All Posts

Countdown to Black Hat: Top 10 Sessions to Attend — #9 and #10

With Black Hat USA 2019 now in progress, we wrap up this blog series with our final two session recommendations: Attacking and Defending the Microsoft Cloud and Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale.

Attacking and Defending the Microsoft Cloud, which focuses on protecting Office 365 and Azure Active Directory, explores the most common attacks against the cloud and describes effective defenses and mitigation. While it focuses on Microsoft, some topics apply to other providers. The speakers, Trimarc CTO Sean Metcalf and Mark Morowczynski, a Principal Program Manager at Microsoft, will cover topics including account compromise and token theft; methods to detect attack activity; and secure cloud administration.

Meanwhile, Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale outlines how Netflix identifies and eliminates vulnerabilities, at scale, in the open source software components it uses in its applications. The speaker, Aladdin Almubayed, is a Senior Application Security Engineer at Netflix who will describe the stages in Netflix’s automation strategy and the tools it uses.

Countdown to Black Hat: Top 10 Sessions to Attend — #1

Black Hat USA 2019 offers a packed and impressive lineup of research briefings and hands-on training courses for the 19,000-plus security pros expected to attend this year’s event.

The training sessions provide both offensive and defensive skills that security pros can use to tackle critical threats affecting applications, IoT systems, cloud services, and more. Meanwhile, the briefing sessions feature cutting-edge research on the latest infosec risks and trends. All sessions are led by expert trainers and researchers.

To help attendees decide which sessions to choose, we’ve selected ten that we think will be particularly relevant and valuable for Qualys customers, and we’ll highlight one each week here on our blog. Here’s our first recommendation: Advanced Cloud Security and Applied DevSecOps.

This highly technical course delves deep into practical cloud security and applied DevSecOps for enterprise-scale cloud deployments, and focuses on IaaS and PaaS.

“Real-world cloud security is most definitely not business as usual. The fundamental abstraction and automation used to build cloud platforms upends much of how we implement security. The same principles may apply, but how they apply is dramatically different, especially at enterprise scale,” reads the course abstract.

Capital One: Building Security Into DevOps

Capital One prides itself on staying at the forefront of IT innovations to give its business a competitive edge.

For example, it adopted Agile software-development methodologies years ago, and uses artificial intelligence and machine learning. It was the first bank to implement a mobile wallet with “contactless” NFC payments, and to offer voice-activated financial transactions using Amazon’s Alexa. When 2018 ends, Capital One expects 80% of its IT infrastructure to be cloud based, allowing it to go from seven to two data centers.

Given its tech transformation track record, it’s not surprising that Capital One has embraced DevSecOps, embedding automated security checks into its DevOps pipeline. This effort has dramatically accelerated the process of assessing vulnerabilities and misconfigurations in its virtual machine images and containers.

As a result, the code created in the DevOps pipeline is certified as secure and released to production without unnecessary delays. This allows Capital One — one of the United States’ 10 largest banks, based on deposits — to consistently boost its business across the board by quickly and continuously improving its web properties, mobile apps, online services and digital offerings.

“This has provided a huge benefit to the entire company,” said Emmanuel Enaohwo, Senior Manager for Vulnerability/Configuration Management at Capital One, a Fortune 500 company based in McLean, Virginia that offers a broad spectrum of financial products and services to consumers, small businesses and commercial clients.

Read on to learn how the bank has automated vulnerability and compliance checks in its CI/CD software pipeline, helped by Qualys.

GDPR Is Here: Don’t Neglect Public Cloud Security

With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, protecting these environments is critical for complying with the EU’s General Data Protection Regulation (GDPR).

GDPR, which went into effect in May, imposes strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.

Public cloud platforms are being used to power digital transformation initiatives across many business functions where EU residents’ personal data is likely to be stored, processed and shared.

Thus, organizations need complete visibility into their public clouds, and they must have a solid security and compliance posture in these environments that includes vulnerability management, asset inventory, web app scanning, DevSecOps pipeline protection, and IT configuration controls.

Gain Visibility and Continuous Security Across All Your Public Clouds

As organizations increase their use of public cloud platforms, they encounter cloud-specific security and compliance threats, which can be challenging to address without the right tools and processes.

Organizations’ cloud security difficulties lie in two main areas: lack of visibility into their cloud assets and resources, and a misunderstanding of cloud providers’ shared security responsibility model. As a result, there have been a multitude of easily preventable security mishaps in public cloud deployments due to leaky storage buckets, misconfigured security groups, and erroneous user policies.

These security breakdowns have caused data breaches and other compromises at organizations large and small, including Verizon, Viacom, the Republican National Committee, Tesla and the U.S. Department of Defense. The key to protecting public cloud workloads lies in adopting a cloud-native way of supporting and securing your resources in a hybrid IT environment, so as to have full visibility and control.

“Rather than having bifurcated tooling or bifurcated processes or even bifurcated teams, organizations need a unified view of their resources and security posture across on-premises and cloud environments,” Hari Srinivasan, Director of Product Management at Qualys, said during a recent webcast.

Read on to learn about cloud security challenges, best practices, and how Qualys can help you secure any infrastructure, at any scale, on-premises and in cloud, via a unified interface, using uniform standards and processes.

Qualys Cloud Platform 2.33 New Features

This release of the Qualys Cloud Platform version 2.33 includes the release of CertView, plus updates and new features for AssetView, Cloud Agent, EC2 Connector, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall. Highlights follow. (This posting has been edited to include an update to WAS that is available in a patch release.)

When Preparing for GDPR, Don’t Neglect Public Cloud Security

With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, protecting these environments is critical for compliance with the EU’s General Data Protection Regulation (GDPR).

These public cloud platforms are being used to power digital transformation initiatives across a wide variety of business functions, including supply chain management, customer support, employee collaboration, sales and marketing.

In all of these business tasks that are being digitally transformed in the cloud, customer personal data regulated by GDPR is likely to be stored, processed and shared.

Qualys: Cloud Security Must Move Towards ‘Transparent Orchestration’

What do the “My Little Pony” television series and cyber security have in common? Ask Qualys Chief Product Officer Sumedh Thakar.

Whenever his 7-year-old daughter wanted to see an episode of this show, the process involved multiple steps: Turning on the smart TV, scrolling through the app menu, picking Netflix, searching for “My Little Pony,” navigating the seasons and list of episodes, and finally clicking on the one she wanted to watch.

Sumedh Thakar, Qualys’ Chief Product Officer, speaks at the Cloud Security Alliance (CSA) Summit during RSA Conference 2018.

But that process became a thing of the past at Thakar’s house after he got a Google Home smart speaker and home assistant, and linked it up with his smart TV. Now all his daughter needs to do is tell Google Home to play her favorite show on the living room TV, and all the steps are carried out in an automated, seamless way, without anyone even having to grab the TV remote control.

“That’s transparent,” Thakar said on Monday during his keynote speech at the Cloud Security Alliance (CSA) Summit being held at the RSA Conference in San Francisco.

Qualys Cloud Platform 2.32 New Features

This release of the Qualys Cloud Platform version 2.32 includes updates and new features for AssetView, EC2 Connector, File Integrity Monitoring, Indication of Compromise, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall. Highlights follow. (Post updated 3/23 to include new FIM features for this release.)

Cloud Security Improves, But Much Work Still Remains to Be Done

As cloud computing adoption accelerates among businesses, InfoSec teams are struggling to fully protect cloud workloads due to a lack of visibility into these environments, and to hackers’ increasingly effective attacks.

That’s the main finding from SANS Institute’s “Cloud Security: Defense in Detail if Not in Depth” report, which surveyed IT and security pros from organizations of all sizes representing many industries.

“We’re seeing more organizations moving to the cloud. They’re definitely moving quickly. And security teams aren’t wholly comfortable with the way cloud providers are giving us details about what’s going on in the environments,” report author Dave Shackleford, a SANS Institute analyst and instructor, said during a webcast to discuss the study findings.
