Qualys launches AI-powered Web Application Scanning (WAS) with API security

Qualys has announced the launch of its API security platform that leverages AI-powered scanning and deep learning-based web malware detection to secure web apps and APIs across the entire attack surface, including on-premises web servers, databases, hybrid, multi-cloud environments, API gateways, containerised architectures, and microservices.

APIs are integral to digital transformation initiatives across industries. The latest data indicates that over 83% of web traffic now comprises API traffic, highlighting their critical role in modern web applications using microservices, cloud, and hybrid environments. However, this also underscores the vulnerabilities that accompany their widespread adoption.

“Many organisations use a variety of security tools, such as SAST, DAST, SCA, or point solutions for API security that often operate in isolation, without a unified platform to integrate their findings. Moreover, the absence of integration between these tools leads to a fragmented view of the application security posture and results in uncoordinated efforts and gaps in security coverage. Similarly, SAST & DAST tools offer limited coverage for API-specific issues and focus predominantly on code vulnerabilities,” commented Kunal Modasiya, Vice President, Product Management, CyberSecurity Asset Management, Qualys. “Mainly, these solutions fail to extend their assessment to the runtime or environmental threats where APIs operate and provide visibility into the vulnerabilities of the underlying infrastructure hosting these APIs, leaving significant security gaps at the network and host levels.”

Qualys API security addresses and allows organisations to:

• Measure API risks across all attack surfaces with a unified view of API security by discovering & monitoring every API asset across diverse environments, enabling better decision-making and faster response times.
• Communicate API risks like OWASP API Top 10 vulnerabilities & drift from OpenAPI specs with real-time threat detection and response, minimising the risk window and enhancing overall security.
• Eliminate API risks with integrated workflows supporting Shift-Left & Shift-Right practices, bridging the gap between IT and security teams, promoting seamless collaboration, and improving operational efficiency.

Key features of Qualys API

1. Comprehensive API discovery and inventory management

Qualys WAS with API Security automatically identifies and catalogs all APIs within an organisation’s network, including internal, external, undocumented, rogue, and shadow APIs. Whether APIs are deployed in multi-cloud environments (AWS, Azure), containerised architectures (Kubernetes), or API gateways (Apigee, Mulesoft), Qualys’ continuous discovery ensures an updated inventory across all platforms, preventing unauthorised access points and shadow APIs.

2. API vulnerability testing & AI-powered scanning

Qualys provides comprehensive API vulnerability testing using 200+ prebuilt signatures to detect API-specific security vulnerabilities, including those listed in the OWASP API Top 10, such as rate limiting, authentication & authorisation issues, PII collection, and sensitive data exposure. Moreover, for large applications, Qualys combines the power of deep learning and AI-assisted clustering to perform efficient vulnerability scans. This smart clustering mechanism targets critical areas, achieving a 96% detection rate with an 80% reduction in scan time.

3. API compliance monitoring

Qualys performs both active and passive compliance monitoring to identify and address any drift or inconsistencies in API implementation and documentation in adherence to the OpenAPI Specification (OAS v3). Clear, standardised API documentation, in adherence to OAS, ensures that shared documentation is easily understood by recipients, simplifies security assessments and enforcement, and enhances the accuracy of code, benefiting both automated tools and human developers. Qualys also continuously monitors APIs for compliance with industry standards such as PCI-DSS, GDPR, and HIPAA to ensure that APIs remain compliant with evolving regulations, avoiding potential fines and enhancing data protection.

4. API risk prioritisation with TruRisk

Qualys leverages its proprietary TruRisk scoring system, which integrates multiple factors such as severity, exploitability, business context, and asset criticality to prioritise risks based on overall business impact, ensuring that the most critical vulnerabilities are addressed first. It also categorises risks based on the OWASP API Top 10, helping organisations focus on the most prevalent and severe API security threats.

5. Seamless integration with Shift-Left and Shift-Right workflows

Qualys integrates seamlessly with existing CI/CD tools (e.g., Bamboo, TeamCity, Github, Jenkins, Azure DevOps) and IT ticketing systems (e.g., Jira, ServiceNow), supporting both shift-left and shift-right security practices. This facilitates automated security testing and real-time threat detection and response without disrupting development workflows. By bridging the gaps between IT and security teams, Qualys ensures smoother operational transitions, improving API security practices and reducing the risk window.

Interested parties can read more about the new launch here.