Understanding scan result differences for a web application scan and securing a static website

Steve 66 Reputation points
2020-07-27T05:40:33.987+00:00

We have a static website hosted on Microsoft Azure. Our marketing team wanted an easy way to update it, so WordPress was installed on Azure, the site was created, and the marketing team updates it. A WordPress plug-in exports their updates as HTML, which is shown on the static website. By not allowing WordPress to constantly run, it reduces our risk of WordPress vulnerabilities.

I scheduled a Qualys web app scan for it, and my co-worker also did that the next day without seeing the one I scheduled. Both scans are identical and were scanning the same URL for the static website.

My scan results have 25 vulnerabilities, whereas his have no vulnerabilities. The system admin who created the static website on Azure told me he did not change anything, so there is no reason for two reports on a website to have such different results.

Both Qualys scanners have the same versions for Scanner, WAS and Signatures.

Qualys support is thinking it could be that one Qualys scanner IP was allowed to scan and the other was filtered by Azure Security Center, Application Gateway, etc.

  1. Do we need to connect with Azure support to whitelist any Qualys IP ranges provided by Qualys support for our static website?
    I was thinking Qualys scanners are well known in the industry, so most cloud hosting providers like Azure would have already whitelisted Qualys scanners.
  2. What else could cause the scan results to be so different?
  3. Any security recommendations for hosting a static website on Azure in a case like ours, where our marketing team needs to use Google Analytics and run Google Ads promoting the site content, but at the same time we want geo-blocking so only IPs from the U.S. are allowed? All our customers are in the U.S., so we want the website to be available to anyone in the U.S. only. I understand I can use Front Door for it, as explained at https://learn.microsoft.com/en-us/azure/frontdoor/front-door-tutorial-geo-filtering. I also realize Application Gateway has a lot of protections and I can harden it more using a Network Security Group.

Thanks


1 answer

  1. ajkuma 28,036 Reputation points Microsoft Employee Moderator
    2020-07-28T19:08:58.097+00:00

    Welcome to Microsoft Q&A! Thanks for posting the question.

    Firstly, apologies for the delayed response here.

    3. While both Front Door and Application Gateway are layer 7 (HTTP/HTTPS) load balancers, the primary difference is that Front Door is a global service whereas Application Gateway is a regional service. While Front Door can load balance between your different scale units/clusters/stamp units across regions, Application Gateway allows you to load balance between your VMs/containers, etc. that are within the scale unit. Based on your scenario you could leverage Front Door; you may check the key scenarios for using Application Gateway behind Front Door here: https://learn.microsoft.com/azure/frontdoor/front-door-faq

    1 & 2
    Just to highlight, Azure offers several ways to host websites: Azure App Service Web Apps (PaaS solution), Virtual Machines (IaaS), Service Fabric, Azure Storage (for static websites) and Azure Static Web Apps.

    Kindly see the Decision tree for Azure compute services. I’m not sure if you’re running this on a VM; if you run the scan again, does it show different results or a comparable report (to the previous scan)? I understand you have already connected with Qualys support on this issue. I have also checked the doc ‘Securing Microsoft Azure with Qualys’ for configuration details. AFAIK, the configuration aspects for different Azure services could be different for a Qualys scan.
    Note: This response contains a reference to a third-party World Wide Web site. I'm just providing this information as a convenience to you.

    Kindly check out this document for illustration - Integrated vulnerability scanner for virtual machines (standard tier only).
    What prerequisites and permissions are required to install the Qualys extension?

    You'll need write permissions for any VM on which you want to deploy the extension.
    The Azure Security Center Vulnerability Assessment extension (powered by Qualys), like other extensions, runs on top of the Azure Virtual Machine agent. So, it runs as Local Host on Windows, and Root on Linux.

    During setup, Security Center checks to ensure that the VM can communicate with Qualys's cloud service on the following two IP addresses (via port 443 - the default for HTTPS):
    • 64.39.104.113
    • 154.59.121.74

    If you still need further assistance on this issue, I wish to engage with you offline for a much closer look. Please send an email with the subject line “Attn:Ajay” to AzCommunity[at]Microsoft[dot]com referencing this thread and your Azure subscription ID, and I will follow up with you.

    1 person found this answer helpful.
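As an added illustration of the Front Door approach discussed in question 3 and in the answer (this is example code, not code from the thread or from Microsoft's tutorial), the following Az.FrontDoor script builds a WAF policy that blocks non-US sources while explicitly allowing a scanner source range ahead of the geo rule, which is the kind of exemption that would otherwise make two scanners from different locations report different results as in questions 1 and 2. The resource group, Front Door and policy names, and the 203.0.113.0/24 range are placeholders; substitute the ranges your scanning vendor actually publishes.

```powershell
# Added example, not from the thread. Assumes the Az.FrontDoor module is installed
# and Connect-AzAccount has already been run. All names below are placeholders.
$resourceGroupName = "rg-static-site"      # placeholder
$frontDoorName     = "fd-static-site"      # placeholder
$policyName        = "wafGeoUsOnly"        # placeholder
# Constructed placeholder range; replace with the scanner ranges your vendor publishes.
$scannerRanges     = @("203.0.113.0/24")

# Rule 1 (lowest number = evaluated first): allow the scanner source ranges so the
# geo filter below does not silently drop one scanner's traffic.
$scannerMatch = New-AzFrontDoorWafMatchConditionObject `
    -MatchVariable RemoteAddr -OperatorProperty IPMatch -MatchValue $scannerRanges
$allowScanners = New-AzFrontDoorWafCustomRuleObject -Name "allowScanners" `
    -RuleType MatchRule -MatchCondition $scannerMatch -Action Allow -Priority 1

# Rule 2: block any request whose source country is NOT the US (negated GeoMatch).
$nonUsMatch = New-AzFrontDoorWafMatchConditionObject `
    -MatchVariable RemoteAddr -OperatorProperty GeoMatch -MatchValue "US" -NegateCondition $true
$blockNonUs = New-AzFrontDoorWafCustomRuleObject -Name "blockNonUS" `
    -RuleType MatchRule -MatchCondition $nonUsMatch -Action Block -Priority 2

# Prevention mode enforces the rules; Detection mode would only log matches, which is
# useful for a first pass to confirm the scanner rule matches before enforcing.
$policy = New-AzFrontDoorWafPolicy -Name $policyName -ResourceGroupName $resourceGroupName `
    -Customrule $allowScanners, $blockNonUs -Mode Prevention -EnabledState Enabled

# Link the policy to the Front Door frontend endpoint that serves the static site.
$frontDoor = Get-AzFrontDoor -ResourceGroupName $resourceGroupName -Name $frontDoorName
$frontDoor.FrontendEndpoints[0].WebApplicationFirewallPolicyLink.Id = $policy.Id
Set-AzFrontDoor -InputObject $frontDoor
```

After applying the policy, a blocked scan shows up in the Front Door WAF logs as matches on the blockNonUS rule, which is the first place to look when two otherwise identical scans disagree.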
