
Nils Puhlmann of Electronic Arts Joins Qualys as CSO & VP of Risk Management

Nils is responsible for security, risk management and business continuity planning, including the security of the QualysGuard platform. Additionally, drawing on his industry experience, Nils will oversee the Qualys CSO Advisory Board, whose main charter is to collaborate with other CSOs and industry leaders to offer real-world expertise in forging and implementing security and compliance best practices.

He stated: "Qualys has differentiated itself within the industry with its SaaS delivery platform and by keeping attention focused on the needs of the customer. I am looking forward to working with the Qualys team and with other CSOs in the industry to collaborate on real-life security and compliance issues and come up with best practices to address them."

Read More

Tata Communications Launches New Vulnerability Management Service with Qualys

"Our partnership with Tata Communications allows them to offer their global customer base a proven, scalable and cost-effective solution to help these organizations improve their security and streamline compliance initiatives. We are pleased to partner with such a world-class organization and look forward to working with them," said Philippe Courtot, Qualys CEO.

John Landau, Senior Vice President of Global Managed Services for Tata Communications, spoke about the company’s latest launch, saying: "Effectively managing vulnerabilities to best-practice levels, in-house, is an expensive and difficult undertaking for businesses of any size. Mistakes can lead to crippling service downtime, potential data corruption, and the risk of being non-compliant. Tata’s vulnerability management service helps organizations wrap their arms around which critical systems need patching at a drastically reduced total cost of ownership. There is no investment in capital or special skills required. The service allows customers both large and small to offload the grinding technical and operational aspects of vulnerability management while retaining control over decision-making and the actual remediation process."

Read More

November 2008: MSFT Patch Release Trends

In November, Microsoft released only two security bulletins, both of critical severity. In late October, however, Microsoft released an out-of-band fix for a potentially very exploitable vulnerability (MS08-067, Server service RPC). An out-of-band release is in itself an indication of high severity, and this flaw had the potential to develop into an aggressively replicating worm. We took a look at patching trends related to this widely publicized vulnerability.

Specifically, we monitored between 200,000 and 300,000 scans per day. The graph above shows the trends.

Customer Patching Trends
We used our vulnerability statistics capabilities to track the occurrence of these vulnerabilities over time and see whether customers applied the emergency patch any faster than a regular one.

  • Unfortunately, no. The emergency patch (MS08-067) did not produce a sharp drop in the occurrence of the vulnerability; customers appeared to be patching at their normal rate.
  • Over the last week, however, we see a fairly rapid reduction in vulnerability numbers. This follows the announcement and confirmation of a large-scale worm (Trend Micro mentions over 500,000 infected machines; Symantec reports major activity in its honeynets), which indicates that customers are stepping up their patching activity.
  • Over the last month and a half, the normalized occurrence of MS08-067 has dropped from a high of 8 to close to 2 this week, an overall reduction of roughly 70%.

MS08-067, MS08-068 and MS08-069 Trends
PLEASE NOTE: The information below is based on normalized data. The Y-axis represents the number of vulnerabilities identified divided by the total number of scans; the X-axis represents the dates. Normalizing by scan volume was required to represent the data fairly in graphical form, since the number of scans varies from day to day. If you use the graphic, please attribute it to Qualys.
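The normalization described above (detections divided by scans, per day, so that days with different scan volumes are comparable) and the "reduction from peak" figure quoted in the bullets can be reproduced with a few lines of Python. The block below is an added example, not Qualys code, and the scan records in it are constructed for illustration rather than taken from the QualysGuard data behind the graph:

```python
from collections import defaultdict
from datetime import date

# Constructed sample scan records: (scan date, set of bulletin IDs still
# detected on the scanned host). Illustrative values only, not Qualys data.
SAMPLE_SCANS = [
    (date(2008, 10, 27), {"MS08-067"}),
    (date(2008, 10, 27), {"MS08-067", "MS08-068"}),
    (date(2008, 10, 27), set()),
    (date(2008, 11, 10), {"MS08-067"}),
    (date(2008, 11, 10), set()),
    (date(2008, 11, 10), set()),
    (date(2008, 11, 10), {"MS08-068"}),
    (date(2008, 11, 24), set()),
    (date(2008, 11, 24), set()),
    (date(2008, 11, 24), set()),
    (date(2008, 11, 24), {"MS08-067"}),
    (date(2008, 11, 24), set()),
]


def normalized_rate(scans, bulletin):
    """Per-day ratio of scans that detected `bulletin` to all scans that day.

    Dividing by the day's own scan count removes the effect of varying scan
    volume: a day with 300,000 scans becomes comparable to one with 200,000,
    which a raw detection count would not be.
    """
    detected = defaultdict(int)
    total = defaultdict(int)
    for day, findings in scans:
        total[day] += 1
        if bulletin in findings:
            detected[day] += 1
    return {day: detected[day] / total[day] for day in sorted(total)}


def reduction_from_peak(series):
    """Fractional drop from the series' peak to its latest value (0.7 == 70%).

    Returns 0.0 for an empty or all-zero series rather than dividing by zero.
    """
    if not series:
        return 0.0
    values = [series[day] for day in sorted(series)]
    peak = max(values)
    return (peak - values[-1]) / peak if peak else 0.0


if __name__ == "__main__":
    for bulletin in ("MS08-067", "MS08-068"):
        series = normalized_rate(SAMPLE_SCANS, bulletin)
        for day, rate in series.items():
            print(f"{bulletin} {day} {rate:.3f}")
        print(f"{bulletin} reduction from peak: {reduction_from_peak(series):.0%}")
```

With the constructed records, MS08-067 falls from two detections in three scans to one in five, a 70% reduction from its peak, which is the same shape of result the bullets above report; MS08-068 disappears entirely by the last day. The value to watch in real data is the ratio, not the raw count: a drop in detections on a day with fewer scans says nothing about patching.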

MarketScope for Vulnerability Assessment

In this MarketScope report, Gartner details the challenges and tools to consider when evaluating and deploying vulnerability assessment technologies. The MarketScope includes Gartner’s vendor rating, in which Qualys received the highest possible rating ('Strong Positive').

Read Report

Free Webcast: Web 2.0 Security Threats Wednesday, November 12th, 11:00am PST

This talk will examine how the adoption of Web 2.0 and consumer technologies impacts application security and how you should respond to the new requirements. Topics covered:

  • Global trends and the enterprise security impact of Web 2.0 adoption, de-perimeterization, and the consumerization of corporate IT.
  • Steps information security professionals can follow to strengthen application security, especially in an open and collaborative environment.
  • An overall application security maturity model, and steps to create best-practices for application security.

Stanford Hospital CISO Michael Mucha Writes Feature Essay for Information Security Magazine

As an honoree of Information Security’s Security 7 award, Michael Mucha addresses "Security for the Masses," highlighting his team’s attention to secure collaboration and its proactive investments in SaaS and other outsourcing ventures, which free the team to focus on risks specific to the Stanford Hospital environment.

Read Essay

Customers Speak Out

Hear what Qualys customers have to say about their experience with QualysGuard®.

Watch Qualys Customer Testimonials

Qualys Ranked the 36th Fastest Growing Company in Silicon Valley by The Silicon Valley/San Jose Business Journal’s 2008 ‘Fast 50’

In a private dinner ceremony held on October 7, 2008 at the San Jose Fairmont’s Club Regency, Qualys Vice President of HR Rima Touma-Bruno was in attendance to receive the Fast 50 award.

"Being named the 36th fastest growing company in Silicon Valley is a tribute to the global adoption of our Security-as-a-Service platform and applications," said Philippe Courtot, CEO and chairman of Qualys. "We are honored that the San Jose/Silicon Valley Business Journal has recognized Qualys' growth, and in turn, highlighted the ease of use, quality, scalability and cost effectiveness that the Security-as-a-Service model uniquely provides."

Read More

QualysGuard PCI 3.0 Helps Merchants Meet New Mandatory PCI Requirement

QualysGuard PCI 3.0, now with a Web Application Scanning (WAS) module, combines the application’s traditional compliance scanning, remediation and e-filing capabilities with automated web application scanning. This advancement helps merchants meet requirement 6.6 for maintaining secure web applications. Specifically, the WAS module evaluates web applications both before and after deployment, so that applications are built and maintained securely. Delivered via Software-as-a-Service (SaaS), the WAS module automates the scanning of vulnerability types within custom code: customers can crawl web applications, identify cross-site scripting vulnerabilities, isolate SQL injection flaws, and conduct both authenticated and unauthenticated scanning.

Read Press Release
Read Technical Brief

PCI DSS 1.2 Spec Released

PCI DSS 1.2 is an update to the 12 requirements found in PCI DSS version 1.1. The intent of the new version is to clarify existing requirements and to provide flexibility in how the standard is interpreted. The main changes are:

  • Guidance on the scope of PCI DSS, with elaboration on segmentation of the cardholder data environment
  • Clarification of the wireless technology requirements, including a sunset date for WEP: all WEP implementations must be discontinued as of June 30, 2010
  • Clarification of requirement 6.6 for web application security, removing the references to source code review and adding the use of automated assessment tools
  • A requirement that employees who interact with cardholder data review and accept the security policy annually
  • Compensating controls must now be reviewed and validated annually by a qualified assessor
  • Flexibility for incorporating evolving technologies and threats
  • Announcement of a Quality Assurance program for assessors

Listen to Podcast
Read Summary

Related Coverage:
Credit-Card Security Standard Issued After Much Debate, by Ellen Messmer, Network World
Payment Card Security Toughens With DSS 1.2 Release, by Jabulani Leffall, Redmond