1089 matches found
April 2019 Patch Tuesday – 74 Vulns, 16 Critical, 2 Actively Attacked, 1 PoC Exploit, Adobe Vulns
This month's Patch Tuesday addresses 74 vulnerabilities, with 16 labeled as Critical. Eight of the Critical vulns are for scripting engines and browser components, impacting Microsoft browsers and Office, along with another 5 Critical vulns in MSXML. Two Critical remote code execution RCE...
Qualys Policy Compliance Notification: Policy Library Update
Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS an...
Qualys Cloud Platform (VM, PC) 8.18.1 New Features
The patch release of the Qualys Cloud Platform, version 8.18.1.0-1, includes new support for HashiCorp Vaults as well as for Virtual Scanner Appliance for OCI and OCI-Classic Platforms. Feature Highlights Support for HashiCorp Vaults – This release adds a new vault type that can be used to retrie...
Qualys Cloud Platform (VM, PC) 8.18 New Features
This new release of the Qualys Cloud Platform VM, PC, version 8.18 contains several new features and improvements in Qualys Vulnerability Management and Policy Compliance, which include CertView Vulnerability Scan for EC2 Assets, support for new authentication types to filter vulnerabilities,...
Free Training: New Certified Learning Paths
The Qualys Training team is eager to share all of the recent additions to our free training program, as well as provide insight into what is coming in 2019. You can expect to see regular updates as we continue to improve our training offerings! It is our mission to help Qualys customers and...
PCI & SSL/Early TLS QIDs 38601, 42366
Two QIDs will be marked as PCI Fail on May 1, 2019 as required by ASV Program Guide: QID 38601 “SSL/TLS Use of Weak RC4 Cipher” QID 42366 “SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability BEAST” Last revision of ASV Program Guide ver. 3.1 has the following for SSL/TLS component: “...
Jenkins Plugin v2 for Qualys WAS Now Available
We are pleased to announce that the Qualys WAS Jenkins plugin v2 is now available. This version of the plugin introduces new features to facilitate automation, and a more user-friendly design. What's New? Whereas the previous release of the plugin supported only Jenkins "pipeline" projects, the n...
March 2019 Patch Tuesday – 65 Vulns, 18 Critical, RCEs in DHCP Client, Adobe Vulns
This month's Patch Tuesday addresses 65 vulnerabilities, with 18 of them labeled as Critical. Thirteen of the Critical vulns are for scripting engines and browser components, impacting Microsoft browsers and Office. Three remote code execution RCE vulnerabilities are patched in the Windows DHCP...
Qualys Policy Compliance Notification: Policy Library Update
Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS an...
Qualys Cloud Platform 2.37 New Features
This release of the Qualys Cloud Platform version 2.37 includes updates and new features for Security Assessment Questionnaire and Web Application Scanning, highlights as follows. Security Assessment Questionnaire Manager access to all active campaigns – Questionnaire Manager role now has access ...
Know What’s on Your Network at All Times with Qualys Asset Inventory
Qualys has just launched a global IT asset inventory solution that offers full visibility across even the most hybrid, complex and distributed IT environments, addressing a challenge many security and IT teams face today. When IT directors and CISOs look at their digitally transformed networks,...
February 2019 Patch Tuesday – 74 Vulns, 20 Critical, Exchange 0-day, Adobe Vulns
This month's Patch Tuesday is very large, with 74 vulns being addressed of which 20 are labeled as critical. Fifteen of these critical vulns are in the Scripting Engine and browsers, with the remainder being GDI+, SharePoint, and DHCP. Microsoft also issued an Advisory for an Exchange 0-day, alon...
RunC Container Breakout Vulnerability
Despite the huge advantages that containers offer in application portability, acceleration of CI/CD pipelines and agility of deployment environments, the biggest concern has always been about isolation. Since all the containers running on a host share the same underlying kernel, any malicious cod...
Assess Vulnerabilities, Misconfigurations in AWS Golden AMI Pipelines
Today we’re starting a blog series focused on how to integrate Qualys solutions into DevSecOps for securing cloud infrastructures. In this initial post, we’ll discuss the importance of assessing vulnerabilities and misconfigurations on AWS pipelines. When developing golden Amazon Machine Images...
Qualys Policy Compliance Notification: Policy Library Update
Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS an...
Qualys Cloud Platform 2.36 New Features
This release of the Qualys Cloud Platform version 2.36 includes updates and new features for AssetView Cloud Assets and Cloud Agents and Web Application Scanning, highlights as follows. AssetView Rules for Cloud Assets and Cloud Agents Rule-Based Method to Purge/Uninstall Cloud Assets and Cloud...
Policy Compliance Adds UDC Support for Cloud Agent
Qualys is extending the Cloud Agent capabilities for users of the Policy Compliance PC application by letting them define controls. Until now, the Cloud Agent could only assess Qualys PC’s “out of the box” controls. By adding support for user defined controls UDC, Qualys PC users now can use Clou...
Qualys Cloud Platform (VM, PC) 8.17 New Features
Qualys Cloud Platform VM, PC version 8.17 contains various feature enhancements in Qualys Vulnerability Management and Qualys Policy Compliance. In addition, this release also lowers the time required before pausing or canceling an ongoing scan. Previously, scheduled scans could be cancelled or...
mod_ssl Bug and SSL Labs Renegotiation Test
Update February 20, 2019: To give more time to fix, we will re-enable the SSL Labs Renegotiation Test on March 11, 2019 two additional weeks. The Apache Security Team fixed a bug which triggers whenever a client attempts renegotiation with Apache HTTP Server 2.4.37 and OpenSSL 1.1.1. This bug...
Qualys Cloud Platform (VM, PC) 8.16 New Features
This new release of the Qualys Cloud Platform VM, PC, version 8.16, contains several new improvements in Qualys Vulnerability Management and Qualys Policy Compliance, which includes new password security option, increased limit for virtual hosts that can be added to a subscription, added support...
Qualys Policy Compliance Notification: Policy Library Update
Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS an...
Detecting Insecure Cookies with Qualys Web Application Scanning
Cookies are ubiquitous in today's modern web applications. If an attacker can acquire a user's session cookie by exploiting a cross-site scripting XSS vulnerability, by sniffing an unencrypted HTTP connection, or by some other means, then they can potentially hijack a user's valid session...
Container Security Becomes a Priority for Enterprises
Among the IT innovations that businesses are using to digitally transform operations, containers might be the most disruptive and revolutionary. “They’re a real game changer,” Qualys Chief Product Officer Sumedh Thakar said at QSC 2018 in Las Vegas. DevOps teams have embraced containers because...
January 2019 Patch Tuesday – 47 Vulns, 7 Critical, Adobe Vulns
This month's Patch Tuesday is medium in size, with 47 vulns covered and only 7 labeled as Critical. Twenty-six of the vulns apply to Windows Servers and Workstation operating systems. Two of the Criticals apply to Hyper-V and could lead to RCE on the host system. Microsoft also issued and...
New Frontiers In Cryptojacking
Tejas Girme & Rishikesh Bhide of Qualys Malware Research Labs present “New Frontiers in Cryptojacking” at the 21st Anti-Virus Asia Researchers International Conference AVAR 2018 in Goa, India. Cryptojacking attacks are evolving over time to better evade detection by both end users and protection...
December 2018 Patch Tuesday – 39 Vulns, Workstation Patches, Adobe Vulns
This month’s Patch Tuesday addresses 39 vulnerabilities, with 9 of them labeled as Critical. Out of the Criticals, most are browser-related, with the rest including Windows, and .net Framework. A Privilege Escalation vulnerability exists in Windows kernel which has been exploited in wild. Adobe...
Global IT Asset Inventory: The Foundation for Security and Compliance
Pablo Quiroga, Qualys’ Director of Product Management for IT Asset Management, talks about the new Asset Inventory solution When IT directors and CISOs look at their digitally transformed networks, they encounter many shadows that their legacy enterprise software tools can’t illuminate. These bli...
Capital One: Building Security Into DevOps
Capital One prides itself on staying at the forefront of IT innovations to give its business a competitive edge. For example, it adopted Agile software-development methodologies years ago, and uses artificial intelligence and machine learning. It was the first bank to implement a mobile wallet wi...
Infosec Teams Race To Secure DevOps
With DevOps adoption spreading, infosec teams are scrambling to address the new security challenges stemming from DevOps’ accelerated code development and app deployment. But while IT organizations have made notable progress adapting security to their DevOps processes, work remains to be done...
Qualys Cloud Platform 2.35 New Features
This release of the Qualys Cloud Platform version 2.35 includes updates and new features for AssetView, Cloud Agent, Security Assessment Questionnaire, and Web Application Scanning, highlights as follows. Note: this post has been edited after publishing to remove the Rule-Based Method to...
QSC18 Takeaway: Complex Environments Demand Visibility and Real-Time Security
If there were two important takeaways from this year's Qualys Security Conference year they would be how today’s complex hybrid environments are demanding security teams find ways to increase visibility into the state of their security posture and be able to quickly mitigate new risks as they...
SSL Labs Grade Change for TLS 1.0 and TLS 1.1 Protocols
Update 11/30/18: Now live on ssllabs.com: In Configuration-Protocols section “TLS 1.1” text color will be changed to Orange by end of November 2018 TLS 1.0 and TLS 1.1 protocols will be removed from browsers at the beginning of 2020. As there are no fixes or patches that can adequately fix SSL or...
QSC18: API Security, Enabling Innovation Without Enabling Attacks and Data Breaches
Without APIs, it would be near impossible to see enterprises being able to digitally transform themselves. After all, APIs are the connective-tissue between applications and systems and they make the management, automation and consumption of technology possible at scale. APIs are what enable...
QSC18 Day 1 Takeaway: Continuous Transformation Demands Continuous Security
The first day of Qualys Security Conference 2018 was a big one. Both CEO Philippe Courtot and Qualys chief product officer Sumedh Thakar detailed the challenges faced by many of today’s enterprises when it comes to the growth of cloud and the complexity of their hybrid environments. And they shar...
QSC18: The Need for Security Visibility in the Age of Digital Transformation
Enterprises are moving full steam ahead when it comes to their digital transformation efforts. They’ve aggressively adopted cloud infrastructure and other cloud services, IoT, application containers, serverless functionality, and other technologies that are helping their organization to drive...
November 2018 Patch Tuesday – 62 Vulns, TFTP Server RCE, Adobe PoC
This month's Patch Tuesday addresses 62 vulnerabilities, with 12 of them labeled as Critical. Out of the Criticals, 8 are for the Chakra Scripting Engine used by Microsoft Edge. A Remote Code Execution vulnerability in Windows Deployment Services' TFTP server is also addressed in this release...
Welcome to Qualys Security Conference 2018
The rise of cloud computing coupled with DevOps is forcing enterprises to rewrite their cybersecurity playbook, and part of that book will be written this week at Qualys Security Conference 2018 in Las Vegas. Today, the dual cloud and DevOps mega-trends are helping companies to digitally transfor...
Bluetooth Chip Bugs Affect Enterprise Wi-Fi, as Hackers Exploit Cisco 0-Day
In this latest roundup of cyber security news, we look at serious Bluetooth chip-level bugs, a zero-day vulnerability on Cisco software, a raft of Apple security fixes, and a massive customer data breach at Cathay Pacific. Enterprise Wi-Fi access points vulnerable to Bluetooth bug A pair of...
Don’t Overlook Qualys Malware Detection
Cyber criminals are constantly looking for opportunities to infect legitimate websites with malware. They can use infected websites to cryptomine, steal data, hijack systems, deface pages, and do other damage to harm a company’s reputation and impact their users. This can result in lost revenue,...
Threat Hunting: Adoption, Expertise Grow, but Work Remains
Threat hunting, an often misunderstood but powerful security practice, is gaining traction, as more organizations reap benefits from it and get better at it. However, there is still a lot of room for adoption to increase and for practices to improve. Those were key findings from the SANS...
Apple, Amazon in a Tussle with Bloomberg over Spy Chips Report
In our latest security news digest, we delve into the brouhaha over Chinese spy chips, check out the latest in Facebook's investigation of its recent hack, and look at Google's controversial decision to delay disclosing a potential data breach. Bloomberg's spy chip report stuns tech industry, the...
Qualys Broadens Security Offerings for Azure
Qualys is expanding its security and compliance capabilities for Microsoft Azure, by adding protection for the on-premises Azure Stack and extending capabilities for public cloud deployments. By using Qualys’ platform to defend hybrid IT environments, organizations get a unified view of their...
PCI & QID 38598 “Deprecated Public Key Length”
QID 38598 “Deprecated Public Key Length” will be marked as PCI Fail as of November 1, 2018 in accordance with its CVSS score. Under PCI DSS merchants and financial institutions are required to protect their clients' sensitive data with strong cryptography. Strong cryptography is defined in the...
October 2018 Patch Tuesday – 49 Vulns, Critical browser patches, Hyper-V, Adobe vulns
In this month’s Patch Tuesday release there are 49 vulnerabilities patched with 12 Criticals. Out of the criticals, over half are browser-related, with the rest including Hyper-V and MSXML Parser. Microsoft Exchange covers CVE-2010-3190 which was not identified as in-scope product when originally...
Stronger Security with Global IT Asset Inventory
On a Friday afternoon before a long holiday weekend, a company’s security operations center receives a potentially serious alert: It appears that a domain controller has been tampered with. After examining event logs and overlaying network traffic, a SOC analyst confirms that a suspicious system...
Hackers Exploit Facebook Bug, As Twitter DMs (Maybe) Got Misrouted
In our latest security news digest, we check out the Facebook hack heard 'round the world, a Twitter bug that rattled users but may not amount to much, and a pair of serious Linux kernel vulnerabilities. Facebook scrambles to investigate major breach affecting tens of millions of users The cyber...
Qualys Cloud Platform 2.34.1 New Features
This release of the Qualys Cloud Platform version 2.34.1 includes updates and new features for Cloud Agent & AWS EC2 Connector, AssetView, CloudView, and Security Assessment Questionnaire, highlights as follows. Cloud Agent & AWS EC2 Connector Automatic Merge of Cloud Agents running in Amazon Web...
Qualys Cloud Platform 8.15.2 New Features
Patch release of Qualys Cloud Platform, version 8.15.2, includes new support for Apache instance auto-discovery in Qualys Policy Compliance. Policy Compliance Apache Instance Auto-Discovery – This new feature in Qualys PC enables automatic discovery of Apache during compliance scans. Once one or...
Qualys Helps Consultants, MSPs Deliver World-Class Security Services To Mid-Size Customers
With the newly available Qualys Consulting Edition, consultants and MSPs can now individually manage their mid-market client networks, keeping data separate and organized. This lets them offer their clients tailored, personalized services, with valuable insights and recommendations for threat...
September 2018 Patch Tuesday – 61 Vulns, FragmentSmack, Hyper-V Escape
In this month’s Patch Tuesday release there are 61 vulnerabilities patched with 17 Criticals. Out of the criticals, most are browser-related, with the rest including Windows, Hyper-V, and .net Framework. A vulnerability CVE-2018-8475 in Windows' image parsing has been publicly disclosed, in...