InternetNews.com reports on the PCI Security Standards Council latest version 1.2 of PCI Data Security Standards, or PCI-DSS available for merchant use beginning Oct. 1. The Council says version 1.2 will "not introduce any major new requirements" and will only "introduce clarifying items." The clarifications include:

• Addition of monitoring capabilities for removable electronic media, e-mail, Web, laptops It also adds monitoring capabilities for removable electronic media, e-mail, Web, laptops and PDAS.
• Wired Equivalent Privacy, or WEP wireless security protocol dropped in favor of the newer IEEE 802.11x standard.
• Tightening of security requirements for employees of companies the PCI-DSS governs.
• Security policy requiring employees to acknowledge that they have read and understood their security policy and procedures at least once a year.
• New wireless networks implementations cannot use WEP implementations after March 31, 2009 and current implementations must get rid of WEP by June 30, 2010.

Sumedh Thakar, PCI solutions manager at Qualys, told InternetNews.com he welcomes these changes because a vulnerability scan is more doable and less expensive than going through your source code.  Instead of having to go through possibly millions of lines of source code, companies can run a scan then focus on detected vulnerabilities in the code and remedy those. Another change that Thakar likes is the Council's formally ruling out the use of WEP, which has, since 2001, been known to be easy to crack. "The standard has always recommended that WEP not be used, but now they're putting in a timeline," added Sumedh.

Read Article

Qualys has implemented a new log-in page for QualysGuard. This new log-in page provides information about product enhancements, changes and updates as well as share information about new tools, tips, and techniques for using QualysGuard Vulnerability Management and Policy Compliance features.

Log-on

Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 11 new vulnerabilities present in Microsoft Windows. Customers can immediately audit their networks for these and other recent vulnerabilities by accessing their QualysGuard subscription.

Microsoft released on August 12, 11 security patches to fix newly discovered flaws in Microsoft Windows. The Qualys Vulnerability R&D Lab has released the following checks for these new vulnerabilities, including:

• Microsoft Access Snapshot Viewer ActiveX Control Vulnerability
• Microsoft Word Could Allow Remote Code Execution
• Microsoft Excel Could Allow Remote Code Execution
• Microsoft Office Filters Could Allow Remote Code Execution
• Microsoft Internet Explorer Cumulative Security Update
• More...
  

Read Alert

Related Coverage:
Microsoft Fixes IE, Office in Big Month of Security Updates, by Elizabeth Montalbano, IDG News Service
Microsoft Issues Massive Security Update for Windows, by Greg Keizer, Computerworld

eWeek has posted the latest markeshare predications from Gartner. Findings point to SaaS marketshare which is expected to grow in several security segments over the next five years, notably in areas such as remote vulnerability assessment, which the firm predicted will jump from 10 percent to 30 percent by 2013.

"Messaging security is the big area now," said John Pescatore, an analyst with Gartner. "I think Web security -- both protecting Web servers, and also protecting users and browsers -- will grow fast. Vulnerability assessment has already started to grow as a service, so has DDoS prevention."

Vulnerability assessments provided by vendors such as Qualys are a good fit as a cloud-based service, as they can be done efficiently from the cloud and typically don't require any deep knowledge of business-specific aspects, like what an application actually does, Pescatore contended.

Click here to read full eWeek story 

Location: Caesars Palace - Absolut Suite, Roman Tower #1361
When: Tuesday, August 5th (7-11pm)

Qualys is inviting its customers & partners attending Black Hat 2008 to mix and mingle in the intriguingly hip setting of the infamous Absolut® Suite at Caesars Palace for a night of drinks and entertainment.

RSVP on-line to gain access to this illustrious occasion and register to WIN a Wii or a bottle of Absolut flavor. Click here to learn about the famous Absolut suite. 

Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 4 new vulnerabilities present in Microsoft Windows. Yesterday's Microsoft Patch Tuesday marks a first - a synchronized industry wide effort for the patching of a common vulnerability. Customers can immediately audit their networks for these and other recent vulnerabilities by accessing their QualysGuard subscription.

Microsoft released in July, 4 security patches to fix newly discovered flaws in Microsoft Windows. The Qualys Vulnerability R&D Lab has released the following checks for these new vulnerabilities, including:

• DNS Could Allow Spoofing
• Microsoft Windows Explorer Remote Code Execution Vulnerability
• Microsoft Outlook Web Access for Exchange Server Elevation of Privilege
• Microsoft SQL Server Could Allow Elevation of Privilege

Read Alert

Coming Soon -- the next update on Qualys® Vulnerability R&D Lab takes place August 12th.

Alex Pinchev has become the latest member to join the Qualys board of directors. Pinchev who is Red Hat's president of global sales, services and field marketing had this to say -- "Qualys has demonstrated significant traction and industry leadership through its successful SaaS delivery model and most recently with its integrated QualysGuard® Security and Compliance Suite. I look forward to working with the Qualys executive team and its board members to help drive on-demand security innovation."

Read More

Doug Spaw, network engineer for VSR Financial Services, wanted to achieve effective and efficient IT security and risk mitigation while ensuring regulatory compliance for the organizations 80,000+ clients and 300+ registered users.  

"We selected QualysGuard because of the simplicity of its SaaS model. You set it up, and it just works," stated Doug.  "We rely on QualysGuard Express to scan more than 128 IP addresses, which includes our internal servers and systems as well as all of the company's Internet-facing devices. The reports from these assessments are very detailed, which helps us to resolve any issues we find quickly."

QualysGuard will also keep VSR Financial Services prepared for all possible future regulations that will affect the broker/dealer industry. To read more about how Doug addresses threats without the substantial cost, resource demands, and deployment hassles associated with traditional software scanners, visit:
http://www.qualys.com/docs/customers/casestud/VSR.pdf

Information Security reporter, Neil Roiter speaks with the director of the information security architecture group, Victor Hsiang of TransUnion.  Victor shares how the Qualys Software-as-a-Service (SaaS) model has enabled TransUnion, a global consumer credit reporting bureau, to streamline and easily extend its vulnerability management program to many locations.

"The product approach requires individual purchases of the license at each location, purchasing a platform to load licenses on and administration of that platform, then the care and feeding of it," says Victor Hsiang, director of TransUnion's information security architecture group. "With the service approach, from a corporate perspective, we can pick up the cost of Qualys and absorb the business units into the whole process."

Hsiang will beta test the Policy Compliance module at TransUnion, and expects it to integrate with his group's program of using the vulnerability management service and a central database to certify systems through a cycle of vulnerability scanning, ticketing and remediation.

"We won't have to reinvent the wheel; the compliance module fits into the architecture we've developed for tracking and fixing vulnerabilities," says Hsiang.

Click here to read full interview.

QualysGuard Policy Compliance extends QualysGuard global scanning capabilities to collect OS Configuration and Application Access controls from hosts and other assets within the enterprise and maps this information into polices to fix and document compliance with regulations and mandates.

QualysGuard Policy Compliance Benefits:

• Combined agent-less solution for vulnerability and configuration scanning
• Rapid global deployment with the QualysGuard Software-as-a-Service (SaaS) delivery model requiring no software to install or maintain
• Centralized approach to policy definition and management
• Customizable auditing capabilities for multiple regulatory initiatives and mandates including SOX, HIPAA, GLBA, Basel II and others
• Comprehensive instructions and audit trails to review and prove compliance with auditors

For more details, please visit:
http://www.qualys.com/solutions/policy_compliance/

QualysGuard 6.0 enables security managers and key organization executives, including business line managers, members of the board and auditors, to get an on demand view of IT security and compliance within the enterprise. QualysGuard 6.0 offers new metrics reporting supported by scorecards and secure, collaborative report distribution workflows which help operations and IT staff to be efficient and communicate effectively with auditors and executive management.

The new Self-Assessment Questionnaire (SAQ) Version 1.1, issued by the Payment Card Industry (PCI) Security Standards Council (PCI SSC) is now available within QualysGuard PCI.  Implementation of the new SAQ allows customers to complete all versions of the questionnaire online and e-file it securely with their acquiring banks.  The SAQ is available at https://www.pcisecuritystandards.org/tech/saq.htm and consists of four unique forms to meet various business scenarios.

For use primarily by Level 2, 3 and 4 merchants (and some smaller service providers), as defined by the major credit-card brands -- Visa Inc., MasterCard Worldwide, Discover Financial Services, American Express and JCB International -- to validate compliance with the PCI Data Security Standards (PCI DSS). The PCI SSC updated SAQ version 1.0 to better align with PCI DSS version 1.1 and created four variants to ensure merchants only answer questions relevant to their environment. Each of the four variants, labeled A, B, C and D have qualifying questions used to determine which of the four questionnaires a merchant is required to complete.

QualysGuard fully supports all four types of questionnaires, labeled A-D, including the ability to enter online comments for compensating controls, provide remediation action plan for non-compliant sections, complete attestation of the assessment and electronically sign the SAQ online. More details on the QualysGuard PCI implementation or SAQ 1.1 are available at: http://www.qualys.com/docs/QG_PCI_GSG.pdf within the PCI Questionnaires chapter.

Just released - "Dummies Guide to Vulnerability Management" in conjunction with publisher John Wiley & Sons. This VM handbook is an easy-to-read and informative guide designed to educate and explain the essentials of vulnerability management, educating readers on selecting the right tools to manage vulnerabilities automatically ensuring that their networks are safe from attacks. In five succinct parts, the book leads readers through a basic understanding of vulnerability management and provides a guide to essential best practices, the various options available, the pros and cons of automated vulnerability management as well as a valuable 10-point checklist for removing existing vulnerabilities in the network. 

To download a free copy, visit http://www.qualys.com/dummies.

Cisco's Doug Dexter, Michael Mucha of Stanford Hospital and Gartner analyst Mike Nicolett in an informative program focused on Security Risk and Compliance Best Practices addressing the vulnerability management lifecycle and technology, security configuration assessments.

See and hear Doug and Michael's approach with insight from Mike Nicolett of Gartner for implementing vulnerability management and the results it has produced for their security organizations. 

To view video, go to: http://www.qualys.com/gartnervideo

"The biggest thing we focus on with all of this is control of the data," says Michael Mucha, chief information security officer for Stanford Hospital in Palo Alto, Calif., which uses several clinical applications that are delivered as a service, including transcription, and radiology and analysis systems. Given that health care is by far the most regulated industry he has worked in, Mucha has created a standardized checklist for his technical assessment of any application delivered via the SaaS model. Among the most critical of those items include whether or not the service provider complies with SAS 112 audit requirements (which applies to nonprofits), how it documents its procedures for handling a security breach, and how it handles requests for changes and customized features, Mucha says.

Even more important will be the simple policies that a SaaS provider uses among its staff to protect your data. "We have complete access to the data, and we are the only ones with control of the authentication," Mucha says. "The point is that you need a consistent approach to all these situations."

"SaaS opened our eyes to a new way of doing things. With QualysGuard, we didn't need to install any software or infrastructure. QualysGuard runs on Qualys' own secure global infrastructure, so we run security audits on-demand over the Internet with a standard Web browser. The application automatically finds all vulnerabilities on our local and remote network, provides directions to our IT staff for remediation, and submits PCI audit reports to our acquiring banks."

Mike Vizard of eWeek interviews Paul Simmonds of the Jericho Forum, and former CISO at chemical manufacturer ICI.

The case for managed security services is being made every day. Given the uncertain state of the economy, many companies are looking to security as a service to drive down costs and boost return on investment of security IT. In addition, according to Paul Simmonds, most IT managers don't have the time or the staff, and users don't exercise enough responsibility, to make managing security in-house an efficient and safe option. Managed security services may also help prevent spammers or Internet criminal organizations from compromising a company's desktops and servers.

Click here to listen to podcast.

Eric Green and Philippe Courtot discuss Software-as-a-Services (SaaS) and the future of the software industry in general.

Click here to listen to interview.

At this years 6th Annual Qualys SaaS Security Conference, top security professionals from around the world joined together May 15 & 16, 2008 at the Palace Hotel in San Francisco, California for an information packed 2-day event.   

CSOs, network and security professionals were introduced to executives from Gartner, Cisco, CNET, Med Immune and Sodexo who provided insight into their use of Qualys' solutions and shared best practices for deploying vulnerability management offerings, integrating with managed services platforms and ensuring regulatory and operational compliance.

Qualys CEO Philippe Courtot connected with Qualys customers to listen to their views while taking feedback on the critical issues impacting their security organizations today. He stated: "QSC was created specifically to engage directly with our customers.  It allows us an opportunity to hear customer insight that could shape our future roadmap as we build the next generation of security Software-as-a-Service (SaaS) solutions."

New Software-as-a-Service (SaaS) Suite Addresses the Convergence of IT Security and Policy Compliance to Reduce Complexity for Auditors, Security Professionals and Executive Management. 

Qualys recently introduced the QualysGuard® Security and Compliance Suite, a suite of SaaS products aimed at helping global organizations to better manage the operational challenges and costs associated with securing their IT infrastructure, and complying with the ever increasing set of regulations.

Read More

The QualysGuard on demand platform was voted Best Audit and Vulnerability Solution for the second consecutive year by SC Magazine. The SC Magazine Reader's Trust Awards recognize the best products, services and security teams in the industry over the past year as decided by a panel of judges and readers of SC Magazine. The Best Audit and Vulnerability Solution category included a number of vendors in the vulnerability assessment and patch management space, with top honors going to Qualys' for its flagship Software-as-a-Service (SaaS) QualysGuard solution, the industry's first on demand platform for security risk and compliance management.

Read More

For the second consecutive year, QualysGuard® Enterprise was voted the 2008 Readers' Choice Gold Award winner, by readers of Information Security™ magazine and SearchSecurity.com™ in the vulnerability management category. The award honors come on the heels of Qualys' release of the first integrated Software-as-a-Service (SaaS) solution for security and compliance.

Read More

Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 4 new vulnerabilities present in Microsoft Windows. Customers can immediately audit their networks for these and other recent vulnerabilities by accessing their QualysGuard subscription.

Microsoft released in June, seven security patches to fix newly discovered flaws in Microsoft Windows. The Qualys Vulnerability R&D Lab has released the following checks for these new vulnerabilities, including:

• Microsoft Windows Bluetooth Stack Could Allow Remote Code Execution
• Cumulative Security Update for Internet Explorer
• Cumulative Security Update of ActiveX Kill Bits
  
• Vulnerabilities in DirectX Could Allow Remote Code Execution
• Vulnerability in WINS Could Allow Elevation of Privilege
• More...

Read Alert

Coming Soon -- the next update on Qualys® Vulnerability R&D Lab takes place July 8th.

Listen to Podast: http://www.eset.com/podcasts/ESET050208_SQL_P2.mp3

Whether you want to maximize your skills, productivity or security knowledge, Qualys' complimentary training and certification programs can help you achieve your goals. Qualys offers a wide variety of courses -- both online and live workshops. To register for an event in your area, and the complete list of upcoming events, click here.