Qualys Blog

Qualys Cloud Suite 8.9.1 New Features

This new patch release of the Qualys Cloud Suite, version 8.9.1, includes updates for Cloud-based scanner deployments, VM Reporting Enhancements, and expanded platform coverage for PC.

Cloud Platform: Added EC2 Proxy Server support for the connector and the ability to identify the provider for scanners deployed in cloud environments such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Vulnerability Management: Customer-requested improvements to a number of VM reports, and the ability to set a reopen date for Remediation Tickets.

Policy Compliance: Expanded platform coverage for Microsoft IIS 10, Pivotal Webserver 6, Docker and Windows Server 2016.

Qualys Cloud Platform 2.19 New Features

Qualys Cloud Platform release 2.19 includes updates and new features for:

  • Cloud Agent Platform (Version 2.0.0)
  • Web Application Scanning (Version 4.13.0)

Web and Mobile Apps Often Hide Complex Maze of Insecure Connections

To stay secure, organizations must gain control and visibility over their app landscape

For many years, Jason Kent used a good old-fashioned remote control clicker to open and close his garage door, but the mechanism recently got “appified” so he became curious about its security.

His interest isn’t surprising. After all, Kent is Qualys’ Vice President of Web Application Security, so this topic is near and dear to his heart, and it’s fair to say he knows a thing or two about these matters.

To satisfy his curiosity, he donned a black hoodie because, as he explained at RSA Conference 2016 Abu Dhabi in mid-November, “you have to look the part when you’re hacking IoT,” and he sat in his driveway to try to break into the app.

“I looked at the communication from my mobile app to my garage door through the cloud. I broke into the communication. I crafted a packet in my laptop. And the door opened,” he said during his presentation titled “Security in the App Era: Building Strength for an Interconnected World.”

As Web Apps Become Top Data Breach Vector, Protecting Them is Critical

There’s one thing that businesses, their customers and cyber criminals have in common: They all love web applications. The reasons for their affection, of course, vary.

Web apps add agility to organizations’ operations such as sales, marketing and customer support, and make business transactions more convenient for customers. Meanwhile, hackers salivate at web apps’ often porous attack surfaces and at their links to backend databases full of confidential information.

With web apps now a key tool for millions of businesses, as well as a major target for criminals, a troubling trend is emerging: The number of successful attacks against them is rising, along with the costs to recover from the resulting data breaches.

As web services power digital transformations in B2B and B2C e-commerce, mobility, IoT and cloud computing, organizations must prioritize web app protection, which infosec teams have historically overlooked.

BAI Security Eyes Threat Prioritization as Competitive Differentiator

BAI Security, a nationally-recognized security consultancy specializing in highly regulated industries, sees a big opportunity to further differentiate itself: threat prioritization.

Helping its customers pinpoint which vulnerabilities they must remediate right away is a natural expansion of the security auditing and compliance services it provides, such as breach risk, compromise and comprehensive IT security assessments.

“A lot of our competitors are just providing the vulnerability details without a lot of prioritization based on real world exploit activity,” says Michael Bruck, President and CTO of BAI Security.

At best, many security consultancies offer rudimentary prioritization analysis that, while better than nothing, still leaves customers with a lot of manual risk analysis on their hands. “So many organizations have dozens if not hundreds or thousands of ‘level 4’ and ‘level 5’ vulnerabilities,” Bruck says. “For IT departments with limited resources, tackling that is a huge challenge.”

Qualys Cloud Platform 2.18 New Features

Qualys Cloud Platform release 2.18 includes updates and new features for:

  • Qualys Cloud Platform (Version 2.18.0)
  • AssetView and ThreatPROTECT (Version 2.18.0)
  • Security Assessment Questionnaire (Version 2.3.0)
  • Web Application Scanning (Version 4.12.0)

Qualys Cloud Suite 8.9 New Features

This new release of the Qualys Cloud Suite, version 8.9, includes updates for usability and functionality across the platform as well as Vulnerability Management and Policy Compliance.

Cloud Platform: This release includes several significant improvements for authentication: SSH2 certificate support for UNIX authentication, Vault expansion to support Cyber-Ark AIM, Cisco NX-OS Authentication Records, and improvements to MS SQL Authentication. It also improves scan-related tasks, including overlapping scan prevention and network support for external scanners.

Vulnerability Management: This release is focused on features to simplify scan processing, improve asset identification, and expand remediation workflow options. A variety of reporting improvements from customer requests were also implemented.

Policy Compliance: We’re excited to announce that Policy Compliance now supports tag-based asset association with policies! Additionally, we’ve expanded UDC coverage, added new platforms, improved scanning workflow, and added policy locking to meet auditor requirements. You can now also export UDCs with your Policy export.

Agility and Flexibility Needed To Manage Risk Throughout Vendor Relationship Lifecycle

We conclude our series on assessing third-party risk, where we’ve described scenarios in which an automated, cloud-based system can help you identify security and compliance gaps among vendors, partners and employees.

As we have outlined in this blog series, CISOs and their infosec teams need clarity and visibility not only into their IT environments, but also across their roster of trusted vendors. Organizations that don’t properly assess and manage the risk of doing business with their vendors, partners, suppliers, contractors and other third parties make their IT network and data vulnerable to hackers.

Security Is Tough, but Infosec Pros Can Find Joy in the Work

Anger. Frustration. Despondency. Hopelessness. Capitulation.

These are typical feelings experienced by infosec pros, as they deal with careless end users, impatient executives, emerging technology, budget constraints and understaffing.

“It’s tough out there,” said Mike Rothman, president of Securosis, an information security and analysis firm.

Infosec Teams Need More Collaboration and Automation to Defend Their Organizations and Help Them Succeed

Infosec teams are under a figurative DDoS (distributed denial of service) attack caused by a variety of business and operational factors that overwhelm them and keep them from crafting strategies to address long-term challenges.

Instead, infosec pros spend most of their time at work doing “day-to-day” tasks due to issues like understaffing and an overload of security alerts, according to Joseph Blankenship, a Senior Analyst at Forrester Research.
