All Posts

24 posts

Enhanced API Scanning with Postman Support in Qualys WAS

Due to the fast-growing usage of REST APIs, having a way to test them for vulnerabilities in an automated, reliable way is more important than ever.  Automated testing of APIs is a little trickier than for web applications.  You can’t simply enter a starting URL for the scanner and click “Go”.  Additional setup is required to describe the API endpoints for the scanner.  The good news is that Qualys Web Application Scanning (WAS) offers multiple ways to set up a scan for your APIs.

Up to now Qualys WAS has provided two methods to set up scanning of your APIs:

  1. Proxy capture method
  2. Swagger/OpenAPI file method

Now, WAS supports a 3rd method – Postman Collections. As we’ll explain, this method can provide better vulnerability testing compared to the others.

Continue reading …

Empower your Cloud Ops Teams – Publish Qualys CloudView Security Assessment Reports to their Slack Channel

In today’s constantly changing and evolving cloud environments, being able to quickly provide information on misconfigurations and security policy violations in your cloud accounts and assets has become a critical need to the success of your security operations. Many cloud platforms offer tools within their specific cloud environments to provide this type of visibility. However, security operations teams are quickly learning that in a multi-cloud environment, they need tools that provides this information across all three major cloud providers in a seamless and centralized way, with normalized data streams. They need a single source of truth for their account security regardless of the public cloud provider or the asset metadata.

Continue reading …

Qualys Cloud Platform 2.40 New Features

This release of the Qualys Cloud Platform version 2.40 includes updates and new features for Web Application Scanning, highlights as follows.

Continue reading …

Qualys Cloud Platform 2.39 New Features

This release of the Qualys Cloud Platform version 2.39 includes updates and new features for Out-of-Band Configuration Assessment (OCA), Vulnerability Management, and Web Application Scanning, highlights as follows.

Continue reading …

Countdown to Black Hat: Top 10 Sessions to Attend — #2

Black Hat USA 2019 is still two months away, but it’s never too early for attendees to start planning their schedule. That’s why each week we’re recommending one session from the scores of research briefings and training courses that will be offered at the conference. Following our first pick last week, here’s our second recommendation: Attacking and Securing APIs.

This hands-on, two-day course will teach participants how to build secure web and cloud APIs, which is increasingly important as their usage skyrockets. The instructor is Mohammed Aldoub, a security consultant and trainer with 10 years of experience who worked on Kuwait’s national cyber security infrastructure and focuses on APIs, secure DevOps, cloud security and cryptography.

The course is designed for software developers, security engineers, bug bounty hunters and others. Key takeaways include creating secure web APIs and microservices infrastructure; assessing the security of API implementation and configuration; and using cloud-native tools and infrastructure to deliver secure APIs.

Continue reading …

QSC18: API Security, Enabling Innovation Without Enabling Attacks and Data Breaches

Without APIs, it would be near impossible to see enterprises being able to digitally transform themselves. After all, APIs are the connective-tissue between applications and systems and they make the management, automation and consumption of technology possible at scale. APIs are what enable organizations to liberate data from their applications, improve integration, and standardize how claims and information is governed.

However, what about the associated API security risks? That’s the subject Gartner analyst Mark O’Neill tackled in his presentation, API Security: Enabling Innovation Without Enabling Attacks and Data Breaches at Qualys Security Conference 2018. O’Neill sees API vulnerabilities as a serious enterprise risk in the years ahead. In fact, by 2020, he predicts API abuses will be the most frequent attack vector that results in data breaches for enterprise web applications. “We see more and more APIs as a threat vector,” O’Neill said.

Attackers go after APIs, O’Neill said, because they’re a direct way to valuable data and enterprise resources. In addition to stealing data, APIs are also susceptible to other forms of attack, such a denial-of-service attacks, O’Neill said.

So what can organizations do to better secure their APIs and the resources and information they expose?

Continue reading …

Qualys Cloud Platform 2.33 New Features

This release of the Qualys Cloud Platform version 2.33 includes the release for CertView, plus updates and new features for AssetView, Cloud Agent, EC2 Connector, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall, highlights as follows.  (This posting has been edited to include an update to WAS that is available in a patch release.)

Continue reading …

Qualys Cloud Platform 2.32 New Features

This release of the Qualys Cloud Platform version 2.32 includes updates and new features for AssetView, EC2 Connector, File Integrity Monitoring, Indication of Compromise, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall, highlights as follows.  (Post updated 3/23 to include new FIM features for this release.)

Continue reading …

Qualys Cloud Platform 2.31 New Features

This release of the Qualys Cloud Platform version 2.31 includes updates and new features for AssetView, Cloud Agent, EC2 Connector, Web Application Scanning, Web Application Firewall, and Security Assessment Questionnaire, highlights as follows.

Continue reading …

Qualys Cloud Platform 2.30 New Features

This release of the Qualys Cloud Platform version 2.30 includes updates and new features for Cloud Agent, EC2 Connector, Web Application Scanning, Web Application Firewall, and Security Assessment Questionnaire, highlights as follows.  (This posting has been updated on 9/6/2017 and 10/25/2017 to reflect new feature capabilities in the release, as noted below.)

Continue reading …