Due to the fast-growing usage of REST APIs, having a way to test them for vulnerabilities in an automated, reliable way is more important than ever.  Automated testing of APIs is a little trickier than for web applications.  You can’t simply enter a starting URL for the scanner and click “Go”.  Additional setup is required to describe the API endpoints for the scanner.  The good news is that Qualys Web Application Scanning (WAS) offers multiple ways to set up a scan for your APIs.

Up to now Qualys WAS has provided two methods to set up scanning of your APIs:

1. Proxy capture method
2. Swagger/OpenAPI file method

Now, WAS supports a 3rd method – Postman Collections. As we’ll explain, this method can provide better vulnerability testing compared to the others.

Continue reading …

This release of the Qualys Cloud Platform version 2.41 includes updates and new features for new Gov clouds in AssetView / CloudView and Web Application Scanning, highlights as follows.

Continue reading …

Microsoft released an out-of-band update yesterday that fixes two critical vulnerabilities – The Internet Explorer remote code execution vulnerability (CVE-2019-1367) and Microsoft Defender Denial of Service Vulnerability (CVE-2019-1255).

According to the Microsoft advisory CVE-2019-1367, the Internet Explorer scripting engine vulnerability has been exploited in active attacks in the wild. Users are advised to manually update their systems immediately.

UPDATE: Added methods to detect Internet Explorer installs vulnerable to CVE-2019-1367 using only Free Qualys Global IT Asset Inventory, as well as how to patch by CVE with Qualys Patch Management.

Continue reading …

In today’s constantly changing and evolving cloud environments, being able to quickly provide information on misconfigurations and security policy violations in your cloud accounts and assets has become a critical need to the success of your security operations. Many cloud platforms offer tools within their specific cloud environments to provide this type of visibility. However, security operations teams are quickly learning that in a multi-cloud environment, they need tools that provides this information across all three major cloud providers in a seamless and centralized way, with normalized data streams. They need a single source of truth for their account security regardless of the public cloud provider or the asset metadata.

Continue reading …

This new release of the Qualys Cloud Platform (VM, PC), version 8.21.2, includes Virtual Scanner Appliance support for Alibaba Cloud Compute, scheduling of EC2 scans with no scannable EC2 assets in Asset Tags in Qualys Vulnerability Management, expanded support for instance discovery and auto record creation in Qualys Policy Compliance, compliance support for Oracle 19c, and more.

Continue reading …

After the publication of Golden AMI Pipeline integration with Qualys, some Qualys customers reached out asking how to integrate Qualys Vulnerability Management scanning into other types of CI/CD Pipelines. To answer these questions, we’ve published the new guide, Assess Vulnerabilities and Misconfiguration in CI/CD Pipelines.

Continue reading …

The upcoming release of the Qualys Cloud Platform (VM, PC), version 8.21.2, includes several new features in Qualys Cloud Platform and support for multiple technologies in Qualys Policy Compliance. The 8.21.2 release is scheduled to go live on 16th Sept, 2019.

See full 8.21.2 new features blog post for additional details on this release.

Continue reading …

This release of Qualys Patch Management version 1.3 includes new features, highlights as follows.

• Patch Scheduling enhancement: “No Patch Window” – When scheduling a patch deployment, instead of having to specify a Patch Window time frame, you can select “None”.  This will allow a job to continue to run until all of the Assets in the job are able to perform the deployment, instead of timing out at the end of the Patch Window. This is especially useful in situations where you have an emergency patch that absolutely must be installed as soon as possible.  If an Asset is offline when the job is set to run, it will run the job once the  Cloud Agent checks in again.
• Suppress reboot – You can choose to suppress the reboot notification and subsequent reboot after a patch deployment.  This feature allows you to deploy patches, and then use another mechanism to restart the Assets.  Any Asset that has the reboot suppressed will still report the Reboot Required flag to the platform.
• Create Job in “Enabled” state – Previously, you would create a Deployment Job in a Disabled state, and then Enable the job from the Jobs screens.  Now, you can choose to have the Job saved in an Enabled state, reducing the amount of clicks required to start a Job.
• Opportunistic Patch Download – When creating a Job, you can now opt to have the Cloud Agent download the patches in the background before the job runs, reducing the amount of time the job takes to complete.

Continue reading …

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices. 

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

The July 2019 release includes the following new policy and updates:

• 13 updated policies
• 11 new technologies
• 6 new DISA STIG policies
• 1 new Industry and Best Practice policies
• 1 Microsoft Security Baseline policy

Continue reading …

This month’s Microsoft Patch Tuesday addresses 79 vulnerabilities with 17 of them labeled as Critical. Of the 17 Critical vulns, 8 are for scripting engines and browsers, 4 are for the Remote Desktop Client, and 3 are for SharePoint. In addition, Microsoft has again patched a critical vulnerability in LNK files, along with a vuln in Azure DevOps / TFS. Adobe has also released patches for Flash and Application Manager.

Update: Following Patch Tuesday, Microsoft updated the entries for CVE-2019-1214 and CVE-2019-1215 to remove the “exploited” label.

Continue reading …