Qualys dashboard screen
770 gradient

Qualys Scan Tool

A vulnerability management tool that allows you to detect, mitigate, and report on security vulnerabilities found in systems and software.

Overview

Qualys Vulnerability Management (VM) scan tool is a commercial network-based application used to scan systems for technical vulnerabilities. The scanner actively probes for vulnerabilities using a multi-level scan with a large database of known security holes to identify common system vulnerabilities many of which are caused by oversights such as misconfiguration or missing patches.

Many of the vulnerabilities are also included in CERT, CIAC, and SANS security organization advisories. New checks for vulnerabilities are added continuously to the scanner.

Highlights

Vulnerability scanning is only allowed for systems for which you are specifically authorized (e.g., your unit if that is your responsibility). University Information Security is the only unit authorized to scan throughout the University of Minnesota network.

Scans and reporting are self-managed by University units. The process includes:

  • Maintain list of IP addresses -- identify systems by IP address either individually or group into asset groups
  • Schedule scan -- schedule vulnerability scans at least monthly for systems in your unit. Recommend scheduling weekly scans.
  • Review results -- review the scan results. If high-severity vulnerabilities are found, fix the vulnerability or document why the vulnerability cannot be fixed or does not pertain.
  • Re-scan if necessary -- schedule re-scans to determine if the vulnerabilities have been fixed.
  • Use remediation tickets -- document false positives and remediation fixes that require more time to fix.
  • Run reports -- use various report templates and asset views to produce reports to meet your needs.

See the University Technical Vulnerability Management standard in the Information Security Policy for current requirements on frequency of vulnerability scanning and whether remediation is required or recommended.

University Information Security coordinates the external vulnerability scan for systems and network devices that are in scope for the credit card data environment (CDE). These scans meet the Payment Card Industry (PCI) Scanning (PDF) requirement.

Getting Started

Intended Audience

Students
Instructors
Researchers
Staff & Departments

Cost

University-funded: no charge.