Cookies are ubiquitous in today’s modern web applications. If an attacker can acquire a user’s session cookie by exploiting a cross-site scripting (XSS) vulnerability, by sniffing an unencrypted HTTP connection, or by some other means, then they can potentially hijack a user’s valid session. Obviously, this can have negative implications for an organization and its users, including theft of sensitive application data or unauthorized/harmful actions.

Qualys Web Application Scanning reports when it discovers a cookie delivered over an HTTPS channel without the “secure” attribute set. This detection is useful for verifying correct coding practices for individual web applications & developers, and across your entire organization. Cookies marked with the secure attribute will never be sent over an unencrypted (non-HTTPS) connection, which keeps them safe from prying eyes that may be sniffing network traffic.

Continue reading …

This release of the Qualys Cloud Platform version 2.35 includes updates and new features for AssetView, Cloud Agent, Security Assessment Questionnaire, and Web Application Scanning, highlights as follows.  (Note: this post has been edited after publishing to remove the Rule-Based Method to Purge/Uninstall Cloud Assets and Cloud Agents, and Azure Cloud Connector, which will be available in a subsequent release.)

Continue reading …

Qualys offers a wide array of security and compliance solutions for your organization.  All capabilities are delivered from Qualys Cloud Platform.  Visit Qualys Cloud Platform Apps to learn more.

But let’s narrow the discussion to web application security.  To have a complete webappsec program, it’s important that ALL of your web applications have some level of security testing.  Automated scans using Qualys Web Application Scanning (WAS) are perfect to meet this need given its cloud-based architecture, accuracy, and ability to scale.  However, performing manual penetration testing against your most business-critical applications is highly recommended to supplement automated scanning.  Manual analysis complements scanning by identifying security holes such as flaws in business logic or authorization that an automated scanner would be incapable of detecting.

One of the most popular tools for manual testing of web apps is Burp Suite Professional. This month Qualys introduced a Burp extension for Qualys WAS to easily import Burp-discovered issues into Qualys WAS.  With this integration, Burp issues and WAS findings can be viewed centrally, and webappsec teams can perform integrated analysis of data from manual penetration testing and automated web application scans. The combined data set may also be programmatically extracted via the Qualys API for external analysis.

Continue reading …

This release of the Qualys Cloud Platform version 2.34 includes updates and new features for Cloud Agent, EC2 Connector, Continuous Monitoring, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall, highlights as follows.

Continue reading …

With web and mobile apps becoming a preferred vector for data breaches, organizations must include application security in their plans for complying with the EU’s General Data Protection Regulation (GDPR.)

GDPR went into effect in May, imposing strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.

While GDPR makes only a few, vague references to technology, it’s clear that, for compliance, infosec teams must demonstrate that their organizations are doing their best to prevent accidental or malicious misuse of EU residents’ personal data.

Thus, organizations must have a rock-solid security foundation for superior data breach prevention and detection, and web application security has to be a core component of it.

Continue reading …

This release of the Qualys Cloud Platform version 2.32 includes updates and new features for AssetView, EC2 Connector, File Integrity Monitoring, Indication of Compromise, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall, highlights as follows.  (Post updated 3/23 to include new FIM features for this release.)

Continue reading …

In the new 2017 edition of the OWASP Top 10, XML External Entities (XXE) make their first appearance at #A4 on the list. Qualys is pleased to announce that Qualys Web Application Scanning (WAS) engine 4.4 includes new detection capabilities for XXE vulnerabilities.

Continue reading …

“To know what is right and not do it is the worst cowardice.”

That phrase was uttered by Confucius 2,500 years ago, but reflects the spirit behind a recent revamp of a Cisco web app development process that made it more effective and secure.

“This is important as we talk about the secure software development lifecycle, because we weren’t doing what we needed to do, even though we knew what was right,” said Robert Martin, security engineer in Cisco’s Government Trust and Technology Services group.

In a nutshell, the process had fallen into a vicious cycle that pleased no one: Little communication between developers and security pros, combined with late vulnerability scans, yielded buggy software that had to be belatedly fixed, leading to missed deployment deadlines.

“We were making the same mistakes over and over again, and we weren’t making any corrections,” Martin said.

Sound familiar? This is a scenario in which countless organizations have found themselves. After years of using a linear, siloed model for creating and releasing software, organizations discover that this approach doesn’t work well in the era of rapid, agile web development and deployment.

To the credit of Martin and his group, they did something about this, instead of simply plodding along and settling for the status quo.

Continue reading …

Qualys Product Management Director Tim White and SANS Institute Analyst John Pescatore did a deep dive into the Center for Internet Security’s Critical Security Controls during a recent webcast, and answered questions from audience members about these 20 foundational security practices, and about the importance of maintaining basic security hygiene.

In this blog post, we’re providing edited transcripts of their answers to all the questions, including those that they didn’t have time to address during the one-hour webcast, which was titled “Automating CIS Critical Security Controls for Threat Remediation and Enhanced Compliance.” We hope you find their explanations insightful and useful.

In addition, if you didn’t catch the webcast live, we invite you to listen to the CIS controls webcast recording. We also encourage you to download a copy of a highly detailed guide that maps the CIS controls and sub-controls directly to specific features in Qualys apps.

Continue reading …

The new version of Qualys Web Application Scanning, WAS 5.7, adds an integration with Bugcrowd for centralized viewing and triaging of both WAS automated vulnerability detections and vulnerabilities submitted by Bugcrowd’s approved security researchers.

Continue reading …