Qualys Community


A CSO’s View of Vulnerability Management: “Essential and Core” to Enterprise Security

Ed Amoroso, who spent 31 years working in IT security at AT&T, the last 12 as the company’s CSO, recently let us pick his brain on infosec topics such as vulnerability management, patch prioritization and emerging technology. Below is our Q&A with Amoroso, who is now CEO of TAG Cyber, a cyber security advisory and consulting firm which he founded this year and which recently published its first annual industry report. This report found Vulnerability Management to be one of the top security controls for enterprise CSOs.

Does it surprise you when a vulnerability that was patched years ago continues to be exploited successfully even in companies and government agencies with a lot of IT resources? Do you think this is caused by issues in any one part of the VM process (discovery, prioritization or remediation)?


Emergency Flash Player 0-day update released by Adobe

Adobe released APSB16-36 today to fix one 0-day vulnerability in Flash. The vulnerability is currently being used in active attacks, which is why Adobe released this emergency fix. If left unpatched, attackers can remotely take complete control of the machine. The vulnerability (CVE-2016-7855) is triggered when the victim views malicious Adobe Flash content. Usually innocent users end up with malicious Flash content by clicking on bad links from e-mails, blogs, bulletin boards and other sources.


Video: Pulitzer Prize Winner Kaplan Talks about Cyber War in our Unsafe Internet

Qualys Security Conference 2016 ended with a bang thanks to Fred Kaplan, a Pulitzer Prize winner whose keynote “Cyber Conflict: Prevention, Stability and Control” gave hundreds of attendees plenty of food for thought as they got ready to head back home.

Kaplan offered an unsettling overview of crucial security compromises made by architects, custodians and operators of the Internet from its genesis as Arpanet in the late 1960s to today.


Agility and Flexibility Needed To Manage Risk Throughout Vendor Relationship Lifecycle

We conclude our series on assessing third-party risk, where we’ve described scenarios in which an automated, cloud-based system can help you identify security and compliance gaps among vendors, partners and employees.

As we have outlined in this blog series, CISOs and their infosec teams need clarity and visibility not only into their IT environments, but also across their roster of trusted vendors. Organizations that don’t properly assess and manage the risk of doing business with their vendors, partners, suppliers, contractors and other third parties make their IT network and data vulnerable to hackers.


Oracle October 2016 Critical Patch Update

Oracle released another massive patch update today which fixed 253 security flaws across hundreds of Oracle products. This year we have seen the updates getting bigger, compared to an average of 161 vulnerabilities in 2015 and 128 vulnerabilities in 2014. Many components fixed in today’s release are remotely exploitable. Since most organizations have different teams to patch databases, networking components, operating systems, application servers and ERP systems, I have broken down the massive update into these categories. With the exception of Java there are no consumer products, and administrators should focus on their individual patching domains.


My Life as a Chief Security Officer

Gerhard Eschelbeck, Google’s VP of security and privacy engineering, worked at Qualys in the early- to mid-2000s and remembers it as a then-fledgling company brimming with passion and energy about its mission to change vulnerability management.

“It’s amazing to see the growth of the company, and the success and the trust you all have given to a technology that started about 15 years ago,” Eschelbeck said Wednesday at his keynote titled “My Life as a Chief Security Officer” during the Qualys Security Conference in Las Vegas.


Security Is Tough, but Infosec Pros Can Find Joy in the Work

Anger. Frustration. Despondency. Hopelessness. Capitulation.

These are typical feelings experienced by infosec pros, as they deal with careless end users, impatient executives, emerging technology, budget constraints and understaffing.

“It’s tough out there,” said Mike Rothman, president of Securosis, an information security and analysis firm.


Infosec Teams Need More Collaboration and Automation to Defend Their Organizations and Help Them Succeed

Infosec teams are under a figurative DDoS (distributed denial of service) attack caused by a variety of business and operational factors that overwhelm them and keep them from crafting strategies to address long-term challenges.

Instead, infosec pros spend most of their time at work doing “day-to-day” tasks due to issues like understaffing and an overload of security alerts, according to Joseph Blankenship, a Senior Analyst at Forrester Research.


The Big Year: 2016 Product Advances Highlighted at QSC

Several product management leaders took the stage at Qualys Security Conference 2016 in Las Vegas on Wednesday to outline major recent improvements to Qualys products, including Cloud Agent, AssetView, ThreatPROTECT, Vulnerability Management, Policy Compliance and Web Application Scanning.


As Traditional Network Perimeters Dissolve, Qualys Cloud Platform Provides Global Security and Compliance Visibility

Every day, a large bank scans 1.4 million devices, a home improvement chain scans 2,200 stores and a major cloud infrastructure provider scans 2 million devices.

What do these three big companies have in common? They all rely on the Qualys Cloud Platform for these critical security scans, Qualys Chief Product Officer Sumedh Thakar said at the company’s annual conference.
