Compatibility Questionnaire: Qualys Inc. (QualysGuard Express) — Archive
Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation OVAL and on how OVAL can continue to evolve as needed by the community.
Refer to the OVAL Adoption Program section for addition information and to review all products and services listed.
Organizational Information
Name of Your Organization:
Web Site:
Product Information
Product/Service Name:
Compatible Categories:
Product/Service Home Page:
Product Accessibility
Schema Currency Indication
- Users can search in the QualysGuard knowledgebase for the "New Vulnerability" definition created by him/her based on the OVAL schema.
- The display button shows the OVAL schema used to create the vulnerability definition.
Schema Currency Update Approach
Platform and Definition Type Support
Approach for Correction of Errors
Compatibility Documentation
The QualysGuard online help provides OVAL compatibility documentation for customers. The help is available to customers after logging into the QualysGuard service. OVAL-related help topics are available from the Contents under "Network Analysis (Scans)" --> "OVAL Vulnerability Scanning".
See information from the help below:
QualysGuard users with a Manager role can add OVAL vulnerability definitions to the KnowledgeBase making them available for scanning. The service supports OVAL vulnerability definitions for Windows registry tests, Windows file tests and compound tests, which are Boolean combinations of other tests. The service supports the OVAL Definition Schema and the Platform Schema for Windows. These schemas define the structure and vocabulary of the OVAL vulnerability definitions. To learn more about OVAL, go to the OVAL web site at http://oval.mitre.org.
Documentation of Finding Elements Using OVAL
The QualysGuard online help provides OVAL compatibility documentation for customers. The help is available to customers after logging into the QualysGuard service. OVAL-related help topics are available from the Contents under "Network Analysis (Scans)" --> "OVAL Vulnerability Scanning".
Customers can also access Quick Help from the "New Vulnerability" page (Home --> KnowledgeBase --> New Vulnerability) and when viewing or editing an existing OVAL vulnerability from the KnowledgeBase.
See information from the help below:
QualysGuard users with a Manager role can add OVAL vulnerability definitions to the KnowledgeBase. To do so, click New Vulnerability on the KnowledgeBase page (Home --> KnowledgeBase).
When creating a new vulnerability, you paste in XML for an OVAL vulnerability definition. OVAL vulnerability definitions are free to review and download from the OVAL Web site at http://oval.mitre.org/. When saved, the OVAL XML is validated and the new vulnerability is added to the KnowledgeBase. Note that one OVAL ID may be defined for one vulnerability. When the vulnerability is added, the service automatically assigns it a unique QID (Qualys ID) starting at 130000. Subsequent QIDs are incremented by one — 130001, 130002, 130003, etc.
Documentation of Finding Results Information from Elements
QualysGuard uses its own report templates and layout to provide scan results information. The OVAL Results Schema is not used.
General information about reporting and reading scan reports is available in the topic called "Reading Scan Reports" which is available from the help Contents by selecting "Reporting" --> "Scan Reports".
See information from the help below:
When detected, OVAL vulnerabilities appear in scan results just like any other vulnerability. Saved scan results verify whether authentication was successful. It is recommended that you resolve authentication failures before the next scan. To only report on OVAL vulnerabilities, generate a selective vulnerability report. To do so, select Partial/Custom under Selective Vulnerability Reporting on the Filter tab in your report template. Then click Configure and perform a search for vulnerabilities in the OVAL category. The configured list of vulnerabilities will be saved as part of the report template. Whenever the report is generated, only the selected OVAL vulnerabilities will be included.
Documentation Indexing of OVAL-Related Material
The QualysGuard online help is available to customers after logging into the QualysGuard service. OVAL-related help topics are accessible from the help Contents, Index and Search functionalities.
From the help Index, the following OVAL topics are listed:
- Adding OVAL vulnerabilities
- Scanning OVAL vulnerabilities
OVAL Definition Consumer
Configuration and Software Usage Explanation
OVAL Definition Information Process Explanation
The QualysGuard online help provides OVAL compatibility documentation for customers. The help is available to customers after logging into the QualysGuard service. OVAL-related help topics are available from the Contents under "Network Analysis (Scans)" --> "OVAL Vulnerability Scanning".
QualysGuard supports importing of OVAL definitions. QualysGuard customers add OVAL vulnerabilities to the QualysGuard KnowledgeBase making them immediately available for scanning. At any time, users may edit and update these OVAL vulnerabilities. When a user scans OVAL vulnerabilities, all OVAL vulnerabilities that have been added to the KnowledgeBase are included in the scan task.
See information from the help below:
QualysGuard users with a Manager role can add OVAL vulnerability definitions to the KnowledgeBase making them available for scanning. The service supports OVAL vulnerability definitions for Windows registry tests, Windows file tests and compound tests, which are Boolean combinations of other tests.
OVAL vulnerabilities are not included in scan tasks by default. To scan for these vulnerabilities, select OVAL in your option profile (under Vulnerability Detection on the Scan tab). All OVAL vulnerabilities that have been added to the KnowledgeBase are included in the scan task. To scan for a limited set of OVAL vulnerabilities or a combination of OVAL vulnerabilities and other detections, use the Custom option and select vulnerabilities assigned to the OVAL category.
Questions for Signature
Statement of Compatibility
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory Compatibility Requirements as well as all of the additional mandatory Compatibility Requirements that are appropriate for our specific type of capability."
Name: | Amol Sarwate | |
Title: | Manager, Vulnerability Management Lab |
Statement of Accuracy
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability's use of OVAL schema and logic."
Name: | Amol Sarwate | |
Title: | Manager, Vulnerability Management Lab |
Statement on Follow-on Testing Activity Support
Have an authorized individual sign and date the following statement about your organizations willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved. (required):
"As an authorized representative of my organization, we agree to support the Reviewing Authority in follow-on testing activities, where appropriate types of files will be exchanged with other organizations attempting to prove the correctness of their capabilities."
Name: | Amol Sarwate | |
Title: | Manager, Vulnerability Management Lab |
Page Last Updated: December 17, 2009