
Trusted scans simplified with Cyber-Ark PIM Suite integration

May 18, 2017: Please refer to Better Trusted Scanning with Qualys-CyberArk Integration.

April 29, 2013: Edited with new screenshot.

Trusted scans collect more detailed vulnerability information than “un-trusted” remote scans. That’s not surprising: with a trusted scan, the QualysGuard scanner logs into the target machine and reads configuration data including registry values and configuration files on the file system, just like a regular user session could. QualysGuard uses the configuration data to verify whether or not certain vulnerabilities exist. When running un-trusted remote scans, QualysGuard collects data by pinging network-accessible services on the target machine and interpreting the responses.  QualysGuard then reports security issues that a remote attacker might use to access those systems. This approach misses local vulnerabilities such as those requiring user interaction from the browser or email client. Also, the response sometimes indicates the machine has a potential vulnerability, but not whether it is a confirmed vulnerability. Often a configuration value available via a trusted scan is required to determine if the potential vulnerability can be ignored or should be classified as a confirmed vulnerability.

For policy compliance, QualysGuard always performs trusted scans because system configuration data is required to verify compliance checks, such as password strength. For vulnerability management (VM) scans, QualysGuard administrators can choose either trusted or remote scans. But they often perform remote scans, even though they would benefit from the more detailed data collected in trusted scans.

In large organizations where thousands of machines are scanned regularly for vulnerabilities, managing passwords is a challenge. Currently administrators must manually provide QualysGuard with login credentials for each asset to be scanned.  Password policies add more complexity; for example if a password ages out and gets changed, then those changes must be passed to QualysGuard so that its passwords remain current. The teams in charge of managing the scans usually don’t own the scanned machines.

Better Manageability with Cyber-Ark Integration

Using QualysGuard integration with Cyber-Ark Privileged Identity Management (PIM) Suite, management is simplified because organizations no longer need to store a copy of their passwords in QualysGuard. QualysGuard stores a pointer to the location of the password information in the Cyber-Ark Enterprise Password Vault® of the PIM suite, and the scanner appliance requests the password when it needs to perform the trusted scan.  Because passwords are maintained in the Cyber-Ark Enterprise Password Vault®, the organization can change passwords at will or by using any policy via Cyber-Ark without having to worry about synchronizing those changes to QualysGuard.


Increased Security, Control and Audit of Login Credentials

While QualysGuard has industry-leading protections on the data it stores, some organizations that are particularly sensitive to password controls now have the assurance that QualysGuard no longer needs to store passwords centrally. In fact, an organization could set up a password policy to change its passwords via Cyber-Ark PIM Suite immediately after each password is used by QualysGuard to perform a trusted scan.

To revoke access, an administrator only needs to disable one user in Cyber-Ark instead of changing the relevant password on each target machine. Cyber-Ark can also store an audit trail of all uses of the login credentials.

How it Works

Configuring Trusted Scans: Without the Cyber-Ark integration, an admin configures QualysGuard with the logins and passwords that will be used for the trusted scans. With the Cyber-Ark integration, the admin configures QualysGuard with the Cyber-Ark Enterprise Password Vault® server and the correct safe within the vault where the passwords are stored (see Figure 1), and with the Windows or Unix authentication record specifying an authentication vault for a specific trusted scan (see Figure 2).


Figure 1 – Create a Cyber-Ark authentication vault record in QualysGuard


Figure 2 – Create a Windows or Unix authentication record specifying the use of an authentication vault

Running Trusted Scans: When the scan is ready to run, QualysGuard sends a request to the scanner appliance to run the trusted scan.  Instead of specifying the password of the target machine, QualysGuard specifies the IP address of the Cyber-Ark Enterprise Password Vault® server and the name of the safe.  The scanner appliance then passes this information to Cyber-Ark and requests the password for the given username, which it uses to log into the target machine and perform the trusted scan.  After performing the scan, the scanner deletes every trace of the password and sends the scan results back to QualysGuard. The process is done.
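The flow described above, sketched as an added example that is not Qualys or Cyber-Ark code: the `Vault` class, its methods, and every name and value are constructed stand-ins, not either product's API. It shows the authentication record holding only a pointer, retrieval at scan time, rotation after use, and the audit trail.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AuthRecord:
    """What the scan platform stores: a pointer into the vault, never a password."""
    vault_address: str
    safe: str
    username: str

@dataclass
class Vault:
    """Constructed in-memory stand-in for a password vault (hypothetical API)."""
    safes: dict                      # safe name -> {username: password bytes}
    enabled_users: set               # vault users allowed to retrieve secrets
    audit: list = field(default_factory=list)

    def retrieve(self, vault_user, rec):
        allowed = vault_user in self.enabled_users
        # Every attempt is recorded, whether it succeeds or not.
        self.audit.append((vault_user, rec.safe, rec.username,
                           "retrieved" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{vault_user} is disabled in the vault")
        return bytearray(self.safes[rec.safe][rec.username])

    def target_accepts(self, rec, password):
        # Stand-in for the target's login check; the vault manages that password.
        return hmac.compare_digest(self.safes[rec.safe][rec.username], password)

    def rotate(self, rec):
        # Policy from the text: change the password right after the scan used it.
        self.safes[rec.safe][rec.username] = secrets.token_bytes(16)

def trusted_scan(vault, vault_user, rec):
    secret = vault.retrieve(vault_user, rec)   # fetched only at scan time
    try:
        login_ok = vault.target_accepts(rec, secret)
    finally:
        secret[:] = bytes(len(secret))         # best-effort wipe of the scanner's copy
        vault.rotate(rec)
    return {"login_ok": login_ok, "residual": bytes(secret)}
```

Because the record never changes when the password does, a second scan succeeds after rotation, and removing the scanner's vault user from `enabled_users` blocks every later retrieval without touching a target machine.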

Better Information for Stronger Security

For organizations that currently perform trusted scans, password management is now easier and more secure. This integration will hopefully encourage organizations to expand their trusted scanning across their global assets to collect better vulnerability and compliance data from their systems.

Important Changes to PCI Scan Compliance – Sept 1st Deadline

The September 1, 2010 deadline is here and the new PCI DSS scanning changes announced by PCI SSC earlier this year go into effect today. The new ASV program guide 1.0 includes considerable changes to the way ASV scans are performed. A lot of attention has been given to scoping, discovery, scoring and attestations. These are great improvements and bring about a lot of uniformity and accountability in the scanning process, even though they add a certain amount of extra work for the merchant and the ASV. Today we released QualysGuard PCI 5.0 to support the new requirements and help merchants easily navigate through the complexity these requirements bring about. All of us in engineering have been working on this release for the past few months, and we have put in considerable effort to come up with a very cool UI to increase the interactivity and ease-of-use of the product, starting with the home page all the way to submitting the report for attestation. We are very excited about these new features and we hope you will like them as well. We welcome any feedback, so feel free to respond to this post and ask questions or provide comments.

Let me summarize the new UI capabilities added to QualysGuard PCI 5.0 and discuss how these changes support the new ASV requirements for today’s deadline:


The new dashboard style homepage instantly presents a clear view of the current status of your network by showing whether you are passing or failing and what % of hosts are compliant. We also show counts of vulnerabilities under the new categorizations of High, Medium and Low. No matter how large your network, you can get this info without running any reports. The same applies to the SAQ dashboard, which shows how complete your questionnaire is, and how many YES/NO answers you have filled out. Also the new homepage is a great starting hub for all the important workflows like the asset wizard, SAQ wizard or starting a scan.



There are many new changes in the reports. There are new scoring criteria for vulnerabilities based on CVSS base score (High, Medium, Low). Reports now include clear information on passing/failing components as well as documenting false positives etc. In the application the main change is the interactivity of the reporting module, with sliding panels for detailed information as well as quick filters that help you search and sort on various criteria instantly. Navigation is very easy and pages are loaded without needing a full refresh of the screen. There is also a very useful graph of your current account summary highlighting the potential and confirmed vulnerabilities. The PCI Council has now made a clear statement that ALL ASVs need to report potential vulnerabilities, which Qualys has always done from the beginning.



The new compliance report wizard walks you through every step of the process in an informative manner, presenting the various tasks that need to be taken care of for the compliance report, including a way to fill out the mandatory merchant attestation. 'Special Notes' are required for certain types of software detected on the network. Merchants can provide a consolidated action plan for IPs that still fail compliance. The wizard will then walk you through the steps to attest the report and request a review of the report from the ASV. Given the extra steps, I recommend merchants allow for an extra 3-5 days to get the review completed before they can download certified reports.



Assets Wizard:

A new workflow has been added to walk merchants through the process of identifying IPs and domains that are in scope for PCI compliance. Providing the URL of your payment application is important so we can scan it for various web application vulnerabilities like SQL injection and XSS. There is a new discovery process that tries to identify other IPs based on common host-names like www, mail, smtp and MX record lookup, to provide merchants with the option to include them in their account. Steps have been included to attest to load balancer settings as well as provide info on configuring IPS/IDS to allow for Qualys scanner IPs, as this is a requirement from the council.


False Positives Reporting Workflows:

The new requirements state that all approved false positives must be revalidated by the ASVs on a quarterly basis. In order to help you identify these expired false positives, we introduced new workflows with an easy-to-use false positive request tracking interface to identify them and resubmit for approval every 90 days.


Seamless Integration with QualysGuard:

Another important change is that now customers using QualysGuard to perform PCI scanning can continue to do so in QualysGuard, but must use QualysGuard PCI to generate certified reports and submit for attestation. As part of this release, we have added seamless integration between the two products to facilitate this attestation process and allow customers to continue to use QualysGuard (Enterprise, Express or Consultant) for PCI scanning. For more information, see Using QualysGuard PCI integration.

As you can see, these are all considerable changes and we hope they will help all our customers, as well as our ASV partners, that use QualysGuard in their PCI practices to become more efficient in managing PCI compliance. I have attempted to make a quick video highlighting the new QG PCI 5.0 UI as best as an engineer can :-) Please give us your feedback!!


PCI DSS to Address Virtualization in the Cloud

Today the PCI Council released a summary of the expected changes to PCI-DSS and PA-DSS v2.0 releases scheduled for October 2010. You can find the summary on their website.

Remember that this is just a list of the highlights of the proposed changes. The actual changes themselves will come later. The draft of the new DSS will be shared with the PCI community in September at the Orlando meeting and will then likely be published in October 2010. Changes will be expected to take effect Jan 2011.

Apart from a bunch of interesting 'guidance', 'clarifications' and 'evolving requirements', what I found most interesting was the language around virtualization. Current requirement 2.2.1, with its language of "one primary function per server", has always been the thorn in the side of many merchants trying to catch up with technology and become more scalable and dynamic by using the powers of virtualization. What if you do want to put a virtual webserver and virtual database on the same physical server? Does it violate the "one function per server" requirement?

The PCI council had set up a SIG to deal with virtualization and it is going to be awesome to finally see their recommendations getting incorporated into the DSS. We will have to wait and see the actual language in the new standard but it’s encouraging to see that PCI DSS is addressing the cloud and virtualization! It will be interesting to see how that change affects other requirements like firewalls and pen testing and performing vulnerability scans of dynamic environments with images that are not up all the time. I suspect merchants will be able to use the 'sampling' route to comply with the other requirements.

In any case, I am looking forward to the PCI community meeting in Orlando to get more details on these changes and discuss them with the council and the community. And I hope the results will make quite a few merchants who want to fly to the 'cloud' very happy!


Qualys Technology Blog

Welcome to the Qualys Technology Blog, a team blog written by the thought leaders at Qualys.

This blog will expose to the Qualys Community some of the interesting technical projects under way at Qualys and some of the talented people behind those projects.  The focus of the articles will be to explain the technology and show how it is relevant and interesting.  And it will give community members a forum to engage with each other and with Qualys around new, cutting edge topics.