Qualys Blog

www.qualys.com
1158 posts

Qualys WAF 2.0 Protects Against Critical Apache Struts Jakarta Vulnerability ( CVE-2017-5638 )

On March 8, 2017, Qualys published a detailed blog to describe a critical vulnerability in Apache Struts2 Jakarta multipart parser that exposes vulnerable applications to Remote Command Execution attacks. Exploits of this vulnerability can allow attackers to steal critical data or take control of your application servers.

Qualys Web Application Firewall (WAF) 2.0 allows you to create custom security rules to detect and block attacks that try to exploit this vulnerability.

Continue reading …

Qualys Cloud Suite 8.9.3 New Features

This new patch release of the Qualys Cloud Suite, version 8.9.3, includes updates for cloud-based scanner deployments and tagging improvements.

Continue reading …

Smart DOM XSS Detection in Qualys WAS

Recently Qualys extended the cross-site scripting (XSS) detection capabilities of Qualys Web Application Scanning (WAS) by adding a new mechanism for detecting DOM based XSS (DOM XSS) vulnerabilities. The new mechanism works in an automated manner with no special setup or knowledge requirements, enabling security teams to greatly reduce the risk from these typically hard-to-detect vulnerabilities. Because of the technique Qualys WAS uses, it also indicates the location in your code of any XSS bugs found, which is pretty convenient for your development teams.

Continue reading …

Making Asset Inventory Actionable With a Cloud-Based System

As we’ve discussed in this blog series on automated IT asset inventory, having — or regaining — unobstructed visibility of your IT environment is key for a strong security and compliance posture.

We met Max, the CISO of a large manufacturer, whose organization progressively lost this visibility, as it adopted cloud computing, mobility, virtualization, IoT and other digital transformation technologies.

AssetView_Overview_v2_crop_searchbarWith the company’s IT environment upended and its network perimeter blurred, Max and the InfoSec team recovered control with a cloud-based, automated IT asset inventory system. This successful solution featured five key elements. In the previous posts, we addressed the first three:

This means that you need a complete and continuously updated list of IT assets, as well as granular security, compliance and system details on each one.

In this final post, we’ll explain the last two requirements for an effective cloud-based IT asset inventorying system:

  • Asset criticality rankings
  • Dashboarding and reporting

Continue reading …

Qualys Cloud Platform 2.23 New Features

This release of the Qualys Cloud Platform version 2.23 includes updates and new features for AssetView, Cloud Agent, AWS Region Support, Security Assessment Questionnaire and Web Application Scanning as follows:

Continue reading …

Ticketbleed Detection Added to SSL Labs

Ticketbleed is a recently disclosed vulnerability in some F5 load balancers. This problems allows attackers to retrieve up to 31 bytes of process memory, which could potentially include sensitive data (for example private keys). It is similar in nature to Heartbleed (a vulnerability in OpenSSL from 2014), but less severe because much less data can be extracted.

Continue reading …

RSA Conference 2017 Highlights: Qualys Cloud Platform Expansions

Update March 2: Watch videos of customer best practice presentations and Qualys product demonstrations, plus see special guest Kevin Mitnick on How to Be Safe in the Age of Big Brother and Big Data. Recorded live in the Qualys booth.

At RSA Conference USA 2017 in San Francisco, Qualys unveiled major expansions of its Cloud Platform that add new value to the unprecedented 2-second visibility of IT assets that we deliver to customers, and help organizations consolidate control of their security operations into a single-pane, cloud-based dashboard.

Here are the key announcements you should know about:

Continue reading …

For Complete Visibility, Dive Deep into IT Asset Discovery

In the first installment of this blog series on automated asset inventorying, we met Max, the CISO of a large manufacturer whose InfoSec team lost full visibility of the company’s hardware and software.

Dangerous blind spots appeared progressively over time as Max’s company adopted more and more digital transformation technologies, such as cloud computing, mobility, IoT, and virtualization.

Eventually, Max and his team became alarmed at the inability of their legacy on-premises security products to account for the new cloud instances, virtualized environments, mobile endpoints and other assets outside of the traditional, tightly-controlled network perimeter.

They were concerned that this lack of visibility could lead to an increase in employee use of unapproved personal devices and unauthorized software, as well as to data breaches.

Continue reading …

Simplifying Web Application Security with Qualys Web Application Firewall 2.0

The completely redesigned Qualys Web Application Firewall (WAF) 2.0 provides greater confidence in application security through increased customization, one-click virtual patching ability, simplified controls and stronger security rules. Available now with these and other improvements, WAF 2.0 helps customers fend off hackers’ increasingly common, aggressive and destructive web app attacks.

Continue reading …

Microsoft February Patch Tuesday Cliffhanger and Adobe Fix for Flash

UPDATE: Microsoft has announced that all updates will be delivered in the March 14 patch cycle.

As covered in our January blog, today Microsoft was supposed to scrap the existing system in which users used to get a bulletin like MS17-001 in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. But as per Microsoft’s blog, February’s Patch Tuesday has been delayed as Microsoft discovered a last minute issue that could impact some customers and could not resolve it in time for the planned update. This comes on the heels of the announcement that individual patches will not be available as they will be bundled together in the monthly Security update or monthly Cumulative update. If there is a problem in the patch for one kernel vulnerability for example, then all kernel or related vulnerabilities cannot be released as they are bundled together. A zero day SMB vulnerability was expected to be patched today and as of this writing there is no official statement on the new release date.

On the Adobe front, three security updated were released and the most important one is for Flash APSB17-04 which affects Windows, Mac, Linux and ChromeOS. If left un-patched this allows attackers to take complete control of the system. An attacker would host malicious flash content and the vulnerability will trigger when victim views the content.

Continue reading …