Qualys® Newsletter Blog

Call for Papers: Qualys Security Conference 2015

community-admin@qualys.com — Mon, 11 May 2015 15:00:08 +0000

Our annual user conference, QSC15 is quickly approaching and we are looking for presentations on hot topics related to security, best practices and case studies leveraging the use of Qualys technologies.

If you would like to be considered as a presenter, please send a session title and short abstract to Melissa Liton at mliton@qualys.com. The CFP is open until August 10, 2015.

This year’s event will be held at the Aria Hotel and Convention Center October 8-9, in Las Vegas. QSC is a unique event with the main purpose to connect our customers and partners with our engineers and leading industry experts. To learn more about Qualys Security Conference, see the QSC14 highlights reel.

SSL News Roundup

community-admin@qualys.com — Fri, 20 Mar 2015 17:42:30 +0000

Here's a summary of this week's SSL news, in case you missed any of it:

SSL Labs API Available

Qualys SSL Labs now includes free assessment APIs, accompanied by a free open source tool that can be used for bulk and automated testing of websites. These APIs and tool are already being used to consolidate testing of websites, detect changes in results and get notifications when certificates expire. And we continue to see public reports of poor SSL configurations, with the goal of motivating companies to improve their security. Here's an article from eWeek.

Hide the remainder of this article

Best Practices

Qualys' Ivan Ristic wrote in CSO Online magazine about the top 4 super-important things to get right in your SSL configuration. And if you've already got those under control, see the complete SSL/TLS Deployment Best Practices guide at SSL Labs.

OpenSSL

The OpenSSL project released updates for four versions of the software, covering 12 security fixes for vulnerabilities reported to them in recent months by several cybersecurity researchers. Fortunately, the issues were not as severe as people thought.

SSL Pulse Updates

From our friends at SSL Pulse come updates to their continuous and global dashboard for monitoring the quality of SSL support across the top one million web sites: new graphs for Protocol Downgrade Defense & OCSP Stapling, plus an updated graph for Key Exchange Strength. For details, see the help pop-ups in the headline of each graph.

Webcast March 26: Detecting & Addressing Unsafe SSL Configurations

SSL and security experts Ivan Ristic (SSL Labs), Wolfgang Kandek (Qualys CTO) and Jonathan Trull (Qualys CISO) discuss the state of SSL encryption, how major problems are being addressed and new features in Qualys SSL Labs.

Thursday, March 26 at 10am Pacific

Call for Customer Presenters in Qualys Booth at RSA Conference 2015

community-admin@qualys.com — Mon, 09 Mar 2015 18:09:56 +0000

Are you a Qualys customer with an interesting story to tell about how Qualys has helped your organization improve its security posture?

If yes, we would love to have you speak in the Qualys Booth at RSA Conference 2015 in San Francisco, April 20-24, 2015.

Hide the remainder of this article

How It Works

We're looking for customers who are excited to tell their story with slides and/or a short demo for about 20 minutes on two or three different days during RSA Conference. You'll present in the Qualys booth, and can expect 30-50 people in the audience. As a thank you for your time and effort, Qualys would like to offer you a full conference pass to RSA Conference, and to pay for your travel and hotel accommodations. And of course you'll get recognition for your success, plus questions and feedback from the audience at the end of your presentation.

Propose Your Topic

If you're interested, please send your proposed presentation topic and a short paragraph describing what you'd like to cover to Melissa Liton (or mliton@qualys.com) before Monday, March 16, and she will get in touch with you.

Thank you, and we look forward to having some great customer stories at RSA Conference!

Qualys Named a Finalist for Seven 2015 SC Awards

community-admin@qualys.com — Fri, 13 Feb 2015 19:05:19 +0000

Qualys has been named a finalist in seven categories for the 2015 SC Awards which recognizes outstanding leadership and achievement in information security. In addition to being named a finalist for the coveted Best Security Company of the Year, Qualys is also a finalist in the following categories: Best Customer Service, Best Vulnerability Management Solution, Best Policy Compliance Solution, Best Risk/Policy Management Solution, Best SME Security Solution, Best Enterprise Security Solution and Best Regulatory Compliance Solution.

The SC Awards is one of the information security industry’s most prominent recognition for cybersecurity professionals, products and services. The awards recognize the achievements of security professionals in the field, the innovations happening in the vendor and service provider communities, and the vigilant work of government, commercial and nonprofit entities. Winners of this year’s SC Awards U.S. will be announced at a gala dinner and award ceremony to be held in San Francisco on April 21, 2015.

Black Hat USA 2014: Security Risks of the Internet of Things

community-admin@qualys.com — Wed, 20 Aug 2014 15:28:56 +0000

Black Hat USA 2014 is one of the most widely attended security conferences of the year and this year there were a number of interesting briefings on a variety of topics such as automotive attack surfaces, POS malware, cloudbots and more. Qualys presented two pieces of research surrounding TSA vulnerabilities as well as hacking physical devices such as keyless cars and home alarm systems.

Hide the remainder of this article

Here’s a recap:

TSA Vulnerabilities

One of the most talked about briefings of the event came from Qualys’ Director of Threat Intelligence Billy Rios who presented his findings on TSA vulnerabilities in, Pulling Back the Curtain on Airport Security: Can a Weapon get Past TSA? Speaking to a standing-room only crowd, Rios outlined how modern TSA airport security devices and networks operate and revealed some of the potential vulnerabilities and risks he discovered in scanning devices. His research and subsequent talk generated lots of interest from attendees and media alike including: BBC, Bloomberg BusinessWeek and Forbes.

Keyless Car Vulnerabilities

Silvio Cesare Director of Anti-Malware Engineering for Qualys showcased his research on how he was able to break into a number of household and common devices such as a popular model car and home alarm systems in his talk, Breaking the Security of Physical Devices. He also discussed ways of mitigating these attacks and avoiding the bad and buying the good. You can check out a preview video of his talk or read about it in USA Today, WIRED and The Telegraph.

Continuous Security

Jonathan Trull, CISO for Qualys, talked about the importance of continuously monitoring the global perimeter in his talk, Building a Continuous Security Program for your Global Perimeter. Trull discussed why organizations should adopt a continuous security practice and how to create a blueprint that spans the entire lifecycle, from discovering assets to prioritizing issues and mitigating exploits.

These talks, along with the other briefings at Black Hat highlight the growing security risks associated with the evolving world of “Internet of Things.” As more and more everyday devices (think home appliances, wearables, baby monitors, etc.) are connected to the Internet, the technological challenge of securing the devices and data becomes critical. If the Black Hat conference agenda was any indicator, this is only the tip of the spear with a long road ahead.

Gartner Security & Risk Management Summit

community-admin@qualys.com — Mon, 02 Jun 2014 18:46:00 +0000

The lineup of sessions at Gartner Security & Risk Management Summit includes three presentations from Qualys. We are excited to participate in the conference, and look forward to seeing you!

Hide the remainder of this article

Prevent Breaches with a Sustainable Continuous Security Program

Corey Bodzin, Qualys, VP of Product Management

Monday, June 23, 1:35 PM

Historically, IT security has revolved around events like Patch Tuesday or Heartbleed. While it is accepted that cybersecurity must move from periodic projects to a continuous process, this evolution has been blocked by insufficient resources to manage the software or analyze the data. This session will showcase how cloud-based QualysGuard Continuous Monitoring helps organizations establish a global continuous security program that is pervasive and resource-efficient, helping them detect threats and prevent breaches.

Rapid Response to Heartbleed : A CISO Panel Discussion

Wolfgang Kandek, Qualys, CTO

Mike Curry, State Street Bank, VP of Information Security

Trace Ridpath, State of Colorado, Interim CISO

Tuesday, June 24, 9:45 AM

Heartbleed hit the Internet without warning, creating havoc and raising awareness from consumers to CEOs. In this session, IT leaders from business and government will discuss how they addressed Heartbleed, how they continue to monitor it, and what lessons were learned that can prepare us for the next inevitable Internet shock. New Heartbleed statistics derived from millions of scans performed by Qualys SSL Labs will also be unveiled.

Cyber-Hygiene Through Continuous Auditing

Jonathan Trull, Qualys CISO

Wednesday, June 25, 11:30 AM

According to the U.S. government, 96 percent of successful breaches can be avoided through basic cyber-hygiene, such as vulnerability and configuration management, but threats evolve so quickly that information security and risk management teams struggle to keep track of their posture. During this session we will discuss how to implement continuous auditing as the cornerstone of an effective cyber-hygiene program. We will also enumerate best practices for achieving cost-effective real-time situational awareness.

Qualys Hospitality Suite at Gartner

In addition to the sessions, Qualys cordially invites you to visit our hospitality suite, Safari on the Serengeti, on Tuesday, June 24 at 5:45 PM.

Put on your khakis and start up the Land Rover, Qualys is taking you on a safari! Let us be your expert guide through the wild world of cybersecurity and the Serengeti. Enjoy themed cocktails and appetizers with your peers as well as unique surprises throughout the evening (sorry, no charging rhinos though!). Your adventure will conclude with a drawing for a 2014 Vespa Scooter.

We hope you can join us!

Welcome to the New and Improved Qualys Community

community-admin@qualys.com — Wed, 14 May 2014 17:20:58 +0000

Qualys Community just got upgraded!

You're seeing the new, cleaner design with full-width content that makes it easier to find answers to your questions and to connect with your IT security peers.

Read on to learn how to get the most out of your Qualys Community experience:

Easier Navigation
Mobile Access
Search
Subscriptions

And of course, please ask if you have questions or feedback or suggestions. The Qualys Community team wants to make Qualys Community as helpful and seamless for you as possible.

Hide the remainder of this article

Easier Navigation

The Discussions page and the Content tab in any community, e.g. the Policy Compliance content tab, add new filters to help you focus into the information you need quickly and easily. New list and card views provide a more visual and intuitive way to parse and organize content, and to find what you're looking for.

The same kinds of controls make it easier to find other community members to collaborate with.

And the Qualys Blog has been consolidated into a single, cohesive whole, also with new global filters that make it easy to find posts by topic, author, date and tag.

Mobile Access

Access Qualys Community from your smartphone or tablet by pointing your mobile browser at https://community.qualys.com/ (which redirects to https://qualys.jive-mobile.com/). Key community functions are easily performed on the mobile-optimized interface:

Navigate the site, search, and view Activity and Inbox.

Browse, follow, create and reply to discussions.

Improved search

New spotlight search, i.e. the search box in the top banner of every page, and also shown at left, displays search results directly below the search box as you type, including content, members and communities. In one click, you can restrict results to only the community where you are currently searching. Spotlight search also shows your recently and frequently viewed content and bookmarks.

Once you hit enter, you see a new search results page with simple filters for content type, author, community and time modified, plus a sort-by control.

Behind the scenes, search now uses knowledge of the user's community context to provide more relevant search results, so search should provide you with better results now.

Subscribe to What You Want to See

Subscribe to any discussion, document, blog, or community by clicking the Follow button you find on any page.

Then click Inbox & Activity in the drop-down under your username to see the latest updates from everything you've subscribed to. Sets of subscriptions are called streams.

The streams organize all of the community threads, documents and blog posts that you're interested in so that you can easily read them in one place.

In the example below, you can see my two default streams that you start with: Connections, which displays all updates for everything I subscribed to; and Inbox, which also sends me an email. If you had "email watches" from before the upgrade, they will be in a third stream called, appropriately enough, Email Watches. Your inbox also contains all of your private messages, and will continue to be where you receive private messages (now called simply messages).

You can create additional streams if you want separate areas for different types of subscriptions. And you can create new streams, add or remove subscriptions in a stream, turn email alerts on and off, all directly from the Inbox & Activity page.

If you have any questions, feedback or suggestions, please let us know!

Qualys at RSA Conference 2014

community-admin@qualys.com — Mon, 03 Mar 2014 18:37:36 +0000

To help keep track of what happened at RSA Conference 2014, here's a quick list of Qualys' activities over the week:

Conference Events

Qualys CEO keynote: View Philippe Courtot's keynote presentation on-demand.
Automating the 20 Critical Security Controls: Download the slides from Wolfgang Kandek's RSA Conference session.
Book Signings:
- Cybersecurity and Cyberwar with authors P.W. Singer and Allan Friedman
- Fatal System Error with author and Reuters journalist Joseph Menn
- Anti-Hacker Tool Kit, Fourth Edition with author Mike Shema

Customer Reception

New Blog Posts from Qualys Community

SSL Labs: Testing for Apple's TLS Authentication Bug: Updates to SSL Labs let you test for this newly-discovered (and now patched) bug.

MediaWiki DjVu and PDF File Upload Remote Code Execution Vulnerability: Deep-dive into only the third remote code execution vulnerability ever found to affect the MediaWiki platform.

Announcements

QualysGuard Continuous Monitoring enables customers to continuously monitor mission-critical assets throughout their perimeter and immediately get alerted to anomalies that could expose them to cyber attacks.

Sign up for the beta.
Read the announcement.

QualysGuard Web Application Firewall offers rapid deployment of robust security for web applications with minimal cost of ownership, and is constantly updated with new rules to keep up with application updates and newly emerging threats.

Sign up for a free trial.
View the features overview.
Read the announcement and blog post.

Top 4 Security Controls helps organizations quickly determine if the PCs in their environments have properly implemented the Top 4 Critical Security Controls, which the Council on CyberSecurity estimates can help companies prevent 85% of cyber-attacks. The Top 4 Security Controls are released in collaboration with the SANS Institute and the Council on CyberSecurity.

Sign up for Top 4 Security Controls.
Read the announcement.

2014 SC Magazine Awards

Qualys named Best Security Company.

Partnerships

Risk I/O: For businesses that need to understand the vulnerability and threat risks of their organization’s perimeter in real-time, the new integration enables them to sync their vulnerability data with Risk I/O’s threat processing engine, allowing organizations to gain visibility into their most likely vector for a breach.
AlgoSec Partners: The integration provides visibility into the risk levels of data center applications, enabling IT and security teams to effectively communicate with business stakeholders so they can “own their risk” by quickly taking the actions needed to mitigate IT security issues.

Qualys Wins Best Security Company at SC Magazine Awards

community-admin@qualys.com — Fri, 28 Feb 2014 17:57:18 +0000

Qualys is proud to announce that it was named Best Security Company earlier this week at the 2014 SC Magazine Awards. The awards acknowledge companies with superior security products that help customers tackle today’s most pressing information-technology (IT) challenges. The announcement was made on February 25, 2014 at the 17th annual SC Awards U.S. Gala in San Francisco, in conjunction with the annual RSA Conference. The criteria for the judging included: product line strength, customer base, customer service/support, research and development, and innovation.

“The SC Awards are the security industry’s most prestigious accolade, bestowed only to the most impressive companies in the security industry,” said Illena Armstrong, VP of editorial, SC Magazine. “Qualys can be very proud of this achievement and the many long hours of dedicated service that it represents.”

“We are honored to be named the Best Security Company by SC Magazine,” said Philippe Courtot, chairman and CEO, Qualys. “We share this honor with our customers and partners, who throughout the years, have been our guiding force to continue improving our existing cloud-based security and compliance solutions and design new innovative ones.”

Qualys also won the award for SC Award for Best Security Company in 2011. Read the full news release.

Qualys Launches New Free Top 4 Service

community-admin@qualys.com — Wed, 26 Feb 2014 18:32:30 +0000

In collaboration with the SANS Institute and the Council on CyberSecurity, Qualys today announced a new free service to help organizations implement the Top 4 Critical Security Controls to fend off attacks. The new service, available at https://qualys.com/top4, helps organizations quickly determine if the PCs in their environments have properly implemented the Top 4 Critical Security Controls, which the Council on CyberSecurity estimates can help companies prevent 85% of cyber-attacks.

Hide the remainder of this article

Qualys will unveil this free service with representatives from the SANS Institute and the Council on Cyber Security at the RSA Conference Booth #2821 today at 11:30 am PT.

"The Qualys Top 4 service is an extremely elegant and effective solution that helps both small and large businesses determine how resilient they are to today's advanced threats,” said Jonathan Trull, CISO for the State of Colorado. “This is exactly the type of public-private partnership our country needs to address the cyber attacks threatening our economy and critical infrastructure."

“This is the first time that a major security vendor has implemented a scoring and reporting algorithm that allows organizations to compare themselves with peers,” said Alan Paller, director of research for the SANS Institute. “Scoring like this is the only technique I have ever seen that causes organizations to implement the changes that lead to effective security.”

Read the full announcement.

The New Continuous Monitoring Service and the GA of QualysGuard WAF

community-admin@qualys.com — Tue, 25 Feb 2014 15:38:00 +0000

Today at RSA Conference, Qualys announced its new Continuous Monitoring service, empowering customers to continuously monitor mission-critical assets throughout their perimeter and immediately get alerted to anomalies that could expose them to cyber attacks. The service gives organizations the ability to proactively identify threats and unexpected changes in Internet-facing devices within their DMZ, cloud-based environments, and web applications before they are breached by attackers, bringing a new paradigm to vulnerability management.

Hide the remainder of this article

"At Ancestry.com, we have millions of visitors per month and many perimeter devices that we operate to secure against possible attacks,” said Deal Daly, VP of information technology for Ancestry.com. “The Qualys Continuous Monitoring service delivers real-time alerts of security and network configuration issues that we can proactively remediate.”

“The Cloud is expanding the boundaries of the corporate perimeter to include every browser, device or application that touches the Internet, leaving us more exposed to cyber-attacks than ever,” said Philippe Courtot, chairman and CEO for Qualys. “With our groundbreaking Continuous Monitoring service, companies can see their perimeter the way today’s hackers do, so that threats can be identified and addressed before they turn into breaches.”

Read the full release.

Qualys also announced today the general availability of its QualysGuard Web Application Firewall (WAF) service for web applications running in Amazon EC2 and on-premise. Deployed as a virtual image alongside web applications, the QualysGuard WAF can be set up and configured within minutes, enabling organizations to easily provide protection for their websites.

“Companies today are challenged with protecting their websites against attacks and complying with the Payment Card Industry (PCI) standard for transactions on their sites. But many organizations, especially smaller businesses, do not have the expertise or resources to effectively deploy WAFs,” said Charles Kolodgy, Research VP at IDC. “By introducing a lower cost, easy-to-use and deploy WAF cloud solution, Qualys can aid organizations in improving protection of their websites and web applications.”

The QualysGuard WAF cloud service provides rapid deployment of robust security for web applications with minimal cost of ownership, and it is constantly updated with new rules to keep up with application updates and newly emerging threats.

“Large organizations typically have thousands of web applications to protect, while smaller businesses don’t have the resources and IT staff to protect them,” said Philippe Courtot, chairman and CEO for Qualys. “The general availability our WAF service will offer customers the flexibility they need to protect their applications no matter where they reside and whether they have a few or thousands of them.”

Read the full announcement.

Risk I/O Partners with Qualys to Monitor Perimeter Security Risks

community-admin@qualys.com — Mon, 24 Feb 2014 19:16:22 +0000

Risk I/O announced today that it has partnered with Qualys to integrate QualysGuard Vulnerability Management (VM) into Risk I/O, providing perimeter vulnerability scanning for its customers. For businesses that need to understand the vulnerability and threat risks of their organization’s perimeter in real-time, the new integration enables them to sync their vulnerability data with Risk I/O’s threat processing engine, allowing organizations to gain visibility into their most likely vector for a breach.

Hide the remainder of this article

“The addition of perimeter scanning to Risk I/O enables organizations to scan their organization’s perimeter and receive a complete risk analysis in a one stop shop so they can take action quickly and lower their risk of a breach,” said Risk I/O Co-founder and CEO Ed Bellis. “We are pleased to partner with Qualys and integrate our solutions together giving customers a comprehensive solution that will ultimately help them become more secure and avoid data breaches.”

Read the full announcement.

AlgoSec Partners with Qualys

community-admin@qualys.com — Wed, 19 Feb 2014 18:30:18 +0000

AlgoSec, the market leader for Security Policy Management and Qualys today announced their partnership to enable businesses to manage security and risk across their organizations. With the partnership, the latest version of the AlgoSec Security Management Suite includes integration with QualysGuard Vulnerability Management (VM) to aggregate and score vulnerabilities associated with data center applications and their associated physical or virtual servers. This provides customers with unprecedented visibility into the risk levels of data center applications – even as they change - enabling IT and security teams to effectively communicate with business stakeholders so they can “own their risk” by quickly taking the actions needed to mitigate IT security issues.

Hide the remainder of this article

“Today’s cyber-attacks have a direct impact on the bottom line, yet organizations lack the visibility to manage risk from the business perspective,” said Yuval Baron, Chairman, President and CEO, AlgoSec. “By integrating QualysGuard VM with our solution, we are changing this paradigm to provide application-centric vulnerability management, allowing organizations to manage security in the context of business and at the speed of business.”

The AlgoSec Suite, with application-centric vulnerability management is available immediately. The new solution will be demonstrated at RSA at AlgoSec’s booth #427.

To learn more about this solution, join us for a webcast on March 12 at 1pm ET on Managing Risk and Vulnerabilities in a Business Context. Read the full news release.

PathDefender to Deliver QualysGuard Solutions as Part of McAfee Secure Services

community-admin@qualys.com — Tue, 04 Feb 2014 19:05:58 +0000

Qualys today announced a partnership with PathDefender, the operator of the McAfee Secure Services, to provide QualysGuard® security and compliance solutions as part of its McAfee Secure services to make the Internet safer for consumers and businesses.

Hide the remainder of this article

Founded by experts from Intel and McAfee, PathDefender provides security services for tens of thousands of website owners, protecting millions of consumers from malicious online activity. With this partnership, PathDefender will now integrate the QualysGuard Cloud Platform with the McAfee Secure Services delivering customers a full suite of solutions – including Vulnerability Management, Web Application Scanning, Malware Detection, and PCI Compliance – to protect their websites from cyber attacks.

“At PathDefender, we partner with leading security companies in our mission to keep the Internet safe,” said Timothy Dowling, CEO of PathDefender. “We are pleased to add Qualys’ industry leading cloud-based IT security and compliance solutions to the McAfee Secure Services to help our customers protect their websites from the latest threats and achieve PCI compliance, at a price they can afford and with premium customer support.”

Read the full announcement.

Accuvant Partners with Qualys for Continuous Vulnerability Management Solution

community-admin@qualys.com — Mon, 03 Feb 2014 19:25:23 +0000

Accuvant, the Authoritative Source for information security, today announced its partnership with Qualys to launch the Vulnerability Management Solution (VMS), the latest innovative offering in its managed services portfolio.

VMS combines elements of Qualys’industry-leading QualysGuard Cloud Platform with Accuvant’s advanced security expertise and methodologies, providing enterprise-level organizations with a continuous vulnerability scanning and validation service. It enables enterprise organizations to outsource a critical function while ensuring protection so they can focus on other important aspects of their businesses.

“Accuvant has built an impressive portfolio of managed security and consulting services,” said Philippe Courtot, chairman and CEO of Qualys. “QualysGuard augments Accuvant’s offerings with an advanced vulnerability management platform, helping clients secure and protect IT assets on a continuous basis.”

Read the full announcement.