Qualys Blog

Qualys Beefs Up Cloud Tool for Security Consultants

Posted by Juan C. Perez in Qualys Technology, Uncategorized on September 20, 2016

Like all security consultants, you face intensifying challenges, demands and pressures as your customers’ IT infrastructures become more complex and hackers get more aggressive and effective.

Organizations entrust you with the complex and critical task of making comprehensive and accurate security assessments of their IT environments. Every customer engagement is a high-stakes job.

You must stay abreast of the latest, ever more sophisticated cyber attacks, as well as understand your customers’ increasingly heterogeneous and distributed IT environments. To succeed, it’s not sufficient to rely on your know-how and experience, however vast those might be. You also need the best software tools available to do your job.

Prioritizing Remediation: Plug into the Firehose of Vulnerability Disclosures and Correlate

Posted by Juan C. Perez in Qualys Technology on September 19, 2016

This is part two in a three-part series on prioritizing vulnerability remediation, where we’re explaining five basic requirements for identifying on an ongoing basis which IT assets you must patch right away.

In our first post last week we met Steve, a nightmare-stricken infosec manager who loses sleep over his organization’s inability to manage its IT environment’s vulnerabilities. We also described the first requirement for success: compiling a complete, detailed IT asset inventory.

In this second installment, we’ll spell out two more requirements: Logging the constant stream of vulnerability disclosures; and correlating external threat information with your IT assets’ vulnerabilities.

Patch Tuesday September 2016 Video Highlights

Posted by amolsarwate in The Laws of Vulnerabilities on September 13, 2016

In one of the larger Patch Tuesdays in some time, Microsoft today released 14 security bulletins for desktop OSes, server OSes, browsers, Silverlight, SMBv1, Exchange Server and more. Watch this video to learn how security teams should prioritize patching based on the new bulletins.

Adobe September 2016 Security Update

Posted by amolsarwate in The Laws of Vulnerabilities on September 13, 2016

Today Adobe released three security updates that patched Adobe Flash, AIR and Adobe Digital Editions. Top priority goes to Adobe flash bulletin APSB16-29 which fixes a whopping 29 vulnerabilities. This update applies to Windows, Macintosh, Linux and ChromeOS platforms.

Large Microsoft Patch Tuesday Update for September 2016

Posted by amolsarwate in The Laws of Vulnerabilities on September 13, 2016

It’s September 2016 Patch Tuesday, and Microsoft has released 14 security bulletins that affect a host of components including desktop operating systems, servers, browsers , Exchange server, Silverlight, SMBv1 and several others. It’s a large update that will keep desktop as well as server administrators busy. Seven updates are rated as critical, while the other seven are rated as important. One 0-day vulnerability CVE-2016-3352 which was publicly disclosed earlier is also patched in the MS16-110 bulletin.

8 Comments
Permalink
Tags: edge, exchange, internet explorer, office, patch tuesday, silverlight, smb, vbscript

End the Nightmare of Vulnerability Disclosure Overload: Keep Calm and Prioritize

Posted by Juan C. Perez in Qualys Technology on September 12, 2016

Overwhelmed by the mounds of vulnerabilities in their IT environments, many organizations struggle to prioritize remediation, but you can overcome this challenge with the right approach

Prioritize vulnerability remediation with Qualys ThreatPROTECT so you don't lose sleep.

Steve, an information security manager, is again rattled awake at 3 a.m. by a recurring nightmare: He’s at work and his desk suddenly gets transformed into a mile-long Whack-A-Mole cabinet with thousands of holes. But instead of toy moles, what springs up from the cabinet holes are red square signs, each displaying a different CVE number.

Mallet in hand, a flustered Steve quickly realizes there’s no way he can hit every CVE sign before time runs out. Worse, he gets no points for hitting the ones that pose no threat to his IT assets: He only gets rewarded when he whacks one that could seriously compromise his IT environment.

Qualys Cloud Platform 2.17 New Features

Posted by Tim White in Qualys Technology on September 9, 2016

A new release of the Qualys Cloud Platform release 2.17 which includes updates and new features for:

Cloud Agent Platform (version 1.8.0)
Continuous Monitoring (version 1.16.0)
Security Assessment Questionnaire (version 2.2.0)

No Comments
Permalink
Tags: ca, CM, notification, product news, saq

Qualys Malware Detection 2.11 Time Zone Fix

Posted by fmc in Qualys Technology on September 9, 2016

The release of Qualys Malware Detection (MD) version 2.11 fixes the time zone feature and removes redundant time zones for easier MD scan scheduling capabilities.

Is HTTP Public Key Pinning Dead?

Posted by Ivan Ristic in SSL Labs on September 6, 2016

I have a confession to make: I fear that HTTP Public Key Pinning (HPKP, RFC 7469)—a standard that was intended to bring public key pinning to the masses—might be dead. As a proponent of a fully encrypted and secure Internet I have every desire for HPKP to succeed, but I worry that it’s too difficult and too dangerous to use, and that it won’t go anywhere unless we fix it.

Thwarting SQL Injection: Defense in Depth

Posted by Vaijayanti Korde in Security Labs on August 31, 2016

SQL as a language is vulnerable to injection attacks because it allows mixing of instructions and data, which attackers can conveniently exploit to achieve their nefarious objectives.

The root cause behind successful SQL injection attacks is the execution of user-supplied data as SQL instructions. This classic cartoon illustrates the perils of trusting user inputs, and how they can lead to a successful SQLi attack:

From the webcomic xkcd: