Qualys Blog

www.qualys.com
16 posts

Qualys Cloud Platform 2.30 New Features

This release of the Qualys Cloud Platform version 2.30 includes updates and new features for Cloud Agent, EC2 Connector, Web Application Scanning, Web Application Firewall, and Security Assessment Questionnaire. Highlights are as follows. (This posting was updated on 9/6/2017 and 10/25/2017 to reflect new feature capabilities in the release, as noted below.)


Qualys Cloud Platform 2.28 New Features

This release of the Qualys Cloud Platform version 2.28 includes updates and new features for Cloud Agent, AssetView, ThreatPROTECT, Security Assessment Questionnaire and Web Application Scanning. Highlights are as follows:


Qualys Cloud Platform 2.27 New Features

This release of the Qualys Cloud Platform version 2.27 includes updates and new features for Cloud Agent and AssetView as follows:


REST API Testing with Qualys Web Application Scanning

With more web applications exposing RESTful (or REST) APIs for ease of use, flexibility and scalability, it has become more important for web application security teams to test and secure those APIs. But APIs (including REST APIs) introduce some behaviors that make it difficult for web application scanners to test them for vulnerabilities.

New features in Qualys Web Application Scanning (WAS) overcome these difficulties.


Office Depot Extends the Value of Cloud-based Security via Qualys APIs

When Office Depot went looking for a new vulnerability management system, it picked Qualys for several reasons, including the variety and capabilities of its application programming interfaces (APIs). This was the topic of a recent talk by Office Depot Director of Global Information Security Jon Scheidell.

Since deploying Qualys Vulnerability Management (VM) about three years ago, the office supply chain has made ample and effective use of Qualys APIs in ways that have helped improve its overall security posture and its business operations.

“They’re one of the security vendors that does a better job of not only creating APIs for different features but also documenting them very, very well,” Scheidell said during a recent presentation at the Black Hat USA 2016 conference.

Qualys has always prioritized the extensibility of its platform via APIs, starting in the early 2000s with the release of its first product, and it has intensified its API efforts in the last four or five years.

Today, almost all of the major functions of the Qualys Cloud Platform are accessible to third party developers via APIs. In addition to Vulnerability Management, Qualys offers complete API sets for Web Application Scanning, Web Application Firewall, Policy Compliance, Continuous Monitoring, Malware Detection and the platform’s underlying asset management and tagging functionality.


SSL Labs APIs Now Available In Beta

In the end-of-year post last month, I mentioned that SSL Labs APIs had been made available for early access. What that meant was that we wanted some people to have a look at our APIs and play with the open source reference client, but otherwise didn’t want everyone to come at once. After a period of testing, we’re ready to move to the next phase. The APIs (as in the specification, not the implementation) are now considered stable and we’re committed to supporting them for a long period of time. We’re also happy with more people looking at the APIs and using them. The APIs are still running on our development servers and may lack the power of our production cluster, but are otherwise stable and fully production ready. In the following weeks we’ll do some more testing, with the goal of moving the APIs into production by the end of February.


Interview: James Nelson, author of “QualysGuard Open Vulnerability Data Download”


The open source tool QualysGuard Open Vulnerability Data Download offers programmatic downloading of active (non close-fixed or close-ignored) QualysGuard host (formerly known as autovuln) vulnerability data to enable vulnerability syncing across security tools. This tool was published on the Qualys Community by Qualys' James Nelson.

What’s your name and title?

James Nelson, Technical Account Manager at Qualys.

Besides living and breathing Qualys, how do you enjoy spending your free time?

I enjoy my time outside of Qualys attending events related to classic cars, camping, hunting, fishing and preparing smoked meats for my friends, family, and customers to enjoy.


Interview: Jeffrey Leggett, author of “setup_scanner”


The open source tool setup_scanner enables high-volume programmatic provisioning of QualysGuard scanners before deployment to virtualization infrastructure scanners. Setup_scanner was published on GitHub by Qualys' Jeffrey Leggett.

What’s your name and title?

Jeffrey Leggett, API and Integrations Product Manager at Qualys.

Besides living and breathing Qualys, how do you enjoy spending your free time?

I am an avid CrossFitter and mountain biker. Sleeping and eating rank up there, too.

Tell us more about what your scanner appliance app does.

I’m building an entire automated scanner deployment process for a customer to deploy thousands of scanners — one in every one of their retail stores.


Sync Your VM Data Fast

Make your Qualys data your own by synchronizing it locally. Though report templates are an easy way to set up and distribute that data, they are typically not flexible enough to meet the unique requests from unique teams that crop up over time. Synchronizing your Qualys data locally and enabling all teams in your organization to query it locally will give you the most scalable access to your data.


Interview: Mark Alvarez, author of “Managing Gazillion Vulnerabilities”

Mark Alvarez’s submit_ticket script on GitHub is an open source QualysGuard integration app that makes remediation tracking in CA Service Desk easy. Mark described it in detail in the document, CA Service integration app, also known as "Managing Gazillion Vulnerabilities".

1.  Tell us your name and recent infosec titles you’ve carried.

My name is Mark Jayson Alvarez. For the past 10 years of my career, my job title has gone through several incarnations. I used to be a “Security Engineer”, a “Systems Engineer, Security”, an “IT Security Administrator”, “IT Security Consultant”, and now my job title says that I am an “Information Security Analyst”. My favorite of all though is when I was still called a “Science Research Specialist” in my first job (a fancy term for Systems Administrator). And since you’ve asked, other titles that I’ve had but never really used except in my CVs are CISSP, CISA, CEH, CISM.
