Capital One prides itself on staying at the forefront of IT innovations to give its business a competitive edge.

For example, it adopted Agile software-development methodologies years ago, and uses artificial intelligence and machine learning. It was the first bank to implement a mobile wallet with “contactless” NFC payments, and to offer voice-activated financial transactions using Amazon’s Alexa. When 2018 ends, Capital One expects 80% of its IT infrastructure to be cloud based, allowing it to go from seven to two data centers.

Given its tech transformation track record, it’s not surprising that Capital One has embraced DevSecOps, embedding automated security checks into its DevOps pipeline. This effort has dramatically accelerated the process of assessing vulnerabilities and mis-configurations in its virtual machine images and containers.

As a result, the code created in the DevOps pipeline is certified as secure and released to production without unnecessary delays. This allows Capital One — one of the United States’ 10 largest banks, based on deposits — to consistently boost its business across the board by quickly and continuously improving its web properties, mobile apps, online services and digital offerings.

“This has provided a huge benefit to the entire company,” said Emmanuel Enaohwo, Senior Manager for Vulnerability/Configuration Management at Capital One, a Fortune 500 company based in McLean, Virginia that offers a broad spectrum of financial products and services to consumers, small businesses and commercial clients.

Read on to learn how the bank has automated vulnerability and compliance checks in its CI/CD software pipeline, helped by Qualys.

Continue reading …

With DevOps adoption spreading, infosec teams are scrambling to address the new security challenges stemming from DevOps’ accelerated code development and app deployment. But while IT organizations have made notable progress adapting security to their DevOps processes, work remains to be done.

That’s a key finding from SANS Institute’s “Secure DevOps: Fact or Fiction” report, which was discussed recently in a two-day webcast (Part 1 & Part 2) co-sponsored by Qualys. A revealing statistic: Under 50% of respondent organizations have fully “shifted left” to embed security throughout their DevOps pipelines, a figure that should be higher.

“Security is still being built in at the end, whereas risk reduction should start earlier in the software development lifecycle,” said Barbara Filkins, a SANS analyst. With security in the early stages of application design, “we can eliminate many issues that we’d see at the back end,” she said.

Threading security throughout DevOps also preserves the benefits of continuous and quick software delivery, like improved customer support and employee productivity. 

“As a DevOps engineer, you’re looking to automate security at the speed of what business needs,” said Qualys Product Management Director Hari Srinivasan.

“The goal is enabling a transition from DevOps to secure DevOps that is factual, not fiction,” Filkins said.

Read on to learn about DevSecOps challenges, best practices and case studies.

Continue reading …

Qualys is expanding its security and compliance capabilities for Microsoft Azure, by adding protection for the on-premises Azure Stack and extending capabilities for public cloud deployments.

By using Qualys’ platform to defend hybrid IT environments, organizations get a unified view of their security posture, and can apply the same standards and processes on premises and in clouds.

“The advantages of doing so all within a single pane of glass is to reduce your total cost of ownership, and to have all the data in one place,” Hari Srinivasan, a Qualys Director of Product Management, said during a presentation at Microsoft’s Ignite 2018 conference.

That way, when a major attack like WannaCry is unleashed, organizations can quickly assess their risk and take action from a single console, instead of scrambling to assemble fragmented information from siloed tools.

Read on to learn more about Qualys’ comprehensive offerings for Azure.

Continue reading …

With container adoption booming, security teams must protect the applications that DevOps teams create and deploy using this method of OS virtualization. The security must be comprehensive across the entire container lifecycle, and built into the DevOps pipeline in a way that is seamless and unobtrusive.

Accomplishing this requires an understanding of Docker container technology and the adoption of processes and tools tailored for these environments. In a recent webcast, Qualys Director of Product Management Hari Srinivasan, an expert on cloud and container security, outlined container security risks, use cases, and best practices.

Read on to learn about Srinivasan’s recommendations for gaining visibility into container assets, doing vulnerability analysis, and detecting drifting runtimes across your DevOps pipeline.

Continue reading …

Black Hat attendees got a peek at Qualys Passive Network Sensor (PNS), a product that amplifies the already comprehensive IT asset visibility Qualys provides to its customers. By adding real-time network analysis to Qualys’ versatile set of sensors, PNS eliminates blind spots across IT environments through continuous traffic monitoring.

“Now you have instant visibility into every single asset that’s communicating on your network,” said Qualys’ Chief Product Officer Sumedh Thakar during a presentation on Passive Network Sensor at the conference.

The sensor extends the Qualys Cloud Platform’s broad spectrum of integrated security and compliance capabilities, further reducing Qualys customers’ needs for multi-vendor point products that are costly to manage and integrate.

Continue reading …

DevOps teams can’t get enough of containers — and for good reason. Faster and more efficient application development and deployment, as well as increased application portability, are some container technology benefits, which in turn help drive digital transformation efforts.

Container-based applications can be smaller, often focused on one or a few capabilities, and be more easily distributed across an IT environment. That’s why containers have facilitated the popularity of microservices, a type of architecture in which applications are structured as independent, small, modular services.

However, containers create their own set of security and compliance issues. These challenges include the use of un-validated software pulled from public repositories, which often contains unpatched vulnerabilities, and the deployment of containers with weak configurations. In addition, containers communicate directly with each other via exposed network ports in a way that bypasses host controls, and they’re hard to track because they’re so ephemeral.

This Thursday, Qualys will host a webcast, “Building Security into the 3 Phases of Container Deployment,” led by Hari Srinivasan, Director of Product Management, who’s our resident expert on container security.

In this webcast, Srinivasan will outline security use cases for containers at the build, registry, and runtime stages of DevOps pipelines. He will also explain the importance of having visibility into container assets, and of the need for container-native vulnerability analysis. Srinivasan will also address strategies to detect and address drifting runtimes.

Register for Thursday’s webcast, which begins at 10 am PT / 1 pm ET.

DevOps teams have embraced Docker container technology because it boosts speed, agility, and flexibility in app development and delivery. But it also creates security and compliance challenges.

“Containers are revolutionizing the IT landscape,” Hari Srinivasan, a Qualys Director of Product Management, said during QSC18 Virtual Edition. As the next big thing in IT, containers are seeing tremendous growth in adoption.

“Containers are lightweight, efficient, portable, and they boot faster, making it highly efficient and easy for developers to deploy their applications,” he said during his presentation “Securing Containers — From Build to Deployments.”

Containers are lighter than virtual machines because they can be spun up without provisioning a guest operating system for each one. For that reason, they also churn much more frequently.

With containers, applications can be smaller, focused on one or a few capabilities, and more portable, because they can be easily distributed across an IT environment, he said. That’s why containers have helped popularize microservices, a new architecture where applications are structured as independent, small, modular services.

Continue reading …

To properly and effectively protect DevOps pipelines, organizations can’t blindly apply conventional security processes they’ve used for traditional network perimeters. Since DevOps’ value is the speed and frequency with which code is created, updated and deployed, security must be re-thought so that it’s not a last step that slows down this process.

Hampering the agility of DevOps teams has terrible consequences. These teams produce the code that digitally transforms business tasks and makes them more innovative and efficient. Thus, it’s imperative for security to be built into — not bolted onto — the entire DevOps lifecycle, from planning, coding, testing, release and packaging, to deploying, operating and monitoring.

If security teams take existing processes and tools, and try to jam them into the DevOps pipeline, they’ll break the automation, agility and flexibility that DevOps brings. 

“This doesn’t work,” Qualys Vice President of Product Management Chris Carlson said during a recent webcast, in which he explained how security teams can seamlessly integrate security into DevOps using Qualys products.

Continue reading …

When a bank recently created a consumer mobile wallet, it built the entire project — from development to deployment — in the cloud, an increasingly common decision among enterprises.

A less common step taken by this multinational bank and Qualys customer was incorporating the security team from day one. It recognized that the safety of the application was as critical for its success as its feature functionality.

In doing so, this bank tackled a challenge that organizations face as they move workloads to public cloud platforms: Protecting these new cloud workloads as effectively as their on-premises systems, but with processes and tools that are effective in both environments.

In a recent webcast, SANS Institute and Qualys experts addressed this issue in detail, offering insights and recommendations for security teams faced with protecting hybrid IT infrastructures’ assets on premises and in public clouds.

Cloud adoption triggers new security needs

In pursuit of digital transformation benefits, organizations are aggressively moving more workloads to public clouds, expanding from straightforward software-as-a-service (SaaS) applications to more involved platform- and infrastructure-as-a-service (PaaS and IaaS) deployments.

As this happens, InfoSec teams find that safeguarding these environments can be complex. “Security teams have rallied around the idea that this is something they need to live with,” Dave Shackleford, a SANS analyst and instructor, said during the webcast.

Continue reading …

Organizations are aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, upping the ante for InfoSec teams, which must protect these new environments.

Driving this growth in cloud computing adoption is its essential role in digital transformation initiatives, which help businesses be more efficient, effective, flexible and innovative in areas like e-business, supply chain management, customer support and employee collaboration.

Digital transformation projects are typically delivered using web and mobile apps created in DevOps pipelines, where developers and operations staff work collaboratively at every step of the software lifecycle, releasing apps or app updates frequently.

But security must be integrated throughout the DevOps process — planning, coding, testing, releasing, deploying, monitoring — in an automated way, organically building it into the software lifecycle instead of bolting it on at the end.

That way, vulnerabilities, misconfigurations, policy violations, malware and other safety issues can be addressed before code is released, reducing the risk of exposing your organization and your customers to cyber attacks.

In a recent webcast, Hari Srinivasan, Qualys’ Director of Product Management for Cloud and Virtualization Security, explained how Qualys can help you secure your cloud and container deployments across your DevOps pipeline.

Continue reading …