Back to qualys.com
398 posts

Jenkins Plugin v2 for Qualys WAS Now Available

We are pleased to announce that the Qualys WAS Jenkins plugin v2 is now available.  This version of the plugin introduces new features to facilitate automation, and a more user-friendly design.

Continue reading …

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

The January release includes the following new policy and updates:

  • New CIS Benchmark for Ubuntu and PostgreSQL
  • Updates to almost 60 existing library policies

Qualys’ Certification Page at CIS has been updated.

Continue reading …

Qualys Cloud Platform 2.37 New Features

This release of the Qualys Cloud Platform version 2.37 includes updates and new features for Security Assessment Questionnaire and Web Application Scanning, highlights as follows.

Continue reading …

Know What’s on Your Network at All Times with Qualys Asset Inventory

Qualys has just launched a global IT asset inventory solution that offers full visibility across even the most hybrid, complex and distributed IT environments, addressing a challenge many security and IT teams face today.

When IT directors and CISOs look at their digitally transformed networks, they encounter many shadows that their legacy enterprise software tools can’t illuminate. These blind spots often include cloud workloads, containers, IoT systems, mobile devices, remote endpoints, and Operational Technology wares.

Because full visibility is essential for security, this foggy, fragmented view of a network makes the organization vulnerable to cyber attacks. Qualys Global IT Asset Inventory (AI) provides complete, continuous, structured and enriched asset inventory in hybrid environments.

“This is a really big deal because it’s the basis of security: If you don’t know what you have, you can’t secure it,” says Qualys Chief Product Officer Sumedh Thakar.

Justin Bendl, Senior Manager for Security & Compliance at Federal Home Loan Bank of Pittsburgh, says that Qualys AI has begun to assist the bank in expanding automation that provides real-time visibility into the completeness and accuracy of software assets.

“This automation is enhancing the bank’s overall control environment and further mitigating risks in a proactive manner,” Bendl says.

Philippe Courtot, Qualys Chairman and CEO, highlights the benefits of Qualys AI’s full integration with the Qualys Cloud Platform. “You will know instantly what assets connect to your network, and be able to assess their security and compliance posture in real-time, giving you unprecedented and essential visibility,” says.

Read on to learn more details about Qualys Global IT Asset Inventory and the use cases it’s designed for.

Continue reading …

RunC Container Breakout Vulnerability

Despite the huge advantages that containers offer in application portability, acceleration of CI/CD pipelines and agility of deployment environments, the biggest concern has always been about isolation. Since all the containers running on a host share the same underlying kernel, any malicious code breaking out of a container can compromise the entire host, and hence all the applications running on the host and potentially in the cluster.

That fear of container isolation failing to hold up turned out to be true yesterday when a vulnerability in runC was announced. runC is the key and most popular software component that most container engines rely on for spinning up containers on a host. The announced vulnerability allows an attacker to break out of the container isolation through a well-crafted attack (technical details of the vulnerability and the exploit are at https://seclists.org/oss-sec/2019/q1/119) and compromise the entire host. The vulnerability is particularly nasty because it is not covered by the default AppArmor or SELinux kernel-enforced sandboxing policies.

Continue reading …

Assess Vulnerabilities, Misconfigurations in AWS Golden AMI Pipelines

Today we’re starting a blog series focused on how to integrate Qualys solutions into DevSecOps for securing cloud infrastructures. In this initial post, we’ll discuss the importance of assessing vulnerabilities and misconfigurations on AWS pipelines.

When developing golden Amazon Machine Images (AMIs), DevOps teams should run continuous and automated checks to eliminate vulnerabilities and misconfigurations in them. It’s a critical security and compliance practice that Qualys recommends its customers adopt. 

To that end, Qualys partnered with Amazon to integrate the AWS Golden Amazon Machine Image Pipeline reference architecture with Qualys scanners for vulnerability and configuration compliance assessment.

The result: Qualys has just published a GitHub repository and documentation for implementing Qualys scanning of instances in a golden AMI pipeline. This will help customers detect and fix critical vulnerabilities and compliance issues in the image creation pipeline, before they reach production environments.

Continue reading …

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

Continue reading …

Qualys Cloud Platform 2.36 New Features

This release of the Qualys Cloud Platform version 2.36 includes updates and new features for AssetView (Cloud Assets and Cloud Agents) and Web Application Scanning, highlights as follows.

Continue reading …

Policy Compliance Adds UDC Support for Cloud Agent

Qualys is extending the Cloud Agent capabilities for users of the Policy Compliance (PC) application by letting them define controls.

Until now, the Cloud Agent could only assess Qualys PC’s “out of the box” controls. By adding support for user defined controls (UDC), Qualys PC users now can use Cloud Agents to evaluate those types of controls. UDCs allows users to create their own controls dynamically, as needed, without having to submit control requests to Qualys development.

The UDC controls you’ve already defined in your Qualys Policy Compliance account for compliance scanning will also be evaluated by Qualys Cloud Agent with no action required from you.

Continue reading …

Qualys Cloud Platform (VM, PC) 8.17 New Features

Qualys Cloud Platform (VM, PC) version 8.17 contains various feature enhancements in Qualys Vulnerability Management and Qualys Policy Compliance. In addition, this release also lowers the time required before pausing or canceling an ongoing scan. Previously, scheduled scans could be cancelled or paused after a minimum of one hour from its start time.

Continue reading …