OVAL - Compatibility Questionnaire: Qualys Inc. (QualysGuard MSP)

Compatibility Questionnaire: Qualys Inc. (QualysGuard MSP) — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for addition information and to review all products and services listed.

General Capability Questions | Accuracy Questions | Documentation Questions | Capability Specific Questions

Organizational Information

Name of Your Organization:

Qualys Inc.

Web Site:

www.qualys.com

Product Information

Product/Service Name:

QualysGuard MSP

Compatible Categories:

OVAL Definition Consumer

Product/Service Home Page:

http://www.qualys.com/webservices/qgmsps/

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public (required):

When customers log-in to the QualysGuard service the landing page provides a "New Vulnerability" button which enables customers to add OVAL vulnerability checks that are based on OVAL schemas.

Accuracy Questions

Schema Currency Indication

Describe how and where your capability indicate the OVAL Schema used to create or update its contents and/or results (required):

Users can search in the QualysGuard knowledgebase for the "New Vulnerability" definition created by him/her based on the OVAL schema.
The display button shows the OVAL schema used to create the vulnerability definition.

Schema Currency Update Approach

Indicate how often you plan on updating content to reflect new OVAL Schema versions and describe your approach to keeping reasonably current with schema versions (recommended):

Qualysguard supports OVAL schema definition 4.2. We plan to support future versions as they get stable and official accepted by OVAL.

Platform and Definition Type Support

Indicate which platforms and definition types for those platforms that your capability supports for each category of OVAL compatibility your capability supports (required):

QualysGuard supports the Windows Platform for OVAL definations.

Approach for Correction of Errors

Indicate how someone who discovers an error in your capabilities use of OVAL can report the error and describe your approach to responding to such reports and applying fixes (required):

OVAL errors can be submitted to customer support by e-mail or by telephone. Please refer to http://www.qualys.com/support/ for details.

Documentation Questions

Compatibility Documentation

Provide a copy, or directions to its location, of where your documentation describes OVAL, OVAL compatibility and/or OVAL-ID compatibility for your customers (required):

The QualysGuard online help provides OVAL compatibility documentation for customers. The help is available to customers after logging into the QualysGuard service. OVAL-related help topics are available from the Contents under "Network Analysis (Scans)" --> "OVAL Vulnerability Scanning".

See information from the help below:

QualysGuard users with a Manager role can add OVAL vulnerability definitions to the KnowledgeBase making them available for scanning. The service supports OVAL vulnerability definitions for Windows registry tests, Windows file tests and compound tests, which are Boolean combinations of other tests. The service supports the OVAL Definition Schema and the Platform Schema for Windows. These schemas define the structure and vocabulary of the OVAL vulnerability definitions. To learn more about OVAL, go to the OVAL web site at http://oval.mitre.org.

Documentation of Finding Elements Using OVAL

Provide a copy, or directions to its location, of where your Documentation describes the specific details of how your customers can find individual security elements in the capability's repository by using OVAL definitions and/or how the user can find them elsewhere through the use of OVAL-IDs (required):

Customers can also access Quick Help from the "New Vulnerability" page (Home --> KnowledgeBase --> New Vulnerability) and when viewing or editing an existing OVAL vulnerability from the KnowledgeBase.

See information from the help below:

QualysGuard users with a Manager role can add OVAL vulnerability definitions to the KnowledgeBase. To do so, click New Vulnerability on the KnowledgeBase page (Home --> KnowledgeBase).

When creating a new vulnerability, you paste in XML for an OVAL vulnerability definition. OVAL vulnerability definitions are free to review and download from the OVAL Web site at http://oval.mitre.org/. When saved, the OVAL XML is validated and the new vulnerability is added to the KnowledgeBase. Note that one OVAL ID may be defined for one vulnerability. When the vulnerability is added, the service automatically assigns it a unique QID (Qualys ID) starting at 130000. Subsequent QIDs are incremented by one — 130001, 130002, 130003, etc.

Documentation of Finding Results Information from Elements

Provide a copy, or directions to its location, of where your documentation describes how the user can obtain information in the OVAL Results Schema from individual elements in the capability's repository (required):

QualysGuard uses its own report templates and layout to provide scan results information. The OVAL Results Schema is not used.

General information about reporting and reading scan reports is available in the topic called "Reading Scan Reports" which is available from the help Contents by selecting "Reporting" --> "Scan Reports".

See information from the help below:

When detected, OVAL vulnerabilities appear in scan results just like any other vulnerability. Saved scan results verify whether authentication was successful. It is recommended that you resolve authentication failures before the next scan. To only report on OVAL vulnerabilities, generate a selective vulnerability report. To do so, select Partial/Custom under Selective Vulnerability Reporting on the Filter tab in your report template. Then click Configure and perform a search for vulnerabilities in the OVAL category. The configured list of vulnerabilities will be saved as part of the report template. Whenever the report is generated, only the selected OVAL vulnerabilities will be included.

Documentation Indexing of OVAL-Related Material

If your documentation includes an index, provide a copy of the items and resources that you have listed under "OVAL" in your index. Alternately, provide directions to where these "OVAL" items are posted on your web site (recommended):

The QualysGuard online help is available to customers after logging into the QualysGuard service. OVAL-related help topics are accessible from the help Contents, Index and Search functionalities.

From the help Index, the following OVAL topics are listed:

Adding OVAL vulnerabilities
Scanning OVAL vulnerabilities

Capability Specific Questions

OVAL Definition Consumer

Configuration and Software Usage Explanation

If your capability does not use both the configuration and software sections of definitions where do you describe to your customers how your capability deviates from the logic of the definitions that have both sections (required):

QualysGuard uses both the configuration and software sections of definitions.

OVAL Definition Information Process Explanation

If your capability does not support consuming OVAL Definitions at runtime explain where you have documented the process by which customers can submit OVAL Definitions for interpretation by the capability, including how quickly Definitions submitted are made available to the capability in use by your customers (required):

QualysGuard supports importing of OVAL definitions. QualysGuard customers add OVAL vulnerabilities to the QualysGuard KnowledgeBase making them immediately available for scanning. At any time, users may edit and update these OVAL vulnerabilities. When a user scans OVAL vulnerabilities, all OVAL vulnerabilities that have been added to the KnowledgeBase are included in the scan task.

See information from the help below:

OVAL vulnerabilities are not included in scan tasks by default. To scan for these vulnerabilities, select OVAL in your option profile (under Vulnerability Detection on the Scan tab). All OVAL vulnerabilities that have been added to the KnowledgeBase are included in the scan task. To scan for a limited set of OVAL vulnerabilities or a combination of OVAL vulnerabilities and other detections, use the Custom option and select vulnerabilities assigned to the OVAL category.

Questions for Signature

Statement of Compatibility

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory Compatibility Requirements as well as all of the additional mandatory Compatibility Requirements that are appropriate for our specific type of capability."

Name:		Amol Sarwate
Title:		Manager, Vulnerability Management Lab

Statement of Accuracy

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability's use of OVAL schema and logic."

Name:		Amol Sarwate
Title:		Manager, Vulnerability Management Lab

Statement on Follow-on Testing Activity Support

Have an authorized individual sign and date the following statement about your organizations willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved. (required):

"As an authorized representative of my organization, we agree to support the Reviewing Authority in follow-on testing activities, where appropriate types of files will be exchanged with other organizations attempting to prove the correctness of their capabilities."