What New PCI Standards Mean to You

If your business accepts credit card payments, it must be compliant with Payment Card Industry (PCI) requirements, and the way you handle that data is now governed by the Payment Card Industry Data Security Storage Standards (PCI DSS), not as a matter of law but as part of your contract with the credit card companies whose cards you accept. Inc.com’s Minda Zetlin outlines the latest requirements in "What New PCI Standards Mean to You."

  1. WEP is disallowed.
  2. All systems "commonly affected" by malware must run anti-malware software.
  3. Application firewalls are mandatory for Web applications.
  4. Logs must be saved for a year.
  5. New-user passwords must be changed.

Indusface Consulting Expands IT Security Service Practice with Qualys

Indusface Consulting, an end-to-end information security services company, announces that it has joined with Qualys to differentiate and expand its solutions offering, delivering network security, operational efficiency and risk reduction to its clients while leveraging the flexibility of the Qualys Software-as-a-Service (SaaS) model.

"We have developed a strong consulting team that possesses the technology know-how to deliver world-class security services and solutions to our clients," said Ashish Tandon, Chief Executive Officer, Indusface Consulting. "Collaborating with Qualys further extends our ability to offer practical solutions that we can confidently apply across a broad range of industry verticals and customer sectors."

Hot or Not: Software Update Vulnerabilities

There’s been considerable discussion recently about how automatic software updates, such as those that download security patches, can be used as vectors of attack. This is unfortunate, as one of the primary tenets of keeping systems relatively secure is to maintain current patch levels. Yet when most users, probably including most businesses, need to update their systems, they tend to trust and download the updates presented to them without confirming their authenticity.

In SC Magazine’s "Hot or Not: Software update vulnerabilities," Amol Sarwate of the Qualys Vulnerabilities Research Lab discusses how the automatic update features in many software applications are proving to be vulnerable to attack now that hackers are taking notice.

Microsoft Patch Tuesday: December 2008 Security Bulletin

Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 9 new vulnerabilities present in Microsoft Windows. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

On December 9, Microsoft released 8 security patches to fix newly discovered flaws in Microsoft Windows. Microsoft has also released 1 advisory that currently does not have a patch. The Qualys Vulnerability R&D Lab has released checks for these new vulnerabilities, including:

  • Microsoft Wordpad Text Converter Vulnerability
  • Microsoft Visual Basic Runtime Extended Files Remote Code Execution Vulnerability
  • Microsoft Windows GDI+ Remote Code Execution Vulnerability
  • Microsoft Word Multiple Remote Code Execution Vulnerabilities
  • Microsoft Internet Explorer Cumulative Security Update
  • Microsoft Excel Multiple Remote Code Execution Vulnerabilities
  • Microsoft Windows Search Remote Code Execution Vulnerability
  • Microsoft Windows Media Components Remote Code Execution Vulnerability

Related Coverage:
Microsoft Slates 8 Bug Updates for Year’s Final Patch Tuesday, by Gregg Keizer, Computerworld
Windows Users Indifferent to Microsoft Patch Alarm, by Gregg Keizer, Computerworld
Zero-Day Bug Discovered In IE7, by Tim Wilson, DarkReading
Hackers Having Field Day With IE Zero Day Attacks, by Erika Morphy, TechNewsWorld

Qualys Nominated for 4 SC Magazine 2009 Awards

As a finalist in the Readers Trust Awards, which honor best-in-class security products and services, Qualys is nominated for:

  • Best Vulnerability Management Solution for QualysGuard

As a multiple nominee for the Excellence Awards, which honor companies with superior security products, Qualys is also nominated for:

  • Best Security Company
  • Best Enterprise Security Solution for QualysGuard Enterprise
  • Best SME Security Solution for QualysGuard Express

Winners of this year’s SC Awards will be announced at a gala dinner and award ceremony to be held in San Francisco on April 21, 2009 in conjunction with the RSA Conference.

Enterprise SaaS Buyers Want More Than Uptime

"Vendors have to go well beyond the requirements of SLAs if they want to keep their customers," reported InternetNews' Richard Adhikari from one of the panel discussions at SIIA On Demand, the Software & Information Industry Association’s conference on SaaS.

Panelist Philippe Courtot, chairman and CEO of Qualys, added: "It is critical for SaaS players to exceed SLAs because there are few obstacles to a customer abandoning one supplier in favor of another. It’s much easier to switch from a SaaS application than a normal application because you don’t have to pull out the application and replace it and test it and secure it.

"In the future, customers will demand more from SaaS vendors," Courtot warned. "I can see that, in the near future, they would want guarantees of quality of service, guarantees of security of data, guarantees of data privacy."

Qualys Selected as One of the Fastest Growing Companies in North America

Qualys has been chosen as one of Deloitte’s 2008 Technology Fast 500, a ranking of today’s fastest growing technology, media, telecommunications and life sciences companies in North America. This industry distinction comes just several weeks after the company’s most recent achievement on the Deloitte Silicon Valley Fast 50, where Qualys ranked #37 by demonstrating a five-year growth rate of 492 percent from 2003 to 2007. The same five-year growth rate criterion was used in selecting the Fast 500 companies, placing Qualys at #307 on the expanded list of industry notables.

"Being recognized as one of the fastest growing companies in North America is an honor that we share with our customers who from the beginning believed in our Software-as-a-Service solution for IT security and compliance management," said Philippe Courtot, Qualys CEO. "We thank Deloitte for the ranking that underscores our efforts to help organizations worldwide get a clear view on their IT security and achieve compliance."

Microsoft Patch Tuesday: November 2008 Security Bulletin

Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 2 new vulnerabilities present in Microsoft Windows. Customers can immediately audit their networks for these and other recent vulnerabilities by accessing their QualysGuard subscription.

On November 11, Microsoft released 2 security patches to fix newly discovered flaws in Microsoft Windows. The Qualys Vulnerability R&D Lab has released the following checks for these new vulnerabilities:

  • Microsoft SMB Could Allow Remote Code Execution
  • Microsoft XML Core Services Remote Code Execution Vulnerability

Related Coverage:
Microsoft Patches Long-Known Windows Bugs, by Gregg Keizer, Computerworld
Microsoft Doles Out Two Patches for Four Flaws, by Dan Kaplan, SC Magazine
Teed Up for November: Office, Windows Fixes, by Andy Patrizio, InternetNews.com

Vulnerability Management That Works

InformationWeek explores how IT can implement an effective vulnerability management program.

To build a vulnerability management program that works, apply risk management principles and logic relative to business value. IT must also engage across business units to determine a company-wide security posture that is within acceptable risk tolerance levels, create operational processes that address the computing environment as a whole, and select the right technology platforms to bolster those processes. Critical steps to break the cycle of ineffectiveness:

    Step 1: Integrate Data Collection
    Step 2: Prioritize
    Step 3: Continue to Refine

Keys To Success Of Vulnerability Management

InformationWeek outlines four principles for achieving ongoing vulnerability management success:

Principle 1: Focus on Output, Not Input

Tools are only a means to an end. Data collection is a fundamental requirement for vulnerability management, but providing timely, accurate, contextual reports to appropriate individuals is critical. Many organizations develop programs that generate vast amounts of data, but struggle to make it actionable and measurable.

Principle 2: Align with Business Processes

Integrating the vulnerability management process with, and making it aware of, business processes is critical to understanding enterprise risk and focusing on the areas that matter most.

Principle 3: Continue to Integrate Technologies

Incorporating change and configuration management technologies will increase the reliability of data, build accurate reporting, and increase overall effectiveness in lowering enterprise risk and achieving compliance objectives.

Principle 4: Leverage Measurement and Promote Visibility

Defining key performance indicators, such as an acceptable host-to-vulnerability ratio, and using measurement tools will help focus the program on the activities that will have the most impact.