Capital One: Building Security Into DevOps

Capital One prides itself on staying at the forefront of IT innovations to give its business a competitive edge.

For example, it adopted Agile software-development methodologies years ago, and uses artificial intelligence and machine learning. It was the first bank to implement a mobile wallet with “contactless” NFC payments, and to offer voice-activated financial transactions using Amazon’s Alexa. When 2018 ends, Capital One expects 80% of its IT infrastructure to be cloud based, allowing it to go from seven to two data centers.

Given its tech transformation track record, it’s not surprising that Capital One has embraced DevSecOps, embedding automated security checks into its DevOps pipeline. This effort has dramatically accelerated the process of assessing vulnerabilities and misconfigurations in its virtual machine images and containers.

As a result, the code created in the DevOps pipeline is certified as secure and released to production without unnecessary delays. This allows Capital One — one of the United States’ 10 largest banks, based on deposits — to consistently boost its business across the board by quickly and continuously improving its web properties, mobile apps, online services and digital offerings.

“This has provided a huge benefit to the entire company,” said Emmanuel Enaohwo, Senior Manager for Vulnerability/Configuration Management at Capital One, a Fortune 500 company based in McLean, Virginia that offers a broad spectrum of financial products and services to consumers, small businesses and commercial clients.

Read on to learn how the bank has automated vulnerability and compliance checks in its CI/CD software pipeline, helped by Qualys.

Infosec Teams Race To Secure DevOps

With DevOps adoption spreading, infosec teams are scrambling to address the new security challenges stemming from DevOps’ accelerated code development and app deployment. But while IT organizations have made notable progress adapting security to their DevOps processes, work remains to be done.

That’s a key finding from SANS Institute’s “Secure DevOps: Fact or Fiction” report, which was discussed recently in a two-day webcast (Part 1 & Part 2) co-sponsored by Qualys. A revealing statistic: Under 50% of respondent organizations have fully “shifted left” to embed security throughout their DevOps pipelines, a figure that should be higher.

“Security is still being built in at the end, whereas risk reduction should start earlier in the software development lifecycle,” said Barbara Filkins, a SANS analyst. With security in the early stages of application design, “we can eliminate many issues that we’d see at the back end,” she said.

Threading security throughout DevOps also preserves the benefits of continuous and quick software delivery, like improved customer support and employee productivity. 

“As a DevOps engineer, you’re looking to automate security at the speed of what business needs,” said Qualys Product Management Director Hari Srinivasan.

“The goal is enabling a transition from DevOps to secure DevOps that is factual, not fiction,” Filkins said.

Read on to learn about DevSecOps challenges, best practices and case studies.

Qualys Cloud Platform 2.35 New Features

This release of the Qualys Cloud Platform, version 2.35, includes updates and new features for AssetView, Cloud Agent, Security Assessment Questionnaire, and Web Application Scanning; highlights are as follows. (Note: this post has been edited after publishing to remove the Azure Cloud Connector, which will be available in a subsequent release.)

QSC18 Takeaway: Complex Environments Demand Visibility and Real-Time Security

If there were two important takeaways from this year’s Qualys Security Conference, they would be that today’s complex hybrid environments demand that security teams find ways to increase visibility into the state of their security posture, and that they be able to quickly mitigate new risks as they arise.

With their respective keynotes, both CEO Philippe Courtot and Qualys chief product officer Sumedh Thakar showed just how sophisticated today’s environments have become. Today, all but the most straightforward environments consist of multiple cloud services, virtualized workloads, and traditional on-premises systems; and hundreds of application containers, microservices, and serverless functions.

SSL Labs Grade Change for TLS 1.0 and TLS 1.1 Protocols

Update 11/30/18: Now live on ssllabs.com. In the Configuration -> Protocols section, the “TLS 1.1” text color will be changed to orange by the end of November 2018.

The TLS 1.0 and TLS 1.1 protocols will be removed from browsers at the beginning of 2020. As there are no fixes or patches that can adequately secure SSL or the deprecated TLS versions, it is critically important that organizations upgrade to a secure alternative as soon as possible.

Various browser vendors have provided approximate deadlines for disabling the TLS 1.0 and TLS 1.1 protocols:

Browser                 Deadline
Microsoft IE and Edge   First half of 2020
Mozilla Firefox         March 2020
Safari/WebKit           March 2020
Google Chrome           January 2020

QSC18: API Security, Enabling Innovation Without Enabling Attacks and Data Breaches

Without APIs, it would be nearly impossible for enterprises to digitally transform themselves. After all, APIs are the connective tissue between applications and systems, and they make the management, automation and consumption of technology possible at scale. APIs are what enable organizations to liberate data from their applications, improve integration, and standardize how claims and information are governed.

However, what about the associated API security risks? That’s the subject Gartner analyst Mark O’Neill tackled in his presentation, API Security: Enabling Innovation Without Enabling Attacks and Data Breaches at Qualys Security Conference 2018. O’Neill sees API vulnerabilities as a serious enterprise risk in the years ahead. In fact, by 2020, he predicts API abuses will be the most frequent attack vector that results in data breaches for enterprise web applications. “We see more and more APIs as a threat vector,” O’Neill said.

Attackers go after APIs, O’Neill said, because they’re a direct way to valuable data and enterprise resources. In addition to being used to steal data, APIs are also susceptible to other forms of attack, such as denial-of-service attacks, O’Neill said.

So what can organizations do to better secure their APIs and the resources and information they expose?

QSC18 Day 1 Takeaway: Continuous Transformation Demands Continuous Security

The first day of Qualys Security Conference 2018 was a big one. Both CEO Philippe Courtot and Qualys chief product officer Sumedh Thakar detailed the challenges faced by many of today’s enterprises when it comes to the growth of cloud and the complexity of their hybrid environments. And they shared their visions of the road ahead: how enterprises can find ways to effectively manage their cloud environments and digital transformation efforts.

A big theme of the day was how cloud security brings complexity and lack of visibility into modern environments.

Additionally, Qualys VP of engineering Dilip Bachwani provided a look at how the Qualys Cloud Platform is built to scale and perform; Jimmy Graham spoke on obtaining real-time vulnerability management, and attendees learned how to better secure their cloud deployments, containers, and web applications.

QSC18: The Need for Security Visibility in the Age of Digital Transformation

Enterprises are moving full steam ahead when it comes to their digital transformation efforts. They’ve aggressively adopted cloud infrastructure and other cloud services, IoT, application containers, serverless functionality, and other technologies that are helping their organizations drive forward.

Those organizations that are way down the road in their digital transformation efforts say that they’ve witnessed improved business decision-making – both when it comes to making better decisions and when it comes to making those decisions more rapidly. They also say that they’ve improved their customer relationships by delivering an improved customer digital experience.

So it’s time to celebrate and declare digital victory, right?

Hold off before we book the band and order the champagne for the big party. In fact, those who want to move forward securely and confidently in their risk and regulatory compliance postures have some challenges ahead.

November 2018 Patch Tuesday – 62 Vulns, TFTP Server RCE, Adobe PoC

This month’s Patch Tuesday addresses 62 vulnerabilities, with 12 of them labeled as Critical. Out of the Criticals, 8 are for the Chakra Scripting Engine used by Microsoft Edge. A Remote Code Execution vulnerability in the Windows Deployment Services TFTP server is also addressed in this release. Adobe also patched three Important vulnerabilities this month, although there is a PoC exploit available for Adobe Acrobat and Reader.

Welcome to Qualys Security Conference 2018

The rise of cloud computing coupled with DevOps is forcing enterprises to rewrite their cybersecurity playbook, and part of that book will be written this week at Qualys Security Conference 2018 in Las Vegas.

Today, the dual cloud and DevOps mega-trends are helping companies to digitally transform how they build, deploy, and manage all aspects of their business. They’re delivering software and digital services more rapidly, able to respond with more agility to changing business and technological demands through the effective use of automation, machine learning, IoT, and the continuous delivery of new software services and features. This all comes at a price, however.
