter Scan

Notification Parameters

These notification parameters are the same as other scan schedules. You can get complete information in Chapter 3 of the API V2 User Guide.

Example - Create Cloud Perimeter Scan Job (Schedule Now)API request:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl""action=create&tag_set_by=name&tag_include_selector=any&tag_set_include=ec2-Virginia,Unassigned Business Unit&connector_name=conn1&region_code=us-east-1&active=1&option_title=Initial Options&module=vm&schedule=now&cloud_provider=aws&platform_type=classic&&after_notify=1&after_notify_message=Scan Finished" "https://qualysapi.qualys.com/api/2.0/fo/scan/cloud/perimeter/job/"

XML output:

<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd"><SIMPLE_RETURN> <RESPONSE> <DATETIME>2018-04-11T04:06:01Z</DATETIME> <TEXT>Scan has been created successfully</TEXT> <ITEM_LIST> <ITEM>

Weekly Scan Must be specified together: occurrence=weekly, frequency_weeks, weekdays

Monthly Scan Must be specified together: occurrence=monthly, frequency_months, Nth day of month: day_of_month, Day in Nth week: day_of_week, week_of_month

End end_after, end_after_mins

Pause and Resume pause_after_hours, pause_after_mins, resume_in_days, resume_in_hours

Type Parameter List

Notifications Supported with schedule=now:after_notify, after_notify_message, recipient_group_ids

Supported with schedule=recurring:before_notify, before_notify_unit, before_notify_time, before_notify_message, after_notify, after_notify_message, recipient_group_ids

Type Parameter List

15

Qualys API supportCreate/Update Cloud Perimeter Scan

<KEY>ID</KEY> <VALUE>1352070</VALUE> </ITEM> </ITEM_LIST> </RESPONSE></SIMPLE_RETURN>

Example - Create Cloud Perimeter Scan Job (Recurring Schedule)API request:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl""action=create&tag_set_by=name&tag_include_selector=any&tag_set_include=EC2_Targets&tag_exclude_selector=any&tag_set_exclude=EC2_Test&connector_name=EC2 Connector&region_code=us-east-1&active=0&occurrence=daily&start_date=04/02/2018&start_hour=10&start_minute=30&time_zone_code=IN&option_title=Initial Options&frequency_days=364&observe_dst=no&module=vm&schedule=recurring&cloud_provider=aws&platform_type=classic&after_notify=1&recipient_group_ids=4229" "https://qualysapi.qualys.com/api/2.0/fo/scan/cloud/perimeter/job/"

XML output:

<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd"><SIMPLE_RETURN> <RESPONSE> <DATETIME>2018-04-11T05:01:42Z</DATETIME> <TEXT>Scan has been created successfully</TEXT> <ITEM_LIST> <ITEM> <KEY>ID</KEY> <VALUE>1352071</VALUE> </ITEM> </ITEM_LIST> </RESPONSE></SIMPLE_RETURN>

Example - Update Cloud Perimeter Scan Job

API request:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl""action=update&id=1352071&connector_name=EC2Connector-2&platform_type=vpc_peered&region_code=us-west-1" "https://qualysapi.qualys.com/api/2.0/fo/scan/cloud/perimeter/job/"

16

Qualys API supportSchedule Scan List

XML output:

<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd"><SIMPLE_RETURN> <RESPONSE> <DATETIME>2018-04-11T05:05:35Z</DATETIME> <TEXT>Scan has been updated successfully</TEXT> <ITEM_LIST> <ITEM> <KEY>ID</KEY> <VALUE>1352071</VALUE> </ITEM> </ITEM_LIST> </RESPONSE></SIMPLE_RETURN>

Schedule Scan List

Users can now filter the schedule scan list to only show cloud perimeter scan jobs. Also, when you include cloud details in the output, we’ll show scan type "Cloud Perimeter".

Input Parameters

Updated parameters are listed.

ExampleAPI request:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl""https://qualysapi.qualys.com/api/2.0/fo/schedule/scan/?action=list&id=1340788&scan_type=perimeter&show_cloud_details=1"

API affected /api/2.0/fo/schedule/scan/?action=list

New or Updated API Updated

DTD or XSD changes Yes

Parameter Description

scan_type=perimeter (Optional) List cloud perimeter scans only. This option will be supported for Cloud Perimeter Scans in future release.

show_cloud_details={0|1} (Optional) Set to 1 to display cloud details in the XML output. The cloud details will show scan type "Cloud Perimeter" for cloud perimeter scans.

17

Qualys API supportSchedule Scan List

XML output:

<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE SCHEDULE_SCAN_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/schedule/scan/schedule_scan_list_output.dtd"><SCHEDULE_SCAN_LIST_OUTPUT> <RESPONSE> <DATETIME>2018-04-12T12:57:03Z</DATETIME> <SCHEDULE_SCAN_LIST> <SCAN> <ID>1340788</ID> <ACTIVE></ACTIVE> <TITLE><![CDATA[My_External_Scan]]></TITLE> <USER_LOGIN>utwrx_mp</USER_LOGIN> <TARGET><![CDATA[Asset Tags Included]]></TARGET> <ISCANNER_NAME><![CDATA[External Scanner]]></ISCANNER_NAME> <EC2_INSTANCE> <CONNECTOR_UUID><![CDATA[8047abce-c3ac-42e0-ad49-be4181d22c84]]></CONNECTOR_UUID> <EC2_ENDPOINT><![CDATA[1507b6c1-07a7-4d88-acf2-8c6b63e749c4]]></EC2_ENDPOINT> <EC2_ONLY_CLASSIC><![CDATA[1]]></EC2_ONLY_CLASSIC> </EC2_INSTANCE> <CLOUD_DETAILS> <PROVIDER>AWS</PROVIDER> <CONNECTOR> <ID>37361</ID> <UUID>8047abce-c3ac-42e0-ad49-be4181d22c84</UUID> <NAME><![CDATA[EC2 Connector]]></NAME> </CONNECTOR> <SCAN_TYPE>Cloud Perimeter</SCAN_TYPE> <CLOUD_TARGET> <PLATFORM>Classic</PLATFORM> <REGION> <UUID>1507b6c1-07a7-4d88-acf2-8c6b63e749c4</UUID> <CODE>us-east-1</CODE> <NAME><![CDATA[US East (N. Virginia)]]></NAME> </REGION> <VPC_SCOPE>None</VPC_SCOPE> </CLOUD_TARGET> </CLOUD_DETAILS> <ASSET_TAGS> <TAG_INCLUDE_SELECTOR>any</TAG_INCLUDE_SELECTOR> <TAG_SET_INCLUDE><![CDATA[EC2_Targets]]></TAG_SET_INCLUDE>

18

Qualys API supportSchedule Scan List

<TAG_EXCLUDE_SELECTOR>any</TAG_EXCLUDE_SELECTOR> <TAG_SET_EXCLUDE><![CDATA[EC2_Test]]></TAG_SET_EXCLUDE> <USE_IP_NT_RANGE_TAGS>0</USE_IP_NT_RANGE_TAGS> </ASSET_TAGS> <ELB_DNS> <DNS><![CDATA[abc.com]]></DNS> <DNS><![CDATA[abc123.com]]></DNS> </ELB_DNS> <OPTION_PROFILE> <TITLE><![CDATA[Initial Options]]></TITLE> <DEFAULT_FLAG>1</DEFAULT_FLAG> </OPTION_PROFILE> <PROCESSING_PRIORITY>0 - No Priority</PROCESSING_PRIORITY> <SCHEDULE> <DAILY frequency_days="364" /> <START_DATE_UTC>2018-04-02T05:00:00Z</START_DATE_UTC> <START_HOUR>10</START_HOUR> <START_MINUTE>30</START_MINUTE> <TIME_ZONE> <TIME_ZONE_CODE>IN</TIME_ZONE_CODE> <TIME_ZONE_DETAILS>(GMT+0530) India: Asia/Calcutta</TIME_ZONE_DETAILS> </TIME_ZONE> <DST_SELECTED>0</DST_SELECTED> </SCHEDULE> </SCAN> </SCHEDULE_SCAN_LIST> </RESPONSE></SCHEDULE_SCAN_LIST_OUTPUT>

DTD UpdateDTD: <platform>/api/2.0/fo/schedule/scan/schedule_scan_list_output.dtd

We’ve added the new ELB_DNS tag that appears for Cloud Perimeter Scans only.

<!-- QUALYS SCHEDULE_SCAN_LIST_OUTPUT DTD --><!-- $Revision$ --><!ELEMENT SCHEDULE_SCAN_LIST_OUTPUT (REQUEST?,RESPONSE)>...

<!ELEMENT RESPONSE (DATETIME, SCHEDULE_SCAN_LIST?)><!ELEMENT SCHEDULE_SCAN_LIST (SCAN+)><!ELEMENT SCAN (ID, SCAN_TYPE?, ACTIVE, TITLE?, USER_LOGIN, TARGET, NETWORK_ID?, ISCANNER_NAME?, EC2_INSTANCE?, CLOUD_DETAILS?, ASSET_GROUP_TITLE_LIST?, ASSET_TAGS?, EXCLUDE_IP_PER_SCAN?, USER_ENTERED_IPS?, ELB_DNS?,

19

Qualys API supportScan Results (fetch from API)

OPTION_PROFILE?, PROCESSING_PRIORITY?, SCHEDULE, NOTIFICATIONS?)>...

<!ELEMENT ELB_DNS (DNS+)><!ELEMENT DNS (#PCDATA)>...

Scan Results (fetch from API)

Example - CSV Extended Format

API request:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -d"action=fetch&scan_ref=scan/1523603293.69652&mode=extended&output_format=csv_extended" "https://qualysapi.qualys.com/api/2.0/fo/scan/"

Sample CSV output:

In the CSV Header we added “Scan Type” and we changed “IPs” to “DNS”. These changes only apply to Cloud Perimeter Scans.

"Scan Results","04/12/2018 at 14:59:47 (GMT-0700)""Qualys, Inc.","919 E Hillsdale Blvd, Floor 4",,"Foster City","California","United States of America","94404""Patrick Slimmer","Manager"

"Launch Date","Active Hosts","Total Hosts","Type","Scan Type","Status","Reference","Scanner Appliance","Duration","Scan Title","Asset Groups","DNS","Excluded IPs","Option Profile","Tags""04/17/2018 12:41:17","2","2","Scheduled","Cloud Perimeter - AWS EC2","Finished","scan/1523968877.72179","10.1.0.23 (Scanner 10.0.14-1, Vulnerability Signatures 2.4.290-2)","00:18:50","API-Launch-DNS-May_work",,"ec2-184-73-79-113.compute-1.amazonaws.com,ec2-52-87-163-204.compute-1.amazonaws.com",,"Initial Options","Included(any): tag-new;Excluded(any);"

"IP","DNS","NetBIOS","OS","IP Status","QID","Title","Type","Severity","Port","Protocol","FQDN","SSL","CVE ID","Vendor Reference","Bugtraq ID","Threat","Impact","Solution","Exploitability","Associated

API affected /api/2.0/fo/scan/?action=fetch

New or Updated API Neither (output change only)

DTD or XSD changes No

20

Qualys API supportScan Results (fetch from API)

Malware","Results","PCI Vuln","Instance","Category"

Example - JSON Extended Format

API request:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -d"action=fetch&scan_ref=scan/1523968877.72179&mode=extended&output_format=json_extended" "https://qualysapi.qualys.com/api/2.0/fo/scan/"

Sample JSON extended output:

We added “scan_type” and we changed “ips” to “dns”. These changes only apply to Cloud Perimeter Scans.

[{"scan_report_template_title":"Scan Results","result_date":"04\/18\/2018 12:25:14","company":"Qualys","add1":"919 E Hillsdale Blvd, Floor 4","add2":null,"city":"Foster City","state":"California","country":"United States of America","zip":"94404","name":"Patrick Slimmer","username":"quays_pslimmer","role":"Manager"},{"launch_date":"04\/17\/2018 12:41:17","active_hosts":"2","total_hosts":"2","type":"Scheduled","scan_type":"Cloud Perimeter - AWS EC2","status":"Finished","reference":"scan\/1523968877.72179","scanner_appliance":"10.1.0.23 (Scanner 10.0.14-1, Vulnerability Signatures 2.4.290-2)","duration":"00:18:50","scan_title":"My-Scan","asset_groups":null,"dns":"ec2-184-73-79-113.compute-1.amazonaws.com,ec2-52-87-163-204.compute-1.amazonaws.com","excluded_ips":"","option_profile":"Initial Options","tags":"Included(any): tag-new;\nExcluded(any);\n"}]

21

Qualys API supportScan Results (download from UI)

Scan Results (download from UI)

Scan Results in XML format

We added these new Key values to the Header section of the XML output for Cloud Perimeter Scans:

<KEY value="CLOUD_PROVIDER">AWS</KEY> <KEY value="CLOUD_SERVICE">EC2</KEY> <KEY value="SCAN_TYPE">Cloud Perimeter</KEY>

Scan Results in CSV format

In the CSV Header we added “Scan Type” and we changed “IPs” to “DNS”. These changes only apply to Cloud Perimeter Scans.

Sample CSV output:

"Scan Results","04/12/2018 at 14:59:47 (GMT-0700)""Qualys, Inc.","919 E Hillsdale Blvd, Floor 4",,"Foster City","California","United States of America","94404""Patrick Slimmer","Manager"

"Launch Date","Active Hosts","Total Hosts","Type","Scan Type","Status","Reference","Scanner Appliance","Duration","Scan Title","Asset Groups","DNS","Excluded IPs","Option Profile""04/12/2018 at 14:26:16 (GMT-0700)","1","1","Scheduled (default option profile)","Cloud Perimeter - AWS EC2","Finished","scan/1523568376.69585","10.1.0.23 (Scanner 10.0.14-1, Vulnerability Signatures 2.4.290-2)","00:18:33","AWS EC2 Perimeter Scan 20180412 - Now",,"ec2-184-73-79-113.compute-1.amazonaws.com",,"Initial Options","Included(any): tag-new;Excluded(any);"

...

API affected N/A (affects end report)

New or Updated API Neither (output change only)

DTD or XSD changes No

22

AppendixAWS Penetration Testing Request Form

Appendix

AWS Penetration Testing Request FormYou’ll need to fill out a penetration testing request form for AWS EC2 perimeter scanning.

What is this?

The AWS Acceptable Use Policy describes permitted and prohibited behavior on AWS and includes descriptions of prohibited security violations and network abuse. However, because penetration testing and other simulated events are frequently indistinguishable from these activities, we have established a policy for customers to request permission to conduct penetration tests and vulnerability scans to or originating from the AWS environment.

What are the steps?

Follow the process available under:https://aws.amazon.com/security/penetration-testing/

Sample formUpdate the form with your relevant data and submit it using the link above.

AWS AccountId 205767712438

SubmitterName Patrick Slimmer

CompanyName CompanyABC

EmailAddress pslimmer@companyabc.com

AdditionalEmail1

AdditionalEmail2

AdditionalEmail3

Customer_NDA yes

ec2_resources Public facing EC2 instances under the accounts

cloudfront_ID

api_gateway

rds_resources

elb_resources

external_IPs

nameserver_info FQDN Name

dns_owner_notified yes

TLD_scanned FQDN Name

source_IP

on_prem no

23

AppendixAWS Penetration Testing Request Form

third_party Qualys

phone_for_testing_team 6508016100

testing_company_NDA yes

peak_bandwidth Few MBs to 10s depending on the system

peak_rps 75

dns_walking_qps 4-8

StartDate 2018-02-01 00:00

EndDate 2018-05-01 00:00

testing_details We need to scan our external facing instances from the internet to determine the vulnerability of those instances to public exploitation.

metrics_of_test We will monitor both the number and Qualys severity level of the vulnerabilities identified on the instances.

can_you_stop yes

emergency_contact Patrick Slimmer, 6508016100, pslimmer@companyabc.com

TermsAgreement i-agree

Policy i-agree

Submission received from source IP Address

AWS Account ID

Root Customer ID

IAM Account no

Email Address pslimmer@companyabc.com

Name CompanyABC

24