This release of the Qualys Cloud Platform version 2.39 includes updates and new features for Out-of-Band Configuration Assessment (OCA), Vulnerability Management, and Web Application Scanning, highlights as follows.
Cookies are ubiquitous in today’s modern web applications. If an attacker can acquire a user’s session cookie by exploiting a cross-site scripting (XSS) vulnerability, by sniffing an unencrypted HTTP connection, or by some other means, then they can potentially hijack a user’s valid session. Obviously, this can have negative implications for an organization and its users, including theft of sensitive application data or unauthorized/harmful actions.
Qualys Web Application Scanning reports when it discovers a cookie delivered over an HTTPS channel without the “secure” attribute set. This detection is useful for verifying correct coding practices for individual web applications & developers, and across your entire organization. Cookies marked with the secure attribute will never be sent over an unencrypted (non-HTTPS) connection, which keeps them safe from prying eyes that may be sniffing network traffic.
This release of the Qualys Cloud Platform version 2.35 includes updates and new features for AssetView, Cloud Agent, Security Assessment Questionnaire, and Web Application Scanning, highlights as follows. (Note: this post has been edited after publishing to remove the Rule-Based Method to Purge/Uninstall Cloud Assets and Cloud Agents, and Azure Cloud Connector, which will be available in a subsequent release.)
Cyber criminals are constantly looking for opportunities to infect legitimate websites with malware. They can use infected websites to cryptomine, steal data, hijack systems, deface pages, and do other damage to harm a company’s reputation and impact their users. This can result in lost revenue, and regulatory fines, and potentially drive customers away.
SiteLock researchers recently reported that a website is attacked on average almost 60 times per day, and that 1% of all websites — about 19 million globally — carry malware at any point in time. Those often include websites from large, well-known companies. For example, Newegg, British Airways and Ticketmaster all recently fell prey to the Magecart credit card skimming malware.
It’s clear that anti-virus software, firewalls, and other prevention tools are not enough to defend against the steady stream of ever-evolving malware. Even if a company’s website is secure from external attackers, this does not mean the website is safe from infection from third-party content providers or advertising used on the website.
Firewalls aren’t infallible, and neither are AV products. Perhaps most frustrating of all is that despite years of awareness training, employees still inadvertently click on malicious links and attachments, John Delaroderie, a Qualys Security Solutions Architect, said recently at Microsoft Ignite 2018.
“That’s why you need a superhero sidekick on your team — to find this malware, root it out at the source, and keep your website safe,” he said.
A new remote code execution vulnerability in Apache Struts 2, CVE-2018-11776, was disclosed yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.
Update August 24, 2018: A dashboard for this vulnerability is now available to download.
Qualys offers a wide array of security and compliance solutions for your organization. All capabilities are delivered from Qualys Cloud Platform. Visit Qualys Cloud Platform Apps to learn more.
But let’s narrow the discussion to web application security. To have a complete webappsec program, it’s important that ALL of your web applications have some level of security testing. Automated scans using Qualys Web Application Scanning (WAS) are perfect to meet this need given its cloud-based architecture, accuracy, and ability to scale. However, performing manual penetration testing against your most business-critical applications is highly recommended to supplement automated scanning. Manual analysis complements scanning by identifying security holes such as flaws in business logic or authorization that an automated scanner would be incapable of detecting.
One of the most popular tools for manual testing of web apps is Burp Suite Professional. This month Qualys introduced a Burp extension for Qualys WAS to easily import Burp-discovered issues into Qualys WAS. With this integration, Burp issues and WAS findings can be viewed centrally, and webappsec teams can perform integrated analysis of data from manual penetration testing and automated web application scans. The combined data set may also be programmatically extracted via the Qualys API for external analysis.