
SAQ Enables Users to Pick and Choose Questions for Custom Templates

Qualys Security Assessment Questionnaire (SAQ) has been enhanced with new features for questionnaire templates, which enable customers to choose questions that they want to include in their campaigns.

The new Question Bank option in the SAQ Template Editor provides users with a repository of out-of-the-box questions. Qualys SAQ is a licensed user of the 2018 Shared Assessments Standardized Information Gathering (SIG) Questionnaire. The Question Bank includes all the questions from the 2018 SIG Questionnaire, which can be picked and added to custom templates. This simplifies the process of creating or editing custom templates for internal as well as external vendor assessments.

Additionally, the existing Library option has been enhanced to allow users to browse through all the existing templates and choose only the required questions to be added to the custom templates. For example, SAQ provides 30+ out-of-the-box templates for NIST 800-53. Now, users can browse across all the 30+ templates and create their own custom template with only those questions that are required for their assessments.

Question Bank for the Ease of Campaign Creation

The Question Bank option includes an out-of-the-box list of questions that users can pick and choose to create their own questionnaires. Users can browse through all the SIG sections, select the relevant questions and add them to their custom template.


The Question Bank displays the SIG sections and the corresponding questions that can be picked either at a parent level or at a child level. Each chosen question is then added to the template that the user creates.

Library to Select Questions Across Multiple Templates

The enhanced Library option allows users to browse through all the available templates and select the most relevant questions for their custom template. The library of out-of-the-box questions contains questions that are categorized based on widely used compliance standards such as GDPR, PCI-DSS, HIPAA and so on.


Users can select a compliance category and then choose questions from multiple templates within the selected category and add them to the custom template.


Once the custom template is created with the chosen questions, users can use the template to carry out their campaigns and evaluate the compliance posture of their organization or their vendors.

QSC18 Virtual Edition: Securing Containers – From Build to Deployments

DevOps teams have embraced Docker container technology because it boosts speed, agility, and flexibility in app development and delivery. But it also creates security and compliance challenges.

“Containers are revolutionizing the IT landscape,” Hari Srinivasan, a Qualys Director of Product Management, said during QSC18 Virtual Edition. As the next big thing in IT, containers are seeing tremendous growth in adoption.

“Containers are lightweight, efficient, portable, and they boot faster, making it highly efficient and easy for developers to deploy their applications,” he said during his presentation “Securing Containers — From Build to Deployments.”

Containers are lighter than virtual machines because they can be spun up without provisioning a guest operating system for each one. For that reason, they also churn much more frequently.

With containers, applications can be smaller, focused on one or a few capabilities, and more portable, because they can be easily distributed across an IT environment, he said. That’s why containers have helped popularize microservices, a new architecture where applications are structured as independent, small, modular services.


July Patch Tuesday – Critical browser patches, Lazy FP, Exchange, Adobe vulns

This month’s Patch Tuesday is medium in weight, with 54 CVEs, 17 of them rated Critical. All but two of the Critical vulnerabilities are in Microsoft’s browsers or browser-related technologies. An additional speculative execution vulnerability announced in June was patched as well. Adobe has also released patches covering multiple products, each with multiple CVEs.


QSC18 Virtual Edition: Vulnerability Risk Management

When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry.

“The vast majority of WannaCry remediation took place as an emergency type process,” Jimmy Graham, a Qualys Director of Product Management, said during QSC18 Virtual Edition.

It’s key to have an integrated breach prevention program with asset inventory, vulnerability management, threat prioritization and patch management, he said.

Graham also outlined how Qualys can help customers comprehensively and proactively manage their vulnerability risk.

Read on to learn more.


GDPR Is Here: How GDPR Readiness Can Boost Your Business

Most discussions about the EU’s General Data Protection Regulation (GDPR) have naturally focused on best practices for achieving compliance and avoiding penalties.

With GDPR now a reality for all companies that store and process personal data of EU residents, an often overlooked aspect has been the overall business advantage of GDPR preparedness.

In this GDPR blog series’ last installment, Hariom Singh, Director of Policy Compliance at Qualys, delves into this topic. Later, we round up major areas covered in previous posts, and summarize how Qualys can help with GDPR compliance.


GDPR Is Here: Don’t Neglect Public Cloud Security

With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, protecting these environments is critical for complying with the EU’s General Data Protection Regulation (GDPR).

GDPR, which went into effect in May, imposes strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.

Public cloud platforms are being used to power digital transformation initiatives across many business functions where EU residents’ personal data is likely to be stored, processed and shared.

Thus, organizations need complete visibility into their public clouds, and they must have a solid security and compliance posture in these environments that includes vulnerability management, asset inventory, web app scanning, DevSecOps pipeline protection, and IT configuration controls.


QSC18 Virtual Edition: Global IT Asset Discovery, Inventory, and Management

Maintaining an IT asset inventory is essential for a strong security posture, but digital transformation has further complicated this already challenging task.

“The volume and variety of assets, including cloud, virtualization, mobility and IoT, is disrupting IT, and security takes center stage,” Pablo Quiroga, a Qualys Director of Product Management, said during QSC18 Virtual Edition.

Consequently, many security teams can’t definitively answer questions like: What are your IT assets? Where are they located? Who are their owners and users? How are assets related?

Having asset-inventory blind spots heightens security risks, which is why most regulations and standards highlight this practice. For instance, the Center for Internet Security’s Top 20 controls begin with inventory and control of hardware and software, because attackers constantly look to exploit vulnerable assets.

In his presentation, titled “Global IT Asset Discovery, Inventory, and Management,” Quiroga explained the importance of a complete and accurate inventory, and how Qualys can help. Read on to learn more.


Qualys Cloud Platform (VM, SCA, PC) 8.14 New Features

This new release of the Qualys Cloud Platform (VM, SCA, PC), version 8.14, includes several new feature improvements across the apps such as Wallix AdminBastion support, EC2 scan improvements, VM reporting improvements, ESX/ESXi PC support for vCenter, PC STIG Report, and expanded technology support for Qualys Policy Compliance.


QSC18 Virtual Edition: Securing Hybrid IT Environments from Endpoints to Clouds

As organizations embrace digital transformation to boost business processes, traditional IT environments get altered, becoming distributed, elastic and hybrid. “That’s creating a new challenge for security,” Chris Carlson, Qualys’ Product Management VP, said during QSC18 Virtual Edition.

As elements like cloud services, mobility, IoT, and DevOps are incorporated into IT environments, security teams often struggle with asset visibility, credential issues, authentication failures, remote-user scanning, and scheduled scan ineffectiveness.

But these challenges also offer “an opportunity to redefine how security programs and controls are done,” he said during his presentation titled “Securing Hybrid IT Environments from Endpoints to Clouds.”

Carlson went on to explain how organizations can secure digital transformation efforts with Qualys’ platform, and emphasized the benefits of Cloud Agent sensors. Read on to learn more.


GDPR Is Here: Web App Security Is a Must

With web and mobile apps becoming a preferred vector for data breaches, organizations must include application security in their plans for complying with the EU’s General Data Protection Regulation (GDPR).

GDPR went into effect in May, imposing strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.

While GDPR makes only a few, vague references to technology, it’s clear that, for compliance, infosec teams must demonstrate that their organizations are doing their best to prevent accidental or malicious misuse of EU residents’ personal data.

Thus, organizations must have a rock-solid security foundation for superior data breach prevention and detection, and web application security has to be a core component of it.
