Introducing QualysGuard Policy Compliance


QualysGuard Policy Compliance extends QualysGuard's global scanning capabilities to collect OS configuration and application access controls from hosts and other assets within the enterprise, and maps this information into policies to fix and document compliance with regulations and mandates.

QualysGuard Policy Compliance Benefits:

  • Combined agent-less solution for vulnerability and configuration scanning
  • Rapid global deployment with the QualysGuard Software-as-a-Service (SaaS) delivery model requiring no software to install or maintain
  • Centralized approach to policy definition and management
  • Customizable auditing capabilities for multiple regulatory initiatives and mandates including SOX, HIPAA, GLBA, Basel II and others
  • Comprehensive instructions and audit trails to review and prove compliance with auditors

For more details, please visit:

QualysGuard 6.0: Reporting Metrics for Enterprise Stakeholders


QualysGuard 6.0 enables security managers and key organization executives, including business line managers, members of the board and auditors, to get an on demand view of IT security and compliance within the enterprise. QualysGuard 6.0 offers new metrics reporting supported by scorecards and secure, collaborative report distribution workflows which help operations and IT staff to be efficient and communicate effectively with auditors and executive management.

QualysGuard PCI: Determine Your Compliance Gaps and Take Action to Ensure Full Compliance


The new Self-Assessment Questionnaire (SAQ) Version 1.1, issued by the Payment Card Industry (PCI) Security Standards Council (PCI SSC), is now available within QualysGuard PCI. Implementation of the new SAQ allows customers to complete all versions of the questionnaire online and e-file it securely with their acquiring banks. The SAQ is available at and consists of four unique forms to meet various business scenarios.

The SAQ is for use primarily by Level 2, 3 and 4 merchants (and some smaller service providers), as defined by the major credit-card brands — Visa Inc., MasterCard Worldwide, Discover Financial Services, American Express and JCB International — to validate compliance with the PCI Data Security Standard (PCI DSS). The PCI SSC updated SAQ version 1.0 to better align with PCI DSS version 1.1 and created four variants to ensure merchants only answer questions relevant to their environment. Each of the four variants, labeled A, B, C and D, has qualifying questions used to determine which of the four questionnaires a merchant is required to complete.

QualysGuard fully supports all four types of questionnaires, labeled A-D, including the ability to enter online comments for compensating controls, provide a remediation action plan for non-compliant sections, complete attestation of the assessment and electronically sign the SAQ online. More details on the QualysGuard PCI implementation or SAQ 1.1 are available at: within the PCI Questionnaires chapter.

Dummies Guide to Vulnerability Management — Now Available

Just released – "Dummies Guide to Vulnerability Management", in conjunction with publisher John Wiley & Sons. This VM handbook is an easy-to-read and informative guide designed to explain the essentials of vulnerability management, educating readers on selecting the right tools to manage vulnerabilities automatically, ensuring that their networks are safe from attacks. In five succinct parts, the book leads readers through a basic understanding of vulnerability management and provides a guide to essential best practices, the various options available, the pros and cons of automated vulnerability management, as well as a valuable 10-point checklist for removing existing vulnerabilities in the network.

To download a free copy, visit

Cisco’s Doug Dexter, Michael Mucha of Stanford Hospital and Gartner analyst Mike Nicolett focus on Security Risk and Compliance Best Practices


Cisco’s Doug Dexter, Michael Mucha of Stanford Hospital and Gartner analyst Mike Nicolett take part in an informative program focused on Security Risk and Compliance Best Practices, addressing the vulnerability management lifecycle and technology, and security configuration assessments.

See and hear Doug and Michael’s approach to implementing vulnerability management, with insight from Mike Nicolett of Gartner, and the results it has produced for their security organizations.

To view the video, go to:

Stanford Hospital CISO Michael Mucha in Information Security Magazine — 7 Security Questions to Ask Your SaaS Provider

“The biggest thing we focus on with all of this is control of the data,” says Michael Mucha, chief information security officer for Stanford Hospital in Palo Alto, Calif., which uses several clinical applications that are delivered as a service, including transcription, and radiology and analysis systems. Given that health care is by far the most regulated industry he has worked in, Mucha has created a standardized checklist for his technical assessment of any application delivered via the SaaS model. Among the most critical of those items are whether or not the service provider complies with SAS 112 audit requirements (which applies to nonprofits), how it documents its procedures for handling a security breach, and how it handles requests for changes and customized features, Mucha says.

Even more important will be the simple policies that a SaaS provider uses among its staff to protect your data. “We have complete access to the data, and we are the only ones with control of the authentication,” Mucha says. “The point is that you need a consistent approach to all these situations.”

Humane Society CIO, Beverly Magda in InformationWeek — SaaS to the Rescue

"SaaS opened our eyes to a new way of doing things. With QualysGuard, we didn’t need to install any software or infrastructure. QualysGuard runs on Qualys' own secure global infrastructure, so we run security audits on-demand over the Internet with a standard Web browser. The application automatically finds all vulnerabilities on our local and remote network, provides directions to our IT staff for remediation, and submits PCI audit reports to our acquiring banks."

Paul Simmonds: The Case for Managed Security Services


The case for managed security services is being made every day. Given the uncertain state of the economy, many companies are looking to security as a service to drive down costs and boost return on investment of security IT. In addition, according to Paul Simmonds, most IT managers don’t have the time or the staff, and users don’t exercise enough responsibility, to make managing security in-house an efficient and safe option. Managed security services may also help prevent spammers or Internet criminal organizations from compromising a company’s desktops and servers.

Click here to listen to the podcast.

Interview: Philippe Courtot, CEO of Qualys

Eric Green and Philippe Courtot discuss Software-as-a-Service (SaaS) and the future of the software industry in general.

Click here to listen to the interview.

Highlights from the 6th Annual Qualys SaaS Security Conference


At this year's 6th Annual Qualys SaaS Security Conference, top security professionals from around the world joined together on May 15 & 16, 2008 at the Palace Hotel in San Francisco, California for an information-packed two-day event.

CSOs, network and security professionals were introduced to executives from Gartner, Cisco, CNET, MedImmune and Sodexo, who provided insight into their use of Qualys' solutions and shared best practices for deploying vulnerability management offerings, integrating with managed services platforms and ensuring regulatory and operational compliance.

Qualys CEO Philippe Courtot connected with Qualys customers to listen to their views while taking feedback on the critical issues impacting their security organizations today. He stated: "QSC was created specifically to engage directly with our customers. It allows us an opportunity to hear customer insight that could shape our future roadmap as we build the next generation of security Software-as-a-Service (SaaS) solutions."