Qualys Blog

www.qualys.com
1113 posts

Announcing the Qualys Customer Portal

Qualys Customer Support now offers a Customer Support Portal, which will be available to most customers before the end of the 2016. The Support Portal can be used to interact with the Customer Support team in multiple ways. It allows customers to create and manage cases, export the entire case history, interact with Qualys Support, and Search articles that can help solve issues and educate users on how to use the Qualys product.

Continue reading …

SANS Survey Report: Organizations’ Continuous Monitoring Programs Must Keep Maturing to Yield Full Benefits

Organizations worldwide have expanded and sharpened their continuous monitoring (CM) programs over the past year, but their adoption of this key set of security practices remains far from perfect.

That’s the main finding from the SANS Institute’s second annual survey on CM programs titled “Reducing Attack Surface” and published Nov. 2016.

Despite tangible improvements, CM “still has a way to go to attain the maturity needed to become a critical part of an organization’s business strategy,” reads the study, which polled almost 300 Infosec and IT pros actively involved in vulnerability assessment and remediation.

Continue reading …

Qualys Cloud Suite 8.9.1 New Features

This new patch release of the Qualys Cloud Suite, version 8.9.1, includes updates for Cloud-based scanner deployments, VM Reporting Enhancements, and expanded platform coverage for PC.

Cloud Platform: Added EC2 Proxy Server support for the connector and the ability to identify the provider for scanners deployed in cloud environments such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Vulnerability Management: Improvements from customer requests for a number of VM Reports and ability to set reopen date for Remediation Tickets.

Policy Compliance: Expanded platform coverage for Microsoft IIS 10, Pivotal Webserver 6, Docker and Windows Server 2016.

Continue reading …

Qualys Cloud Platform 2.19 New Features

Qualys Cloud Platform release 2.19 includes updates and new features for:

  • Cloud Agent Platform (Version 2.0.0)
  • Web Application Scanning (Version 4.13.0)

Continue reading …

Per-Protocol Cipher Suite Detection in SSL Labs

Just a couple of days ago SSL Labs started showing multiple certificates when they are configured for the same host, and we now have another useful feature lined up—per protocol cipher suite testing. When I started working on SSL Labs in 2009, everyone had the same cipher suite configuration, no matter what protocol version was used. In the years that followed we had various security issues in earlier protocol versions, and the ability to configure per-protocol cipher suites slowly started to find its way into libraries. Today, different suites for different protocols is still not very common, but not rare any more.

Continue reading …

Web and Mobile Apps Often Hide Complex Maze of Insecure Connections

To stay secure, organizations must gain control and visibility over their app landscape

For many years, Jason Kent used a good old-fashioned remote control clicker to open and close his garage door, but the mechanism recently got “appified” so he became curious about its security.

His interest isn’t surprising. After all, Kent is Qualys’ Vice President of Web Application Security, so this topic is near and dear to his heart, and it’s fair to say he knows a thing or two about these matters.

To appease his curiosity, he donned a black hoodie because, as he explained at RSA Conference 2016 Abu Dhabi in mid-November, “you have to look the part when you’re hacking IoT,” and he sat in his driveway to try to break into the app.

“I looked at the communication from my mobile app to my garage door through the cloud. I broke into the communication. I crafted a packet in my laptop. And the door opened,” he said during his presentation titled “Security in the App Era: Building Strength for an Interconnected World.”

Continue reading …

As Web Apps Become Top Data Breach Vector, Protecting Them is Critical

There’s one thing that businesses, their customers and cyber criminals have in common: They all love web applications. The reasons for their affection, of course, vary.

Web apps add agility to organizations’ operations such as sales, marketing and customer support, and make business transactions more convenient for customers. Meanwhile, hackers salivate at web apps’ often porous attack surfaces and at their links to backend databases full of confidential information.

With web apps now a key tool for millions of businesses, as well as a major target for criminals, a troubling trend is emerging: The number of successful attacks against them is rising, along with the costs to recover from the resulting data breaches.

As web services power digital transformations in B2B and B2C e-commerce, mobility, IoT and cloud computing, organizations must prioritize web app protection, which infosec teams have historically overlooked.

Continue reading …

SSL Labs Now Showing Multiple Certificate Chains

When we designed the SSL Labs report originally, we allowed room for only one certificate per server. Even though it was technically possible to support multiple certificates for a single host, only a small number of web servers supported it and nobody was actually doing it. Why would they… RSA worked well and cryptography wasn’t as important as it is today.

But, over the years, people started deploying RSA and ECDSA certificates in parallel. These days, many web servers support this option and it’s not at all uncommon to find such web sites. Now, SSL Labs has always been collecting all observed certificates, but they were not shown in the report. When we started to work on the v3 API, we made changes to expose all the certificates. Now, finally (as of 1.25.2), they appear in the main report as well.

To accommodate the additional certificates we made to make some changes to the page design. SSL Labs report was very long even before this change and adding more certificates would mean much more data. So, in an attempt to show less, we’ve taken a decision to hide certificate trust paths by default. We think this is information that most people won’t look for anyway, and those who do can still find it.

This change marks another milestone; for the first time, SSL Labs requires JavaScript for its full functionality. I know, it’s not really relevant, but still. For a really long time I liked the idea of providing a useful service without having to use any “bells and whistles”. But we move on!

BAI Security Eyes Threat Prioritization as Competitive Differentiator

BAI Security, a nationally-recognized security consultancy specializing in highly regulated industries, sees a big opportunity to further differentiate itself: threat prioritization.

Helping its customers pinpoint which vulnerabilities they must remediate right away is a natural expansion of the security auditing and compliance services it provides, such as breach risk, compromise and comprehensive IT security assessments.

“A lot of our competitors are just providing the vulnerability details without a lot of prioritization based on real world exploit activity,” says Michael Bruck, President and CTO of BAI Security.

At best, many security consultancies offer rudimentary prioritization analysis that, while better than nothing, still leaves customers with a lot of manual risk analysis on their hands. “So many organizations have dozens if not hundreds or thousands of ‘level 4’ and ‘level 5’ vulnerabilities,” Bruck says. “For IT departments with limited resources, tackling that is a huge challenge.”

Continue reading …

Announcing SSL Labs Grading Changes for 2017

At SSL Labs, we have a major review of our grading criteria about once a year. As the security of the ecosystem matures, our goal is to push forward and make the requirements [for a good grade] stricter. In many ways, this process of continuous improvement is what really matters to us.

According to our measurement in SSL Pulse, over 40% of the monitored sites have configuration that can be considered good. However, only about 3% of those get an A+, which is what everyone should be aiming for. So our goal with the design of the grading criteria is to push the number of A+ sites up.

In this blog post we will announce our short-term changes as well as outline some further changes that we will be making in 2017 and beyond. From the list below, the 3DES grading change will happen first. Other changes will follow. The main purpose of this blog post is to outline our grading directions so that organisations can start to plan their improvements.

Continue reading …