Qualys Community

1040 posts

Qualys Cloud Platform 2.14 New Features

A new release of the Qualys Cloud Platform includes several new platform features and also includes new versions of the following modules:

Continue reading …

WAS 4.8 Features Vulnerability Retest Function and Finding Severity Customization

We are pleased to announce Qualys Web Application Scanning 4.8 (WAS) featuring quick and easy vulnerability retest functionality, without having to launch a full scan; and the ability to customize the severity of findings to meet your business needs.

Continue reading …

How to Avoid Account Lockouts When Scanning Web Applications

Organizations that use automated scanners to test the security of their web apps must watch out for instances where these tools may trigger user account lockouts inadvertently.  Here we explain why this occurs and offer some tips for how to prevent this from happening with Qualys Web Application Scanning (WAS).

Continue reading …

SSL Labs in 2016 and Beyond

In early 2009, SSL Labs was just this idea I had, born out of frustration with having to deal with a very complex subject without good documentation and tools. I wanted something that worked for me, and didn’t really anticipate that it could become as popular as it is today. The first version launched in the summer of that same year.

Continue reading …

Update: Patch Tuesday May 2016

Update: Adobe released the patch for Adobe Flash that addresses the current 0-day CVE-2016-4117 in APSB16-15. It also patches another 24 vulnerabilities that are mostly rated critical. Patch as quickly as possible. Chrome and Internet Explorer 11/Edge users will get their patches from Google and Microsoft automatically.

Original: Today is the second Tuesday of the month, when both Microsoft and Adobe publish the security updates to their products – the so-called Patch Tuesday.

But before we get into the details of their updates for the month (17 in all) let’s reiterate the urgency of another vulnerability that might have slipped by you. The popular open source program ImageMagick is currently under active attack on the Internet. Vulnerability CVE-2016-3714 (called ImageTragick in the associated vulnerability branding campaign) allows for remote code execution (RCE) through image uploads. At the moment no patch is available, but a workaround has been published that neutralizes current attacks. We recommend the same thing the attackers are doing: scan your infrastructure for occurrences of ImageMagick and then apply the workaround in the policy.xml file. I did this immediately on my sites, even though I use ImageMagick only in commandline mode for thumbnail creation. BTW, the workaround has become more complete over the last 2 weeks, so it is worth taking another look even if you have applied it already…

Continue reading …

Protect Your Systems Against SAMSAM and Prove the Value of Cyber Security to Your Organization

By now, security pros everywhere have heard about SAMSAM, the sinister ransomware attack that exploits years-old vulnerabilities in JBoss and has hit hospitals particularly hard. The spread and “success” of SAMSAM shines the spotlight on the well-known infosec problem of prioritizing vulnerability remediation work.

Continue reading …

OpenSSL CVE-2016-2107 Grading Update

We are releasing an update to the grading criteria, version 2009m, to respond to the discovery of the OpenSSL vulnerability CVE-2016-2107 announced in the OpenSSL Security Advisory [3rd May 2016]. This vulnerability can be exploited by MITM attacker using a padding Oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.

Continue reading …

How Ignoring Low-Level Security Risks Can Open the Door to Major Attacks

With the rise in attacks against web applications, cyber security teams naturally have prioritized the elimination of high-risk threats, such as SQL injections and cross-site scripting (XSS) vulnerabilities. The flip side of this is that many cybersecurity teams choose to ignore or delay the remediation of low-level security vulnerabilities in their web applications. Unfortunately, this isn’t a wise strategy. Underestimating the importance of fixing low-level security issues could create a major problem for an organization. Why? By exploiting a combination of seemingly trivial vulnerabilities, attackers can sometimes open up a big security gap that lets them do extreme damage. In this article, I will demonstrate such a scenario, showing how by taking advantage of several unfixed low-level security issues, an attacker could gain full administrator access to a popular web application.

Continue reading …

Oracle Critical Patch Update April 2016

This week Oracle released their quarterly Critical Patch Update (CPU) for April 2016. The CPU addresses 136 vulnerabilities in 49 products, including Java, Solaris, several middleware products, VirtualBox, the MySQL database and the original Oracle database.

Continue reading …