After the publication of Golden AMI Pipeline integration with Qualys, some Qualys customers reached out asking how to integrate Qualys Vulnerability Management scanning into other types of CI/CD Pipelines. To answer these questions, we’ve published the new guide, Assess Vulnerabilities and Misconfiguration in CI/CD Pipelines.
With Black Hat USA 2019 now in progress, we wrap up this blog series with our final two session recommendations: Attacking and Defending the Microsoft Cloud and Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale.
Attacking and Defending the Microsoft Cloud, which focuses on protecting Office 365 and Azure Active Directory, explores the most common attacks against the cloud and describes effective defenses and mitigation. While it focuses on Microsoft, some topics apply to other providers. The speakers — Trimarc CTO Sean Metcalf, and Mark Morowczynski, a Principal Program Manager at Microsoft, will cover topics including account compromise and token theft; methods to detect attack activity; and secure cloud administration.
Meanwhile, Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale, outlines how Netflix identifies and eliminates vulnerabilities in the open source software components it uses in its applications at scale. The speaker, Aladdin Almubayed, is a Senior Application Security Engineer at Netflix who will describe the stages in Netflix’s automation strategy and the tools it uses.
Black Hat USA 2019 is still two months away, but it’s never too early for attendees to start planning their schedule. That’s why each week we’re recommending one session from the scores of research briefings and training courses that will be offered at the conference. Following our first pick last week, here’s our second recommendation: Attacking and Securing APIs.
This hands-on, two-day course will teach participants how to build secure web and cloud APIs, which is increasingly important as their usage skyrockets. The instructor is Mohammed Aldoub, a security consultant and trainer with 10 years of experience who worked on Kuwait’s national cyber security infrastructure and focuses on APIs, secure DevOps, cloud security and cryptography.
The course is designed for software developers, security engineers, bug bounty hunters and others. Key takeaways include creating secure web APIs and microservices infrastructure; assessing the security of API implementation and configuration; and using cloud-native tools and infrastructure to deliver secure APIs.
Is your security team struggling to decide which projects will slash risk the most without breaking the bank? If so, we believe your security leaders can end analysis paralysis by perusing Gartner’s “Top 10 Security Projects for 2019” report. As its title states, the report recommends ten security projects for 2019, and the projects selected are supported by technologies available today, address the changing needs of cybersecurity and support what Gartner calls a CARTA (Continuous Adaptive Risk and Trust Assessment) strategic approach through risk prioritization.
Below we highlight five of the projects, provide Gartner’s take, offer our opinion, and explain how Qualys can help you implement them.
(This is a guest post by Grant Johnson, Director, Risk & Compliance at Ancestry)
Over the past two years, Ancestry moved its entire applications and data infrastructure from local data centers to Amazon’s cloud, and this required a new approach for managing vulnerabilities in our DevOps pipeline. In the hopes that our insights will help security teams embarking on this path, this article details the challenges we faced and the best practices that helped us succeed, including:
- the benefits of replacing production AMIs with new ones instead of patching them;
- the importance of making security an enabler of agile, cloud processes like DevOps;
- and effective ways to get DevOps team members and senior leaders to buy into your risk reduction strategy.
Read on to learn how, with Qualys’ help, we streamlined and automated vulnerability fixes, resulting in a steep drop in the number of high severity bugs in our production applications.
Qualys is expanding its security and compliance capabilities for Microsoft Azure, by adding protection for the on-premises Azure Stack and extending capabilities for public cloud deployments.
By using Qualys’ platform to defend hybrid IT environments, organizations get a unified view of their security posture, and can apply the same standards and processes on premises and in clouds.
“The advantages of doing so all within a single pane of glass is to reduce your total cost of ownership, and to have all the data in one place,” Hari Srinivasan, a Qualys Director of Product Management, said during a presentation at Microsoft’s Ignite 2018 conference.
That way, when a major attack like WannaCry is unleashed, organizations can quickly assess their risk and take action from a single console, instead of scrambling to assemble fragmented information from siloed tools.
Read on to learn more about Qualys’ comprehensive offerings for Azure.
With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, protecting these environments is critical for complying with the EU’s General Data Protection Regulation (GDPR).
GDPR, which went into effect in May, imposes strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.
Public cloud platforms are being used to power digital transformation initiatives across many business functions where EU residents’ personal data is likely to be stored, processed and shared.
Thus, organizations need complete visibility into their public clouds, and they must have a solid security and compliance posture in these environments that includes vulnerability management, asset inventory, web app scanning, DevSecOps pipeline protection, and IT configuration controls.
As organizations increase their use of public cloud platforms, they encounter cloud-specific security and compliance threats, which can be challenging to address without the right tools and processes.
Organizations’ cloud security difficulties lie in two main areas: Lack of visibility into their cloud assets and resources, and a misunderstanding of cloud providers’ shared security responsibility model. As a result, there have been a multitude of easily preventable security mishaps in public cloud deployments due to leaky storage buckets, misconfigured security groups, and erroneous user policies.
These security breakdowns have caused data breaches and other compromises at organizations large and small, including Verizon, Viacom, the Republican National Committee, Tesla and the U.S. Department of Defense. The key to protect public cloud workloads lies in adopting a cloud-native way of supporting and securing your resources in a hybrid IT environment, so as to have full visibility and control.
“Rather than having bifurcated tooling or bifurcated processes or even bifurcated teams, organizations need a unified view of their resources and security posture across on-premises and cloud environments,” Hari Srinivasan, Director of Product Management at Qualys, said during a recent webcast.
Read on to learn about cloud security challenges, best practices, and how Qualys can help you secure any infrastructure, at any scale, on-premises and in cloud, via a unified interface, using uniform standards and processes.
With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, protecting these environments is critical for compliance with the EU’s General Data Protection Regulation (GDPR).
These public cloud platforms are being used to power digital transformation initiatives across a wide variety of business functions, including supply chain management, customer support, employee collaboration, sales and marketing.
In all of these business tasks that are being digitally transformed in the cloud, customer personal data regulated by GDPR is likely to be stored, processed and shared.
As cloud computing adoption accelerates among businesses, InfoSec teams are struggling to fully protect cloud workloads due to a lack of visibility into these environments, and to hackers’ increasingly effective attacks.
That’s the main finding from SANS Institute’s “Cloud Security: Defense in Detail if Not in Depth” report, which surveyed IT and security pros from organizations of all sizes representing many industries.
“We’re seeing more organizations moving to the cloud. They’re definitely moving quickly. And security teams aren’t wholly comfortable with the way cloud providers are giving us details about what’s going on in the environments,” report author Dave Shackleford, a SANS Institute analyst and instructor, said during a webcast to discuss the study findings.