The Qualys Training team is eager to share all of the recent additions to our free training program, as well as provide insight into what is coming in 2019. You can expect to see regular updates as we continue to improve our training offerings!

It is our mission to help Qualys customers and partners become more familiar with the entire portfolio of Qualys Cloud Apps, learn key workflows and adopt best practices. To help guide you, we are creating Learning Paths which take you from fundamentals through advanced topics, and ensure you have a complete foundation in Qualys technology.

Continue reading …

Two QIDs will be marked as PCI Fail on May 1, 2019 as required by ASV Program Guide:

• QID 38601 “SSL/TLS Use of Weak RC4 Cipher”
• QID 42366 “SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)”

Continue reading …

We are pleased to announce that the Qualys WAS Jenkins plugin v2 is now available.  This version of the plugin introduces new features to facilitate automation, and a more user-friendly design.

Continue reading …

This month’s Patch Tuesday addresses 65 vulnerabilities, with 18 of them labeled as Critical. Thirteen of the Critical vulns are for scripting engines and browser components, impacting Microsoft browsers and Office. Three remote code execution (RCE) vulnerabilities are patched in the Windows DHCP Client, as well as an RCE vuln in Windows Deployment Services TFTP Server and Privilege Escalation in Microsoft Dynamics 365. Adobe’s release is light, with only two CVEs patched in Photoshop CC and Digital Editions.

Continue reading …

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

The January release includes the following new policy and updates:

• New CIS Benchmark for Ubuntu and PostgreSQL
• Updates to almost 60 existing library policies

Qualys’ Certification Page at CIS has been updated.

Continue reading …

This release of the Qualys Cloud Platform version 2.37 includes updates and new features for Security Assessment Questionnaire and Web Application Scanning, highlights as follows.

Continue reading …

Qualys has just launched a global IT asset inventory solution that offers full visibility across even the most hybrid, complex and distributed IT environments, addressing a challenge many security and IT teams face today.

When IT directors and CISOs look at their digitally transformed networks, they encounter many shadows that their legacy enterprise software tools can’t illuminate. These blind spots often include cloud workloads, containers, IoT systems, mobile devices, remote endpoints, and Operational Technology wares.

Because full visibility is essential for security, this foggy, fragmented view of a network makes the organization vulnerable to cyber attacks. Qualys Global IT Asset Inventory (AI) provides complete, continuous, structured and enriched asset inventory in hybrid environments.

“This is a really big deal because it’s the basis of security: If you don’t know what you have, you can’t secure it,” says Qualys Chief Product Officer Sumedh Thakar.

Justin Bendl, Senior Manager for Security & Compliance at Federal Home Loan Bank of Pittsburgh, says that Qualys AI has begun to assist the bank in expanding automation that provides real-time visibility into the completeness and accuracy of software assets.

“This automation is enhancing the bank’s overall control environment and further mitigating risks in a proactive manner,” Bendl says.

Philippe Courtot, Qualys Chairman and CEO, highlights the benefits of Qualys AI’s full integration with the Qualys Cloud Platform. “You will know instantly what assets connect to your network, and be able to assess their security and compliance posture in real-time, giving you unprecedented and essential visibility,” says.

Read on to learn more details about Qualys Global IT Asset Inventory and the use cases it’s designed for.

Continue reading …

This month’s Patch Tuesday is very large, with 74 vulns being addressed of which 20 are labeled as critical. Fifteen of these critical vulns are in the Scripting Engine and browsers, with the remainder being GDI+, SharePoint, and DHCP. Microsoft also issued an Advisory for an Exchange 0-day, along with a patch for one of the two reported vulns. Adobe also released updates for Acrobat/Reader, Flash, Coldfusion, and Creative Cloud.

Continue reading …

Despite the huge advantages that containers offer in application portability, acceleration of CI/CD pipelines and agility of deployment environments, the biggest concern has always been about isolation. Since all the containers running on a host share the same underlying kernel, any malicious code breaking out of a container can compromise the entire host, and hence all the applications running on the host and potentially in the cluster.

That fear of container isolation failing to hold up turned out to be true yesterday when a vulnerability in runC was announced. runC is the key and most popular software component that most container engines rely on for spinning up containers on a host. The announced vulnerability allows an attacker to break out of the container isolation through a well-crafted attack (technical details of the vulnerability and the exploit are at https://seclists.org/oss-sec/2019/q1/119) and compromise the entire host. The vulnerability is particularly nasty because it is not covered by the default AppArmor or SELinux kernel-enforced sandboxing policies.

Continue reading …

Today we’re starting a blog series focused on how to integrate Qualys solutions into DevSecOps for securing cloud infrastructures. In this initial post, we’ll discuss the importance of assessing vulnerabilities and misconfigurations on AWS pipelines.

When developing golden Amazon Machine Images (AMIs), DevOps teams should run continuous and automated checks to eliminate vulnerabilities and misconfigurations in them. It’s a critical security and compliance practice that Qualys recommends its customers adopt. 

To that end, Qualys partnered with Amazon to integrate the AWS Golden Amazon Machine Image Pipeline reference architecture with Qualys scanners for vulnerability and configuration compliance assessment.

The result: Qualys has just published a GitHub repository and documentation for implementing Qualys scanning of instances in a golden AMI pipeline. This will help customers detect and fix critical vulnerabilities and compliance issues in the image creation pipeline, before they reach production environments.

Continue reading …