Qualys Blog

13 posts

Call For Customer Presentations at RSA Conference 2016!

Tell your security story to your peers at RSA Conference 2016 San Francisco!

Qualys is looking for customers excited to talk about security, best practices and case studies leveraging Qualys technologies. Take the stage in the Qualys booth to share your experience with RSA Conference attendees two or three times total during exhibit hall hours on March 1, 2, or 3.

If you would like to be considered as a presenter, please send a title and short abstract for a 20-30 minute presentation to Victoria Venturi at vventuri@qualys.com. The call for presenters is open until January 29, 2016.

RSA Conference 2016 is held at Moscone Convention Center in San Francisco. Qualys will provide accepted presenters with a full conference pass, and pay your airfare and hotel expenses for the conference.

SSL News Roundup

Here’s a summary of this week’s SSL news, in case you missed any of it:

SSL Labs API Available

Qualys SSL Labs now includes free assessment APIs, accompanied by a free open source tool that can be used for bulk and automated testing of websites. These APIs and tool are already being used to consolidate testing of websites, detect changes in results and get notifications when certificates expire. And we continue to see public reports of poor SSL configurations, with the goal of motivating companies to improve their security. Here’s an article from eWeek.

Call for Customer Presenters in Qualys Booth at RSA Conference 2015

Are you a Qualys customer with an interesting story to tell about how Qualys has helped your organization improve its security posture?

If yes, we would love to have you speak in the Qualys Booth at RSA Conference 2015 in San Francisco, April 20-24, 2015.

Gartner Security & Risk Management Summit

The lineup of sessions at Gartner Security & Risk Management Summit includes three presentations from Qualys. We are excited to participate in the conference, and look forward to seeing you!

Welcome to the New and Improved Qualys Community

Qualys Community just got upgraded!

You’re seeing the new, cleaner design with full-width content that makes it easier to find answers to your questions and to connect with your IT security peers.

Read on to learn how to get the most out of your Qualys Community experience:

And of course, please ask if you have questions or feedback or suggestions. The Qualys Community team wants to make Qualys Community as helpful and seamless for you as possible.

Qualys at RSA Conference 2014

To help keep track of what happened at RSA Conference 2014, here’s a quick list of Qualys' activities over the week:

Conference Events

New Blog Posts from Qualys Community

SSL Labs: Testing for Apple’s TLS Authentication Bug: Updates to SSL Labs let you test for this newly-discovered (and now patched) bug.

MediaWiki DjVu and PDF File Upload Remote Code Execution Vulnerability: Deep-dive into only the third remote code execution vulnerability ever found to affect the MediaWiki platform.


QualysGuard Continuous Monitoring enables customers to continuously monitor mission-critical assets throughout their perimeter and immediately get alerted to anomalies that could expose them to cyber attacks.

QualysGuard Web Application Firewall offers rapid deployment of robust security for web applications with minimal cost of ownership, and is constantly updated with new rules to keep up with application updates and newly emerging threats.

Top 4 Security Controls helps organizations quickly determine if the PCs in their environments have properly implemented the Top 4 Critical Security Controls, which the Council on CyberSecurity estimates can help companies prevent 85% of cyber-attacks. The Top 4 Security Controls are released in collaboration with the SANS Institute and the Council on CyberSecurity.

2014 SC Magazine Awards


  • Risk I/O: For businesses that need to understand the vulnerability and threat risks of their organization’s perimeter in real-time, the new integration enables them to sync their vulnerability data with Risk I/O’s threat processing engine, allowing organizations to gain visibility into their most likely vector for a breach.
  • AlgoSec Partners: The integration provides visibility into the risk levels of data center applications, enabling IT and security teams to effectively communicate with business stakeholders so they can “own their risk” by quickly taking the actions needed to mitigate IT security issues.

Top 13 of ’13: Qualys Community

It’s time for the Top 13 of '13 — the most popular and most viewed blog posts, discussions, new product features, technical documents and videos that were contributed, read, updated, and commented on in 2013 by the Qualys Community of security professionals.

Many thanks to all the Qualys Community members and site visitors for building out the reference library and active conversations that comprise Qualys Community!

Top 10 of 2012 from Qualys Community

Here are the most popular and most viewed blog posts, discussions, new product features, technical documents and videos that were contributed, read, updated, and commented on in 2012 by the Qualys Community of security professionals.

Many thanks to all the Qualys Community members and site visitors for building out the reference library and active conversations that comprise Qualys Community!

Top 10 Blog Posts

  1. Mitigating the BEAST attack on TLS
  2. Lessons Learned from Cracking 2 Million LinkedIn Passwords
  3. Are you ready for slow reading?
  4. TLS Renegotiation and Denial of Service Attacks
  5. CRIME: Information Leakage Attack against SSL/TLS
  6. How I Knocked Down 30 Servers from One Laptop
  7. Protocol-Level Evasion of Web Application Firewalls
  8. Passing the Internal Scan for PCI DSS 2.0
  9. Android Security Evaluation Framework: ASEF
  10. New Java 0-Day Disclosed

See the most current blog posts.

Top 10 Discussion Threads

  1. How to enable TLS 1.1 & 1.2 on OpenSSL & SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability
  2. PCI Failure for CVE-2011-3389 (BEAST Attack) & BEAST vulnerability detection
  3. ssllabs.com’s own Apache SSL Config Directives
  4. Web Server Vulnerable to Redirection Page Cross-Site Scripting Attacks
  5. How to create a Linux user
  6. Hidden RPC services error
  7. Anybody notice an uptick in "NetBIOS Shared Folder List Available" vulnerability?
  8. FIPS-Ready checks
  9. FTP
  10. Mitigating WAS QID 150085 Slow HTTP POST Vulnerability on Apache

See the most current discussion threads.

New Product Features in 2012

  1. QualysGuard 7.7
  2. Introducing QualysGuard Dynamic Asset Tagging and Management
  3. QualysGuard 7.6
  4. QualysGuard 7.5
  5. QualysGuard 7.4
  6. QualysGuard 7.3
  7. QualysGuard 7.2
  8. QualysGuard 7.1
  9. QualysGuard 7.0
  10. QualysGuard WAS 2.4
  11. QualysGuard WAS 2.3.2
  12. QualysGuard WAS 2.3.1
  13. QualysGuard WAS 2.3
  14. QualysGuard MDS Enterprise Edition 2.1
  15. Automatic Scanning is now part of BrowserCheck Business Edition
  16. Safe Browsing with Qualys BrowserCheck

Top 10 Technical Documents

  1. BrowserCheck FAQ
  2. QID 90780 FAQ: Microsoft ASP.NET ValidateRequest Filters Bypass Cross-Site Scripting Vulnerability
  3. Reference: QualysGuard Virtual Scanner Appliance
  4. Verify QID 38140 – SSL Server Supports Weak Encryption Vulnerability
  5. QualysGuard API Sample Code
  6. How is QID 38142 – SSL Server Allows Anonymous Authentication Vulnerability detected?
  7. How does vulnerability scanning work?
  8. How does UDP port scanning and service detection work?
  9. How does QualysGuard mapping work?
  10. UPDATE: QID 38171 “SSL Certificate – Server Public Key less than 2048 bit”
  11. Bonus document: QualysGuard Virtual Scanner Appliance: Platform Qualification Matrix

See LOTS MORE support articles and how-to’s in the Help Center.

Top 5 Videos

  1. QualysGuard Vulnerability Management Video Series
  2. QualysGuard Policy Compliance Video Series
  3. QualysGuard Web Application Scanning Video Series
  4. QualysGuard Malware Detection Service Enterprise Edition Video Series
  5. Best Practice Videos

Qualys wishes you a happy, productive, and secure 2013!

Advanced Persistent Threats Experts Video


Brian Krebs, Journalist



Wolfgang Kandek, CTO, Qualys

Rodrigo Branco, Researcher, Qualys

Rich Mogull, Analyst & CEO, SECUROSIS

Gunter Ollmann, CTO, Damballa

Andy Bonillo, Principal, Investigative Response, Verizon



September 29, 2011 at Qualys Security Conference 2011 San Francisco


Topics include:

  • What is APT?
  • What makes APTs successful when they’re successful?
  • Are so-called APTs executed via vulnerabilities that should have been patched?
  • Good system administration is the baseline defense.
  • How does any organization protect itself against the most sophisticated attacks?
  • Do organizations have the ability to know how long they have been pwned?
  • TCP: total cost of pwnage.
  • Dynamics of the APT ecosystem.
  • Best practices for securing systems.
  • What happens when organizations fail to detect APTs?
  • What can we do to make things better?
  • Are you hopeful the community will share information?
  • Q&A: What should we look for in log files?
  • Q&A: What is opinion on virtual patching?
  • Q&A: What is impact of increase in mobile devices?



58 minutes, 32 seconds