Qualys Blog

www.qualys.com
10 posts

Virtual Patching: A Lifesaver for Web App Security

Here’s a common scenario organizations increasingly face: Too many web apps with too many vulnerabilities and no chance for immediate remediation.

In the interim, the organization is left exposed to potentially devastating breaches, at a time when web apps have become one of cyber attackers’ favorite targets.

Continue reading …

PCI DSS v3.2 & Migrating from SSL and Early TLS v1.1

SSL & Early TLS vulnerabilities such as QID 38628 “SSL/TLS Server supports TLSv1.0”\ will be marked as a Fail for PCI as of May 1, 2017 in accordance with the PCI DSS v3.2.  For existing implementations, merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation & Migration Plan, which will result in a pass for PCI until June 30, 2018.

Continue reading …

Microsoft IIS 6.0 Buffer Overflow Zero Day

A new zero-day vulnerability (CVE-2017-7269) impacting Microsoft IIS 6.0 has been announced with proof-of-concept code. This vulnerability can only be exploited if WebDAV is enabled. IIS 6.0 is a component of Microsoft Windows Server 2003 (including R2.) Microsoft has ended support for Server 2003 on July 14, 2015, which means that this vulnerability will most likely not be patched. It is recommended that these systems be upgraded to a supported platform. The current workaround is to disable the WebDAV Web Service Extension if it is not needed by any web applications.

The Qualys Cloud Platform can help you detect the vulnerability, track and manage Server 2003 Assets, as well as block exploits against web-based vulnerabilities like this one.

Continue reading …

Protect Against Critical IIS 6.0 Buffer Overflow vulnerability (CVE-2017-7269) with Qualys WAF

Security researchers have disclosed a Buffer Overflow vulnerability (CVE-2017-7269) in the Microsoft Internet Information Service (IIS) 6.0 web server included in the Windows Server 2003 R2. Qualys Web Application Firewall (WAF) can help you block HTTP requests trying to exploit this vulnerability.

Continue reading …

Forrester’s DeMartine Talks DevOps, IoT, Flawed Tools and Other AppSec Hot Topics

After speaking at Qualys’ recent webinar  “Aligning Web Application Security with DevOps and IoT Trends,” Forrester’s Amy DeMartine granted us this Q&A, where she revisits and offers keen insights on issues including IoT security challenges and DevOps’ benefits for secure app dev. DeMartine, a Principal Analyst focused on security and risk professionals, also discusses “red teaming” for cloud products, and identifies signs you need a new automated security analysis tool.

Continue reading …

REST API Testing with Qualys Web Application Scanning

With more web applications exposing RESTful (or REST) APIs for ease of use, flexibility and scalability, it has become more important for web application security teams to test and secure those APIs. But APIs (including REST APIs) introduce some behaviors that make it difficult for web application scanners to test them for vulnerabilities.

New features in Qualys Web Application Scanning (WAS) overcome these difficulties.

Continue reading …

A Comprehensive Approach to Detect and Block the Struts Critical Vulnerability CVE-2017-5638

With hackers taking advantage of the Apache Struts vulnerability and aggressively attacking enterprises worldwide, Qualys can protect your organization from this critical bug, which is hard to detect and difficult to patch.

Recently disclosed, the Struts vulnerability is being actively attacked in the wild, as hackers jump at the chance to hit high-profile targets by exploiting this critical bug. Struts, an Apache open source framework for creating “enterprise-ready” Java web applications, is abundantly present in large Internet companies, government agencies and financial institutions.

For an informative walkthrough of the vulnerability and the Qualys detections, please view the Detect and Block Apache Struts Bug webcast recording.

Continue reading …

Smart DOM XSS Detection in Qualys WAS

Recently Qualys extended the cross-site scripting (XSS) detection capabilities of Qualys Web Application Scanning (WAS) by adding a new mechanism for detecting DOM based XSS (DOM XSS) vulnerabilities. The new mechanism works in an automated manner with no special setup or knowledge requirements, enabling security teams to greatly reduce the risk from these typically hard-to-detect vulnerabilities. Because of the technique Qualys WAS uses, it also indicates the location in your code of any XSS bugs found, which is pretty convenient for your development teams.

Continue reading …

Simplifying Web Application Security with Qualys Web Application Firewall 2.0

The completely redesigned Qualys Web Application Firewall (WAF) 2.0 provides greater confidence in application security through increased customization, one-click virtual patching ability, simplified controls and stronger security rules. Available now with these and other improvements, WAF 2.0 helps customers fend off hackers’ increasingly common, aggressive and destructive web app attacks.

Continue reading …

Cross-Site Request Forgery: What Happened to the Sleeping Giant?

A decade ago, cross-site request forgery (CSRF, often pronounced “c-surf”) was consideredCSRF to be a sleeping giant, preparing to wake and inflict havoc on the Worldwide Web.  But the doomsday scenario never materialized and you don’t even seem to hear much about it anymore.  In this blog post, part 1 of 2, I will explore this idea and try to understand why the CSRF giant never awoke.  First we’ll cover the overall threat landscape, trends, and some notable CSRF exploits throughout the years, including one from personal experience.

Continue reading …