Qualys Cloud Platform 2.37 New Features
This release of the Qualys Cloud Platform version 2.37 includes updates and new features for Security Assessment Questionnaire and Web Application Scanning, highlights as follows.
1387 posts
Know What’s on Your Network at All Times with Qualys Asset Inventory
Qualys has just launched a global IT asset inventory solution that offers full visibility across even the most hybrid, complex and distributed IT environments, addressing a challenge many security and IT teams face today.
When IT directors and CISOs look at their digitally transformed networks, they encounter many shadows that their legacy enterprise software tools can’t illuminate. These blind spots often include cloud workloads, containers, IoT systems, mobile devices, remote endpoints, and Operational Technology wares.
Because full visibility is essential for security, this foggy, fragmented view of a network makes the organization vulnerable to cyber attacks. Qualys Global IT Asset Inventory (AI) provides complete, continuous, structured and enriched asset inventory in hybrid environments.
“This is a really big deal because it’s the basis of security: If you don’t know what you have, you can’t secure it,” says Qualys Chief Product Officer Sumedh Thakar.
Justin Bendl, Senior Manager for Security & Compliance at Federal Home Loan Bank of Pittsburgh, says that Qualys AI has begun to assist the bank in expanding automation that provides real-time visibility into the completeness and accuracy of software assets.
“This automation is enhancing the bank’s overall control environment and further mitigating risks in a proactive manner,” Bendl says.
Philippe Courtot, Qualys Chairman and CEO, highlights the benefits of Qualys AI’s full integration with the Qualys Cloud Platform. “You will know instantly what assets connect to your network, and be able to assess their security and compliance posture in real-time, giving you unprecedented and essential visibility,” says.
Read on to learn more details about Qualys Global IT Asset Inventory and the use cases it’s designed for.
February 2019 Patch Tuesday – 74 Vulns, 20 Critical, Exchange 0-day, Adobe Vulns
This month’s Patch Tuesday is very large, with 74 vulns being addressed of which 20 are labeled as critical. Fifteen of these critical vulns are in the Scripting Engine and browsers, with the remainder being GDI+, SharePoint, and DHCP. Microsoft also issued an Advisory for an Exchange 0-day, along with a patch for one of the two reported vulns. Adobe also released updates for Acrobat/Reader, Flash, Coldfusion, and Creative Cloud.
RunC Container Breakout Vulnerability
Despite the huge advantages that containers offer in application portability, acceleration of CI/CD pipelines and agility of deployment environments, the biggest concern has always been about isolation. Since all the containers running on a host share the same underlying kernel, any malicious code breaking out of a container can compromise the entire host, and hence all the applications running on the host and potentially in the cluster.
That fear of container isolation failing to hold up turned out to be true yesterday when a vulnerability in runC was announced. runC is the key and most popular software component that most container engines rely on for spinning up containers on a host. The announced vulnerability allows an attacker to break out of the container isolation through a well-crafted attack (technical details of the vulnerability and the exploit are at https://seclists.org/oss-sec/2019/q1/119) and compromise the entire host. The vulnerability is particularly nasty because it is not covered by the default AppArmor or SELinux kernel-enforced sandboxing policies.
Assess Vulnerabilities, Misconfigurations in AWS Golden AMI Pipelines
Today we’re starting a blog series focused on how to integrate Qualys solutions into DevSecOps for securing cloud infrastructures. In this initial post, we’ll discuss the importance of assessing vulnerabilities and misconfigurations on AWS pipelines.
When developing golden Amazon Machine Images (AMIs), DevOps teams should run continuous and automated checks to eliminate vulnerabilities and misconfigurations in them. It’s a critical security and compliance practice that Qualys recommends its customers adopt.
To that end, Qualys partnered with Amazon to integrate the AWS Golden Amazon Machine Image Pipeline reference architecture with Qualys scanners for vulnerability and configuration compliance assessment.
The result: Qualys has just published a GitHub repository and documentation for implementing Qualys scanning of instances in a golden AMI pipeline. This will help customers detect and fix critical vulnerabilities and compliance issues in the image creation pipeline, before they reach production environments.
Qualys Policy Compliance Notification: Policy Library Update
Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.
In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.
Qualys Cloud Platform 2.36 New Features
This release of the Qualys Cloud Platform version 2.36 includes updates and new features for AssetView (Cloud Assets and Cloud Agents) and Web Application Scanning, highlights as follows.
Policy Compliance Adds UDC Support for Cloud Agent
Qualys is extending the Cloud Agent capabilities for users of the Policy Compliance (PC) application by letting them define controls.
Until now, the Cloud Agent could only assess Qualys PC’s “out of the box” controls. By adding support for user defined controls (UDC), Qualys PC users now can use Cloud Agents to evaluate those types of controls. UDCs allows users to create their own controls dynamically, as needed, without having to submit control requests to Qualys development.
The UDC controls you’ve already defined in your Qualys Policy Compliance account for compliance scanning will also be evaluated by Qualys Cloud Agent with no action required from you.
Qualys Cloud Platform (VM, PC) 8.17 New Features
Qualys Cloud Platform (VM, PC) version 8.17 contains various feature enhancements in Qualys Vulnerability Management and Qualys Policy Compliance. In addition, this release also lowers the time required before pausing or canceling an ongoing scan. Previously, scheduled scans could be cancelled or paused after a minimum of one hour from its start time.
mod_ssl Bug and SSL Labs Renegotiation Test
Update February 20, 2019: To give more time to fix, we will re-enable the SSL Labs Renegotiation Test on March 11, 2019 (two additional weeks).
The Apache Security Team fixed a bug which triggers whenever a client attempts renegotiation with Apache HTTP Server 2.4.37 and OpenSSL 1.1.1. This bug causes the Apache httpd service to consume 100% CPU. Details of the bug can be found at: https://bz.apache.org/bugzilla/show_bug.cgi?id=63052
Local testing by Qualys confirms that the SSL Labs renegotiation test triggers this bug for the above-mentioned server configuration, and can be used to cause the Apache httpd service on a target system to consume 100% CPU.
To allow Apache users time to apply the fix, SSL Labs has disabled the Renegotiation Test for one month, and we will re-enable it on February 25, 2019. While the test is disabled, users will not see the following in SSL Labs reports:
Acknowledgements
We would like to thank the Apache Security Team for working with us on this issue.