Back to qualys.com
1299 posts

DevSecOps: Practical Steps to Seamlessly Integrate Security into DevOps

To properly and effectively protect DevOps pipelines, organizations can’t blindly apply conventional security processes they’ve used for traditional network perimeters. Since DevOps’ value is the speed and frequency with which code is created, updated and deployed, security must be re-thought so that it’s not a last step that slows down this process.

Hampering the agility of DevOps teams has terrible consequences. These teams produce the code that digitally transforms business tasks and makes them more innovative and efficient. Thus, it’s imperative for security to be built into — not bolted onto — the entire DevOps lifecycle, from planning, coding, testing, release and packaging, to deploying, operating and monitoring.

If security teams take existing processes and tools, and try to jam them into the DevOps pipeline, they’ll break the automation, agility and flexibility that DevOps brings. 

“This doesn’t work,” Qualys Vice President of Product Management Chris Carlson said during a recent webcast, in which he explained how security teams can seamlessly integrate security into DevOps using Qualys products.

Continue reading …

Securing the Hybrid Cloud: A Guide to Using Security Controls, Tools and Automation

When a bank recently created a consumer mobile wallet, it built the entire project — from development to deployment — in the cloud, an increasingly common decision among enterprises.

A less common step taken by this multinational bank and Qualys customer was incorporating the security team from day one. It recognized that the safety of the application was as critical for its success as its feature functionality.

In doing so, this bank tackled a challenge that organizations face as they move workloads to public cloud platforms: Protecting these new cloud workloads as effectively as their on-premises systems, but with processes and tools that are effective in both environments.

In a recent webcast, SANS Institute and Qualys experts addressed this issue in detail, offering insights and recommendations for security teams faced with protecting hybrid IT infrastructures’ assets on premises and in public clouds.

Cloud adoption triggers new security needs

In pursuit of digital transformation benefits, organizations are aggressively moving more workloads to public clouds, expanding from straightforward software-as-a-service (SaaS) applications to more involved platform- and infrastructure-as-a-service (PaaS and IaaS) deployments.

As this happens, InfoSec teams find that safeguarding these environments can be complex. “Security teams have rallied around the idea that this is something they need to live with,” Dave Shackleford, a SANS analyst and instructor, said during the webcast.

Continue reading …

What we’ve got here is failure to communicate: OS vendors misread CPU docs, create flaw

In a memorable scene from “Jumpin’ Jack Flash,” Whoopi Goldberg struggles to understand the lyrics of the eponymous song from the Rolling Stones, as she pleads: “Mick, Mick, Mick, speak English!”

It appears that multiple operating system vendors had similar trouble interpreting Intel and AMD debugging documentation, which led the OS vendors to independently create the same critical security flaw in their respective kernel software.

The issue came to light last week when US-CERT (United States Computer Emergency Readiness Team) warned that under certain circumstances “some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception.”

“The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV to SS and POP to SS,” the CERT alert reads.

The list of OS vendors affected reads like an industry “who’s who.” It includes Apple, Microsoft, Red Hat, VMware, Ubuntu, Xen and SUSE Linux. The problem was discovered by researcher Nick Peterson of Everdox Tech, who has detailed the flaw in a paper titled “POP SS/MOV SS Vulnerability.”

Continue reading …

May 2018 Patch Tuesday – Medium Weight, However One Active Exploit Needs Attention

Microsoft and Adobe LogosThis May’s Patch Tuesday has quite a few Microsoft fixes for both the OS and browsers.  In all, 67 unique CVEs are addressed in 17 KB articles, with 21 CVEs marked Critical.  32 of these CVEs reference Remote Code Execution, 19 of which are Critical. Those who use Hyper-V have some updates to pay attention to as well.

Continue reading …

Timely Password-Change Call from Twitter, as Bugs Hit WebEx and GPON routers

The cyber security news cycle is always active, so to help you stay in the loop here’s a selection of incidents that caught our attention over the past week or so involving, among others, Twitter, Cisco and GPON routers.

Twitter picks a good day for password-change call

As “change your password” calls from vendors go, the one from Twitter last week ranks right up there, and not just because of the scope of users involved. As Jon Swartz pointed out in Barron’s, Twitter’s alert went out on Thursday, which happened to be World Password Day.

The social media juggernaut reached out to all of its 330 million users and advised them to take a moment, go to their account settings page and enter a new password. Twitter also suggested they enable Twitter’s two-step verification feature, a move strongly endorsed by Forbes’ Thomas Fox-Brewster. In addition, Twitter recommended that users change their password on any other online services where they used their Twitter password. (It bears repeating: It’s a bad idea to re-use passwords.)

The reason for the brouhaha: An IT slip-up caused user passwords to be stored in plain text in an internal Twitter log. Twitter’s security policy is to instead mask passwords using the “bcrypt” hashing technique. That way, passwords are stored on Twitter systems as a string of random characters.

Continue reading …

How To Prioritize Vulnerabilities in a Modern IT Environment

Here’s a stat that shows the importance of prioritizing vulnerability remediation: Almost 30% of the CVEs disclosed in 2017 had a CVSS score of “High” or “Critical.” That works out to about 3,000 such vulnerabilities, or about 58 every week.

Given this large number of severe vulnerabilities, it’s critical for IT and security teams to make a deeper assessment of the risk they represent in the context of their organizations’ IT environment.

If they identify the vulnerabilities that pose the highest risk to their organization’s most critical assets, they’ll be able to prioritize remediation accordingly and eliminate the most serious and pressing threats to their IT environment.

However, as evidenced by the long list of major breaches caused by unpatched vulnerabilities, it’s hard for many businesses, government agencies and not-for-profit organizations to prioritize remediation consistently and accurately.

“One of the big challenges that we have as security professionals is trying to stay on top of our vulnerability management,” Josh Zelonis, a Forrester Research analyst, said during a recent webcast.

Zelonis, who cited the CVE stat during the webcast, said that, according to a 2017 Forrester survey of global businesses, 58% of them experienced at least one breach in the previous 12 months. Among those, 41% of the breaches were carried out by exploiting a vulnerability.

“This is really representative of the problems we’re seeing in the industry with prioritization and getting patches deployed, and this is only increasing,” he said.

“In a post-Equifax world, VM is coming under increased scrutiny,” Zelonis added, alluding to the massive data breach suffered by the credit reporting agency in 2017 after hackers exploited the Apache Struts vulnerability (CVE-2017-5638), which had been disclosed about six months before.

Read on to learn valuable best practices for prioritizing remediation, and how Qualys can help your organization overcome this critical challenge.

Continue reading …

Gaining Control over Your Digital Certificates

Digital certificate management is in an inadequate state at most organizations, a serious problem, considering that SSL/TLS certificates are critical for a host of e-business functions.

“If you’re doing something on the Internet, you’re using SSL,” Asif Karel, a Qualys Director of Product Management, said at the RSA Conference 2018.

Specifically, digital certificates are used to ensure the confidentiality, authenticity, integrity and non-repudiation of public-facing online services, internal services, machine-to-machine communications, public cloud services and API integrations.

During his presentation, Karel outlined the current challenges organizations face with certificate visibility, and explained how Qualys can help with CertView, a free app available now.

Continue reading …

When Preparing for GDPR, Don’t Neglect Public Cloud Security

With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, protecting these environments is critical for compliance with the EU’s General Data Protection Regulation (GDPR).

These public cloud platforms are being used to power digital transformation initiatives across a wide variety of business functions, including supply chain management, customer support, employee collaboration, sales and marketing.

In all of these business tasks that are being digitally transformed in the cloud, customer personal data regulated by GDPR is likely to be stored, processed and shared.

Continue reading …

Orangeworm Targeting Healthcare Industry since 2015 Now Exposed

Operating since 2015, a threat group dubbed Orangeworm has been newly attributed to hacking and infiltrating healthcare groups around the world.  Companies specifically targeted include hospitals, healthcare providers, pharmaceuticals, IT services firms serving the healthcare industry, and more.  (Healthcare Informatics Institute describes this in more detail.)

The victims are specific, targeted, and global with 17% of victims in the US, 7% in India, 7% in Saudi Arabia, 5% in Philippines, 5% in Germany, Hungary and United Kingdom, with seventeen other countries each with 2% of infections.  Analysts are still investigating the campaign tactics, techniques, and procedures (TTPs) of the Orangeworm group to determine their objectives whether espionage of the medical systems themselves, to steal patient data, or potential future sabotage or ransom.

Continue reading …

Qualys WAS Introduces Swagger Support for REST API Security Testing

In the world of application security, testing REST APIs for security flaws is important because APIs can have many of the same application-layer vulnerabilities as browser-based web applications. Examples are SQL injection, command injection, and remote code execution. With the recent release of Qualys Web Application Scanning (WAS) 6.0, testing your REST APIs is easier than ever thanks to support for Swagger.

About Swagger

Swagger is a widely-adopted specification that allows for programmatically describing REST APIs. This is accomplished via a Swagger file, which may be in either JSON or YAML format. The Swagger file provides all the details about the APIs and how to invoke them. This includes information like the HTTP verbs to use (GET, POST, PUT, etc.), the URL paths, allowable parameters and types, authentication mechanisms, and so on.

Continue reading …