When Office Depot went looking for a new vulnerability management system, it picked Qualys for several reasons, including the variety and capabilities of its application programming interfaces (APIs). This was the topic of a recent talk by Office Depot Director of Global Information Security Jon Scheidell.
Since deploying Qualys Vulnerability Management (VM) about three years ago, the office supply chain has made ample and effective use of Qualys APIs in ways that have helped improve its overall security posture and its business operations.
“They’re one of the security vendors that does a better job of not only creating APIs for different features but also documenting them very, very well,” Scheidell said during a recent presentation at the Black Hat USA 2016 conference.
Qualys has always prioritized the extensibility of its platform via APIs, starting in the early 2000s with the release of its first product, and it has intensified its API efforts in the last four or five years.
Today, almost all of the major functions of the Qualys Cloud Platform are accessible to third party developers via APIs. In addition to Vulnerability Management, Qualys offers complete API sets for Web Application Scanning, Web Application Firewall, Policy Compliance, Continuous Monitoring, Malware Detection and the platform’s underlying asset management and tagging functionality.
Office Depot and Qualys
When Scheidell joined Office Depot, it had an existing, on premises VM product that had outlived its usefulness. “There was an opportunity to look for something new,” he said.
Office Depot evaluated all vendors in the VM space, and determined that Qualys was the best fit for the organization. In addition to liking Qualys’ APIs, Office Depot was impressed by its SaaS (software as a service) architecture. “There’s no maintenance,” Scheidell said.
Office Depot also valued other features, including: Qualys’ rare support for overlapping IP addresses; its native AWS (Amazon Web Services) integration; and its centralized multi-product cloud platform.
Once chosen, Qualys VM proved to be a breeze to roll out, even though the scope of the project was large, encompassing Office Depot operations in 56 countries. “Qualys was very, very simple to deploy,” he said.
Leveraging Qualys’ APIs
Office Depot has actively taken advantage of the extensibility of the Qualys platform, whose REST (Representational State Transfer) APIs Scheidell describes as “extensive and well documented.”
“I get really excited about APIs. I love to automate and script things, and their APIs make it super, super simple to do,” he said.
Scheidell particularly likes Qualys’ native support for the Groovy scripting language, which Office Depot has used to build scriptlets that perform custom actions, such as dynamic asset tagging.
Overall, Office Depot has leveraged Qualys APIs via free community-built applications, in-house developed tools and commercial integrations. Here are a few examples:
In-house developed single-host scan app
Unsurprisingly, Office Depot has a very large applications support team. Scheidell wanted to extend to those staffers the slice of VM functionality they need. The key was to strike a happy medium between the overkill of giving them full-fledged access to Qualys, and the other extreme of keeping them out of Qualys completely.
“They didn’t need to have log-ins. They didn’t need to have all the features within Qualys,” he said. “All they really needed to do was to run a scan on a single asset they own to get results.”
Tapping Qualys APIs, Scheidell’s team built a custom web-based scan application for these users to check for vulnerabilities. “It makes this super simple,” he said.
Prior to the launch of this website, users would submit change requests to the security team asking for scans to be run. They’d have to wait for the request to be fulfilled, and a report would be emailed to them. Often, they’d need to obtain clarification on the contents of the report.
Instead, now they can go to the website, type in the asset to be scanned and about 30 minutes later they’re emailed a simplified report. “It doesn’t try to list everything that’s wrong with the device. It only lists the things that as a policy we require the user to remediate,” he said.
“All that users need to worry about is: if the report’s got something on it, fix it. If it doesn’t, attach it to your change control and you’re done,” Scheidell added. “It took cycles off of the security team.”
In-house developed tool for detecting SSL 3 and TLS 1 protocol vulnerabilities
Office Depot didn’t have a precise report that specifically broke down the key information that a systems admin needs to remediate Secure Socket Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.x protocol vulnerabilities.
“They didn’t want to read a 30-page report of all the vulnerabilities in a box and weed through all the informational things. They’re not going to do that,” Scheidell said. “So we created a script. It was super simple.”
The script — about 20 lines of code — makes a quick API call and downloads scan results for a particular Qualys QID that tells you all of the ciphers that are enabled on all of the ports that are detected. The results are collected in a CSV file that’s emailed weekly to users.
“It breaks out very simply the only things that people care about: IP address, what port we detected the ciphers or protocols on, the DNS name, which protocols are enabled, and the last time the server was scanned,” he said.
Sys admins can go through the report and quickly learn which servers have SSL and TLS vulnerabilities and need patching.
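An added example, not Office Depot's script or Qualys code, of the reduction step described above: it filters exported detection data down to one QID and writes the five report columns. The QID value, the XML element names and the RESULTS wording are constructed assumptions.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

CIPHER_QID = "99999"  # placeholder: the page does not name the QID
FIELDS = ["ip", "port", "dns", "protocols", "last_scan"]
ENABLED = re.compile(r"^(SSLv\d|TLSv\d(?:\.\d)?) PROTOCOL IS ENABLED", re.M)
# Constructed sample; element names and RESULTS wording are assumptions.
SAMPLE_XML = """<HOST_LIST>
<HOST><IP>10.0.0.5</IP><DNS>web01.example.test</DNS>
<LAST_SCAN_DATETIME>2016-08-01T02:14:00Z</LAST_SCAN_DATETIME>
<DETECTION><QID>99999</QID><PORT>443</PORT><RESULTS>SSLv3 PROTOCOL IS ENABLED
TLSv1 PROTOCOL IS ENABLED
TLSv1.2 PROTOCOL IS ENABLED</RESULTS></DETECTION>
<DETECTION><QID>11111</QID><PORT>22</PORT><RESULTS>other finding</RESULTS></DETECTION>
</HOST>
<HOST><IP>10.0.0.9</IP><DNS></DNS>
<LAST_SCAN_DATETIME>2016-08-02T03:00:00Z</LAST_SCAN_DATETIME>
<DETECTION><QID>99999</QID><PORT>8443</PORT><RESULTS>TLSv1.2 PROTOCOL IS ENABLED</RESULTS></DETECTION>
</HOST>
</HOST_LIST>"""


def protocol_rows(xml_text, qid=CIPHER_QID):
    """Return one dict per host/port that carries the cipher-listing QID."""
    rows = []
    for host in ET.fromstring(xml_text).iter("HOST"):
        for det in host.iter("DETECTION"):
            if det.findtext("QID") != qid:
                continue  # drop every other finding on the box
            protos = ENABLED.findall(det.findtext("RESULTS") or "")
            rows.append({
                "ip": host.findtext("IP"),
                "port": det.findtext("PORT"),
                "dns": host.findtext("DNS") or "",  # host may have no DNS name
                "protocols": " ".join(protos),
                "last_scan": host.findtext("LAST_SCAN_DATETIME"),
            })
    return rows


def to_csv(rows):
    """Serialise rows in the column order of the weekly report."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Calling `to_csv(protocol_rows(SAMPLE_XML))` yields one header line plus one row per host and port, ready to attach to the weekly email.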
Community-built app use: Scantronitor
Available for free on GitHub, Scantronitor is a self-service tool built by volunteer developers that lists past, current and scheduled Qualys vulnerability scans on a particular system without having to log into Qualys.
Its value is that it gives any approved user more clarity about the potential performance impact of scans on their systems, without the need to obtain that information from the infosec team.
“When we first rolled out Qualys, every performance problem we had, we got a call, sometimes at 3 a.m., asking if a scan was running and thus causing the slowdown,” Scheidell said.
Office Depot rolled out Scantronitor for its service availability managers, allowing them to check scan activity on different systems themselves, a solution that has worked very well.
An interesting side note: Since its deployment, Qualys VM hasn’t had a negative impact on the Office Depot network’s performance, according to Scheidell.
Commercial integration app use: Qualys App for Splunk
Office Depot is a Splunk customer, so it has taken advantage of Qualys VM for Splunk Enterprise. Qualys VM for Splunk taps VM data via the Qualys API and streamlines its export to Splunk Enterprise. Within Splunk Enterprise, the apps provide dashboards containing summary charts about affected web applications and IT asset vulnerabilities, respectively, as well as search tools.
Office Depot uses the app to enrich its Splunk data to do things like find IT asset owners and assign remediation tickets, as well as to drive an executive dashboard. “It’s been very well received,” Scheidell said.
Qualys fully committed to enhancing and extending its APIs
Office Depot and all other customers and partners using Qualys APIs can rest assured that Qualys will continue to improve its APIs, and make its platform more accessible to developers.
“APIs are very important and strategic to our long-term growth strategy, so we want to add a lot of functionality to the API,” Jeffrey Leggett, Director, Cloud Services, API & Integration at Qualys, said in a recent interview with DevNetwork.com.
As promised, Qualys delivered in December a full set of management APIs for automatically deploying and orchestrating its Cloud Agents, which were launched in April of 2015.
Customers have embraced the Cloud Agents, with over 1 million deployed in their environments, and Qualys wants to make this process even simpler and easier for them via APIs.
“Longer term, our goal is to let customers and partners fully automate all aspects of Qualys, so that any function you can access within the Qualys Cloud Platform, you should be able to reproduce with the API,” Leggett said.
Right now, about 20 percent of Qualys customers use its API, a percentage Qualys wants to continue growing.
Interested in seeing more information about Qualys APIs?
- Office Depot presentation from Black Hat USA 2016
- Splunk and Qualys speak about the Qualys VM app for Splunk Enterprise
- Qualys Documentation, including user guides for all APIs