DevOps teams have embraced Docker container technology because it boosts speed, agility, and flexibility in app development and delivery. But it also creates security and compliance challenges.

“Containers are revolutionizing the IT landscape,” Hari Srinivasan, a Qualys Director of Product Management, said during QSC18 Virtual Edition. As the next big thing in IT, containers are seeing tremendous growth in adoption.

“Containers are lightweight, efficient, portable, and they boot faster, making it highly efficient and easy for developers to deploy their applications,” he said during his presentation “Securing Containers — From Build to Deployments.”

Containers are lighter than virtual machines because they can be spun up without provisioning a guest operating system for each one. For that reason, they also churn much more frequently.

With containers, applications can be smaller, focused on one or a few capabilities, and more portable, because they can be easily distributed across an IT environment, he said. That’s why containers have helped popularize microservices, a new architecture where applications are structured as independent, small, modular services.

Continue reading …

This month’s Patch Tuesday is medium in weight, with 54 CVEs containing 17 Criticals. All but two of the Critical vulnerabilities are in Microsoft’s browsers or browser-related technologies. An additional speculative execution vulnerability announced in June was patched as well. Adobe has also released patches covering multiple product each with multiple CVEs.

Continue reading …

When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry. 

“The vast majority of WannaCry remediation took place as an emergency type process,” Jimmy Graham, a Qualys Director of Product Management, said during QSC18 Virtual Edition.

It’s key to have an integrated breach prevention program with asset inventory, vulnerability management, threat prioritization and patch management, he said. 

Graham also outlined how Qualys can help customers comprehensively and proactively manage their vulnerability risk.

Read on to learn more.

Continue reading …

Most discussions about the EU’s General Data Protection Regulation (GDPR) have naturally focused on best practices for achieving compliance and avoiding penalties.  

With GDPR now a reality for all companies that store and process personal data of EU residents, an often overlooked aspect has been the overall business advantage of GDPR preparedness.

In this GDPR blog series’ last installment, Hariom Singh, Director of Policy Compliance at Qualys, delves into this topic.  Later, we round up major areas covered in previous posts, and summarize how Qualys can help with GDPR compliance.

Continue reading …

With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, protecting these environments is critical for complying with the EU’s General Data Protection Regulation (GDPR).

GDPR, which went into effect in May, imposes strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.

Public cloud platforms are being used to power digital transformation initiatives across many business functions where EU residents’ personal data is likely to be stored, processed and shared.

Thus, organizations need complete visibility into their public clouds, and they must have a solid security and compliance posture in these environments that includes vulnerability management, asset inventory, web app scanning, DevSecOps pipeline protection, and IT configuration controls.

Continue reading …

Maintaining an IT asset inventory is essential for a strong security posture, but digital transformation has further complicated this already challenging task.

“The volume and variety of assets, including cloud, virtualization, mobility and IoT, is disrupting IT, and security takes center stage,” Pablo Quiroga, a Qualys Director of Product Management, said during QSC18 Virtual Edition.

Consequently, many security teams can’t definitively answer questions like: What are your IT assets? Where are they located? Who are their owners and users? How are assets related?

Having asset-inventory blind spots heightens security risks, which is why most regulations and standards highlight this practice. For instance, the Center for Internet Security’s Top 20 controls begin with inventory and control of hardware and software, because attackers constantly look to exploit vulnerable assets.

In his presentation, titled “Global IT Asset Discovery, Inventory, and Management,” Quiroga explained the importance of a complete and accurate inventory, and how Qualys can help. Read on to learn more.

Continue reading …

This new release of the Qualys Cloud Platform (VM, SCA, PC), version 8.14, includes several new feature improvements across the apps such as Wallix AdminBastion support, EC2 scan improvements, VM reporting improvements, ESX/ESXi PC support for vCenter, PC STIG Report, and expanded technology support for Qualys Policy Compliance.

Continue reading …

As organizations embrace digital transformation to boost business processes, traditional IT environments get altered, becoming distributed, elastic and hybrid.  “That’s creating a new challenge for security,” Chris Carlson, Qualys’ Product Management VP, said during QSC18 Virtual Edition.

As elements like cloud services, mobility, IoT, and DevOps are incorporated into IT environments, security teams often struggle with asset visibility, credential issues, authentication failures, remote-user scanning, and scheduled scan ineffectiveness.

But these challenges also offer “an opportunity to redefine how security programs and controls are done,” he said during his presentation titled “Securing Hybrid IT Environments from Endpoints to Clouds.” 

Carlson went on to explain how organizations can secure digital transformation efforts with Qualys’ platform, and emphasized the benefits of Cloud Agent sensors. Read on to learn more.

Continue reading …

With web and mobile apps becoming a preferred vector for data breaches, organizations must include application security in their plans for complying with the EU’s General Data Protection Regulation (GDPR.)

GDPR went into effect in May, imposing strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.

While GDPR makes only a few, vague references to technology, it’s clear that, for compliance, infosec teams must demonstrate that their organizations are doing their best to prevent accidental or malicious misuse of EU residents’ personal data.

Thus, organizations must have a rock-solid security foundation for superior data breach prevention and detection, and web application security has to be a core component of it.

Continue reading …

Two new built-in widgets for detecting the GravityRAT and GhostSecret advanced threats are now available in Qualys Indication of Compromise (IOC). These threats are of specific concern as they target industries like finance, entertainment, telecommunication and healthcare and have capability to exfiltrate data as well as cause extensive damage to the affected systems. Importing these widgets into your dashboard gives 2-second visibility across your enterprise to identify assets affected by these threats.

Continue reading …