The FedRAMP authorization obtained by the Qualys Cloud Platform was one of Qualys’ significant achievements in 2016. Why does that matter? Here we explain five reasons why FedRAMP (Federal Risk and Authorization Management Program) authorization is important for Qualys customers and partners. (And we explain what FedRAMP is!)
A new year has started, giving InfoSec professionals the perfect opportunity to evaluate what’s working and what’s not in their organizations, and, filled with that early-January optimism, set out to do better.
In that spirit of improvement and renewal, Qualys is kicking off today a blog series that outlines helpful tips — not just flimsy resolutions — for ensuring data security and compliance throughout the year.
In this initial post, we’ll discuss the first three of the Qualys Top 10 Tips for a Secure & Compliant 2017, addressing the importance of IT asset visibility, proper management of vulnerabilities, and continuous monitoring.
When Office Depot went looking for a new vulnerability management system, it picked Qualys for several reasons, including the variety and capabilities of its application programming interfaces (APIs). This was the topic of a recent talk by Office Depot Director of Global Information Security Jon Scheidell.
Since deploying Qualys Vulnerability Management (VM) about three years ago, the office-supply retailer has made ample and effective use of Qualys APIs in ways that have helped improve both its overall security posture and its business operations.
“They’re one of the security vendors that does a better job of not only creating APIs for different features but also documenting them very, very well,” Scheidell said during a recent presentation at the Black Hat USA 2016 conference.
Qualys has always prioritized the extensibility of its platform via APIs, starting in the early 2000s with the release of its first product, and it has intensified its API efforts in the last four or five years.
Today, almost all of the major functions of the Qualys Cloud Platform are accessible to third-party developers via APIs. In addition to Vulnerability Management, Qualys offers complete API sets for Web Application Scanning, Web Application Firewall, Policy Compliance, Continuous Monitoring, Malware Detection and the platform’s underlying asset management and tagging functionality.
An Interview with SSL Expert and SSL Labs Founder Ivan Ristić
Even though SSL/TLS is critical for the confidentiality, integrity, and authenticity of internet communications, it is correctly configured on only a small percentage of web servers, meaning that most websites and web apps aren’t as secure as they could be.
It doesn’t have to be that way, which is why Ivan Ristić, a security researcher, engineer, and author known for his expertise on various aspects of InfoSec, has spent years contributing to the field of SSL/TLS.
He launched SSLLabs.com in 2009 to provide SSL/TLS tools, research and documentation, brought it with him when he joined Qualys in 2010, and ran it until mid-2016, when he became an advisor. Under his leadership, SSLLabs.com became a de facto standard for secure server assessment and the go-to site for organizations looking for help improving their SSL/TLS configurations.
Ristić also wrote an entire book about the topic titled “Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications.” We recently had a chance to catch up with Ivan and pick his brain about SSL/TLS challenges, best practices and trends. Here’s what he told us.
SANS Survey Report: Organizations’ Continuous Monitoring Programs Must Keep Maturing to Yield Full Benefits
Organizations worldwide have expanded and sharpened their continuous monitoring (CM) programs over the past year, but their adoption of this key set of security practices remains far from perfect.
That’s the main finding from the SANS Institute’s second annual survey on CM programs, titled “Reducing Attack Surface” and published in November 2016.
Despite tangible improvements, CM “still has a way to go to attain the maturity needed to become a critical part of an organization’s business strategy,” reads the study, which polled almost 300 Infosec and IT pros actively involved in vulnerability assessment and remediation.
To stay secure, organizations must gain control and visibility over their app landscape
For many years, Jason Kent used a good old-fashioned remote control clicker to open and close his garage door, but the mechanism recently got “appified” so he became curious about its security.
His interest isn’t surprising. After all, Kent is Qualys’ Vice President of Web Application Security, so this topic is near and dear to his heart, and it’s fair to say he knows a thing or two about these matters.
To appease his curiosity, he donned a black hoodie because, as he explained at RSA Conference 2016 Abu Dhabi in mid-November, “you have to look the part when you’re hacking IoT,” and he sat in his driveway to try to break into the app.
“I looked at the communication from my mobile app to my garage door through the cloud. I broke into the communication. I crafted a packet in my laptop. And the door opened,” he said during his presentation titled “Security in the App Era: Building Strength for an Interconnected World.”
There’s one thing that businesses, their customers and cyber criminals have in common: They all love web applications. The reasons for their affection, of course, vary.
Web apps add agility to organizations’ operations such as sales, marketing and customer support, and make business transactions more convenient for customers. Meanwhile, attackers are drawn to web apps’ often porous attack surfaces and to their links to backend databases full of confidential information.
With web apps now a key tool for millions of businesses, as well as a major target for criminals, a troubling trend is emerging: The number of successful attacks against them is rising, along with the costs to recover from the resulting data breaches.
As web services power digital transformations in B2B and B2C e-commerce, mobility, IoT and cloud computing, organizations must prioritize web app protection, which infosec teams have historically overlooked.
BAI Security, a nationally-recognized security consultancy specializing in highly regulated industries, sees a big opportunity to further differentiate itself: threat prioritization.
Helping its customers pinpoint which vulnerabilities they must remediate right away is a natural expansion of the security auditing and compliance services it provides, such as breach risk, compromise and comprehensive IT security assessments.
“A lot of our competitors are just providing the vulnerability details without a lot of prioritization based on real world exploit activity,” says Michael Bruck, President and CTO of BAI Security.
At best, many security consultancies offer rudimentary prioritization analysis that, while better than nothing, still leaves customers with a lot of manual risk analysis on their hands. “So many organizations have dozens if not hundreds or thousands of ‘level 4’ and ‘level 5’ vulnerabilities,” Bruck says. “For IT departments with limited resources, tackling that is a huge challenge.”
Ed Amoroso, who spent 31 years working in IT security at AT&T, the last 12 as the company’s CSO, recently let us pick his brain on infosec topics such as vulnerability management, patch prioritization and emerging technology. Below is our Q&A with Amoroso, who is now CEO of TAG Cyber, a cybersecurity advisory and consulting firm he founded this year and which recently published its first annual industry report. That report found Vulnerability Management to be one of the top security controls for enterprise CSOs.
Does it surprise you when a vulnerability that was patched years ago continues to be exploited successfully even in companies and government agencies with a lot of IT resources? Do you think this is caused by issues in any one part of the VM process (discovery, prioritization or remediation)?
Qualys Security Conference 2016 ended with a bang thanks to Fred Kaplan, a Pulitzer Prize winner whose keynote “Cyber Conflict: Prevention, Stability and Control” gave hundreds of attendees plenty of food for thought as they got ready to head back home.
Kaplan offered an unsettling overview of crucial security compromises made by architects, custodians and operators of the Internet from its genesis as Arpanet in the late 1960s to today.