Recently in Product News Category

Qualys and Imperva today announced the integration of Qualys' QualysGuard® Web Application Scanning with Imperva's SecureSphere Web Application Firewall (WAF). This combination gives enterprises an ability to deploy a comprehensive security strategy that delivers powerful protection for business-critical Web applications. Savvis will provide the Qualys-Imperva integrated solution as part of its hosting and Savvis Symphony cloud infrastructure solutions for enterprises.

Trend Micro today expanded its security and compliance coverage through the announcement of a strategic relationship with Qualys, a recognized leader in on demand IT security risk and compliance management solutions. Under the agreement, Trend Micro will repackage and sell the QualysGuard IT Security and Compliance Suite with its Trend Micro™ Enterprise Security compliance offerings to provide a more comprehensive solution for customers worldwide.


Qualys has earned the highest rating - "strong positive" - in Gartner's MarketScope for Vulnerability Assessment (VA).



Today Qualys announced the first certified cloud-based computing solution for FDCC compliance. The new QualysGuard FDCC module, validated by the National Institute of Standards and Technology (NIST) as conforming to the Security Content Automation Protocol (SCAP) and its component standards, provides a centralized, integrated solution leveraging the QualysGuard Software-as-a-Service (SaaS) architecture, helping federal agencies validate the configuration of their desktops according to FDCC regulations.

A new release of QualysGuard PCI version 4.3 is now available in production to help customers prioritize and track PCI compliance efforts, including support for the DSS Prioritized Approach. PCI DSS requires businesses to complete a PCI Self Assessment Questionnaire every 12 months. When completing or editing an SAQ, users now have the option to use the Prioritized Approach, helping merchants identify and focus on areas of high risk as early as possible so users can prioritize compliance efforts.

New features in this release also include:
  • SAQ Wizard. QualysGuard PCI now provides an SAQ Wizard to help customers identify which questionnaire to complete, making it quick and painless to fill out and auto submit the questionnaire to acquiring banks.
  • Ability to Track Progress. Users can prioritize and track their SAQ progress, with the ability to see the percentage of completion per requirement, as well as percentage of compliance per milestone.
For more info on QualysGuard PCI, please visit http://www.qualys.com/solutions/pci_compliance

Network discovery capabilities and the introduction of PCI Connect features highlight the new release.

QualysGuard PCI 4.0 offers merchants and acquirers the following new features:

  • Discovery of live devices to help merchants define systems that are in scope for PCI.
  • Automated referral program where merchants connect directly with partners offering PCI DSS solutions to validate PCI requirements within the Self Assessment Questionnaire (SAQ).
  • Merchants can upload evidence to support SAQ validation in multiple formats including documents and images. This may include reports from log management systems, firewall or other device configuration settings, security policies and procedures, and anything else the merchant wishes to attach to the submission. The merchant can also choose whether or not they want to share that detail with the acquirer.
  • PCI Connect technology partners can provide XML uploads from their solutions for SAQ validation. Such XML data includes a summary of compliance posture for any of the requirements in the SAQ. Technology partners that joined PCI Connect include AirTight Networks, Core Security, Imperva, RedSeal Systems, Splunk and Third Brigade.
  • Acquiring banks have additional security controls of merchants when validating merchants for compliance. This helps acquirers evaluate whether merchants have met PCI requirements and whether sufficient evidence has been submitted for validation.

"QualysGuard PCI 4.0 helps merchants of all sizes better scope their PCI efforts upfront and provides the necessary workflows to connect them with leading PCI DSS solutions in order to complete the SAQ and furnish evidence of compliance. It also provides acquiring banks with a centralized view of the security posture of their merchants and therefore better assessing their risk profile," said Philippe Courtot, CEO and Chairman of Qualys.


For the third year in a row, Qualys Inc. has come out on top in the Vulnerability Management category. QualysGuard Vulnerability Management is the company's automated vulnerability management and network auditing product. Readers were most pleased with its ease of installation, the accuracy with which it identifies vulnerabilities, as well as the breadth of applications and devices covered.


Modulo, a Brazilian company with international operations specializing in solutions for Governance, Risk and Compliance (GRC), has partnered with Qualys to integrate Modulo Risk Manager with QualysGuard. The combined offering provides global companies with a comprehensive security risk and compliance management solution.

The Modulo Risk Manager software automatically receives vulnerabilities and misconfiguration data collected through QualysGuard scans. This data is aggregated in the Modulo Risk Manager allowing users to easily view the data, providing better tracking, risk assessment and compliance documentation.

Through the Qualys and Modulo integration, companies can:
  • Identify and remediate vulnerabilities, improving security and compliance posture
  • Manage and reduce business risk automatically on business assets
  • Automate collection of security and compliance data
  • Document and create reports easily and automatically for laws, regulations and internal policies

"Through this partnership with Qualys, our customers will be able to expand their knowledge of vulnerability and compliance issues within their networks and use this information in their compliance reports," said Fernando Nery, co-founder of Modulo.

Qualys and Archer Technologies have partnered to make QualysGuard® vulnerability management and compliance data available to Archer's Fortune 1000 clients. The integration of QualysGuard with Archer's GRC platform--the Archer SmartSuite Framework--allows clients to automatically import comprehensive scan information from global assets into the Archer Threat Management solution.

Through the Qualys and Archer integration, companies can:
  • Report on vulnerabilities and mis-configurations identified on their assets in one single view.
  • Assign ownership to issues, and track remediation efforts or accept the associated business risk.
  • Deliver real-time risk information via Archer's robust reporting capabilities, allowing management to easily view the severity of vulnerabilities and the affected assets.

"Through our partnership with Qualys, Archer customers will be able to expand their view of vulnerability and compliance issues, making it possible to proactively address potential and existing organizational compromises and expedite compliance reporting," said Julian Waits, vice president of business development for Archer Technologies.

For more information on the QualysGuard integration package for the Archer SmartSuite Framework, visit:
https://exchange.archer-tech.com/offering/1951.aspx

Sourcefire, a Qualys Solution Partner, has integrated the Sourcefire 3D System with QualysGuard. The combination of Sourcefire and Qualys enables organizations to further reduce the number of actionable network threats by leveraging Sourcefire Defense Center to correlate threats detected by Sourcefire's intrusion prevention system against host vulnerabilities identified by QualysGuard. With Sourcefire and Qualys working in tandem, the number of actionable network threats detected by the Sourcefire IPS can be vastly reduced, leading to increased security and lower total cost of ownership (TCO).

"Through our innovative partnership with Sourcefire, customers are able to gain increased insight into the relevancy of attacks, so that they can focus on those threats that matter most," said Wolfgang Kandek, CTO at Qualys.

This integration provides customers with the ability to import QualysGuard scan data into the Sourcefire RNA (Real-time Network Awareness) host database, combining real-time network discovery information with active vulnerability scan data. This enables users to quickly determine if a host is actually vulnerable to a given exploit, saving valuable analysis time.

"Organizations waste a lot of time addressing threats that actually have no impact to their networks," said Martin Roesch, Founder and CTO at Sourcefire. "By combining RNA's real-time network intelligence with Qualys' active scan data, the Sourcefire 3D System can now reduce the number of actionable alerts and allows the customer to focus on the ones that actually impact their environment."

VeriSign and Qualys have formed a strategic relationship to integrate iDefense intelligence with scanning data from QualysGuard Vulnerability Management (VM). This integration drives immediate availability of two new services that combine advanced, in-depth security threat intelligence and vulnerability scanning data, which enables enterprises to protect critical IT assets from compromise or attack, particularly against zero-day threats and vulnerabilities. Zero-day threats are exploitable security vulnerabilities in software that are discovered before the software vendor has identified them and begun a process for patching.

IDC Security Services analyst Irida Xheneti commented: "As security threats and vulnerabilities continue to evolve, organizations are increasingly looking for tools and solutions that will enable them to proactively prioritize and respond to security attacks in a cost-effective way. Through the integration of the VeriSign iDefense security intelligence with the QualysGuard Vulnerability Management solution, organizations will be able to leverage deep security analysis of their respective environment, security intelligence of current threats and vulnerabilities combined with the ability to prioritize actions to vulnerabilities based on asset criticality."

Qualys today announced QualysGuard® PCI Connect, which is the industry's first Software-as-a-Service (SaaS) ecosystem for PCI compliance, connecting merchants to multiple partners and security solutions in order to document and meet all 12 requirements for PCI DSS.

As a new addition to the widely adopted QualysGuard PCI service, PCI Connect streamlines business operations related to PCI compliance and validation for merchants and acquirers all from a combined collaborative application with automated report sharing and distribution. PCI compliance status and tracking is performed on an ongoing basis. Merchants who use QualysGuard PCI Connect can easily identify areas where they may not be meeting compliance requirements. Acquirers who use QualysGuard PCI Connect can easily evaluate whether merchants have met PCI requirements and whether sufficient evidence has been submitted for validation.

QualysGuard PCI Connect offers merchants and acquirers the following benefits:
  • Automates the collection of data for validating PCI DSS compliance
  • Merchants see detailed results including related evidence for all requirements of PCI throughout the entire organization when answering SAQ
  • Provides workflow for merchants to track comprehensive compliance status on an ongoing basis 
  • Open API to work with any security solution or vendor
  • Acquiring bank has additional security controls of merchants when validating merchants for compliance
QualysGuard PCI Connect will be available in July 2009.

New Release Delivers Open APIs, Comprehensive Technology Coverage, Customized Controls with New Advanced Reporting and Search Capabilities.

New and upgraded Policy Compliance 2.0 features and customer benefits include:

  • Open APIs--XML extensible interface allows customers and GRC vendors to programmatically query security and compliance data of systems in scope for compliance initiatives.
  • Comprehensive Control Coverage--Due to overwhelming demand, Qualys has been actively involved in receiving and responding to new control requests for current and new technologies. Policy Compliance 2.0 spans multiple operating systems and applications used within the enterprise with mappings to popular compliance frameworks and regulations.
  • Trending and Compliance Charts--Many security and compliance tools only show snapshots of compliance at a single point in time, whereas Policy Compliance 2.0 enables compliance and security managers to monitor the ongoing effectiveness of their programs with detailed trend reports.
  • Control Cross Reference--IT auditors need to know which compliance configuration and security policies are in effect and what mitigating procedures are initiated when violations occur. Policy Compliance 2.0 includes the ability to 'link' to external content via hyperlink or textual reference, so compliance and security personnel can navigate to the appropriate corporate approved mitigating procedure right from the Qualys interface.
  • User Defined Controls for Registry Values and ACLs--Qualys is developing a series of User Defined Controls or UDCs that enable users to create their own controls dynamically, as needed, without having to submit control requests to Qualys development. Starting with the registry, users can create controls for expected registry values and ACLs.
  • Search and Performance Improvements--By providing a modular approach to security policy creation, Qualys enables customers to build security policies in QualysGuard that are mapped to existing hardened documents already being used in the customer's IT infrastructure. To ease identification of matching controls, Qualys has built in additional search functionality to better enable customers to locate the controls they need.
QualysGuard Policy Compliance 2.0 is available as part of the QualysGuard Security and Compliance Suite on May 26, 2009. QualysGuard annual subscriptions are based on the number of systems scanned and include unlimited number of scans and 24x7 support and updates.

Qualys today announced that Web Application Scanning is now part of the QualysGuard Security and Compliance Suite. QualysGuard WAS delivers automated crawling and testing for custom Web applications to identify the most common vulnerabilities such as those in the OWASP Top 10 and WASC Threat Classification, including SQL injection and cross-site scripting. QualysGuard WAS scales to scan any number of Web applications, internal or external, in production or development environments.

QualysGuard WAS features and customer benefits include:

  • Crawling & Link Discovery -- An embedded Web crawler parses HTML and some JavaScript to extract links. QualysGuard WAS automatically balances breadth and depth of discovered links to crawl up to 5,000 links per Web application.
  • Authentication--QualysGuard WAS incorporates HTTP Basic, Digest and NTLM server-based authentications, as well as Simple form authentication.
  • Black List and White List Enforcement--The application prevents the crawler from visiting black-listed links in a Web application and can instruct the crawler to only visit links explicitly defined in a white list.
  • Performance Tuning--QualysGuard WAS provides granular, user-determined bandwidth level control for parallel scanning to limit impact on application performance.
  • Sensitive Content--The application enables automated expression search for content in HTML, such as a Social Security Number.
  • Workflows for Defining Scans and Reviewing Reports--QualysGuard WAS provides logical scan and reporting workflows for each Web application.

CEO Philippe Courtot stated: "Web application security is the new frontier in security and a big challenge for most organizations. The automated nature of our new Web application scanning solution will allow our customers and partners to get a clear picture of their Web application security with the ability to scan their entire environment at the push of a button."

QualysGuard WAS is available as part of the QualysGuard Security and Compliance Suite on May 26, 2009. QualysGuard WAS annual subscriptions are based on the number of Web application(s) scanned and include unlimited number of scans and 24x7 support and updates.

QualysGuard® PCI 3.1 now supports localized versions of the Self Assessment Questionnaire (SAQ) in all languages provided by the PCI Council as well as localized vulnerability information in Japanese, Chinese and Korean. The localization enables merchants, Approved Scanning Vendors and Qualified Security Assessors to manage the core elements of PCI compliance in their native language. QualysGuard PCI 3.1 includes localization for the following components:

  • Vulnerability Knowledgebase - helps merchants understand the vulnerabilities in their native language and provide remediation steps to fix them - now available in Japanese, Chinese and Korean.
  • Self Assessment Questionnaire (SAQ) - helps merchants understand PCI requirements and fill out the SAQ in their native language - now available from the PCI Council in French, Spanish, German, Portuguese, Italian and Japanese.
  • Online Help - now available in Japanese.
  • E-mail Communication of Important Alerts and Registration Process - now available in all languages.

QualysGuard PCI 3.0, now with a Web Application Scanning (WAS) module, combines the application's traditional compliance scanning, remediation and e-filing capabilities with automated web application scanning. This advancement helps merchants in their efforts to effectively meet requirement 6.6 for maintaining secure web applications. Specifically, the WAS module evaluates web applications before and after deployment. This ensures that the applications are built and maintained in a secure way. Delivered via Software-as-a-Service (SaaS), the WAS module fully automates the scanning of vulnerability types within customized code and allows customers to crawl web applications, identify cross-site scripting vulnerabilities, isolate SQL injection attacks and conduct authenticated and unauthenticated scanning.


Qualys has implemented a new log-in page for QualysGuard. This new log-in page provides information about product enhancements, changes and updates, and shares information about new tools, tips, and techniques for using QualysGuard Vulnerability Management and Policy Compliance features.


QualysGuard Policy Compliance extends QualysGuard global scanning capabilities to collect OS Configuration and Application Access controls from hosts and other assets within the enterprise and maps this information into policies to fix and document compliance with regulations and mandates.

QualysGuard Policy Compliance Benefits:
  • Combined agent-less solution for vulnerability and configuration scanning
  • Rapid global deployment with the QualysGuard Software-as-a-Service (SaaS) delivery model requiring no software to install or maintain
  • Centralized approach to policy definition and management
  • Customizable auditing capabilities for multiple regulatory initiatives and mandates including SOX, HIPAA, GLBA, Basel II and others
  • Comprehensive instructions and audit trails to review and prove compliance with auditors
For more details, please visit:
http://www.qualys.com/solutions/policy_compliance/

QualysGuard 6.0 enables security managers and key organization executives, including business line managers, members of the board and auditors, to get an on demand view of IT security and compliance within the enterprise. QualysGuard 6.0 offers new metrics reporting supported by scorecards and secure, collaborative report distribution workflows which help operations and IT staff to be efficient and communicate effectively with auditors and executive management.

The new Self-Assessment Questionnaire (SAQ) Version 1.1, issued by the Payment Card Industry (PCI) Security Standards Council (PCI SSC) is now available within QualysGuard PCI.  Implementation of the new SAQ allows customers to complete all versions of the questionnaire online and e-file it securely with their acquiring banks.  The SAQ is available at https://www.pcisecuritystandards.org/tech/saq.htm and consists of four unique forms to meet various business scenarios.

The SAQ is for use primarily by Level 2, 3 and 4 merchants (and some smaller service providers), as defined by the major credit-card brands -- Visa Inc., MasterCard Worldwide, Discover Financial Services, American Express and JCB International -- to validate compliance with the PCI Data Security Standards (PCI DSS). The PCI SSC updated SAQ version 1.0 to better align with PCI DSS version 1.1 and created four variants to ensure merchants only answer questions relevant to their environment. Each of the four variants, labeled A, B, C and D, has qualifying questions used to determine which of the four questionnaires a merchant is required to complete.

QualysGuard fully supports all four types of questionnaires, labeled A-D, including the ability to enter online comments for compensating controls, provide a remediation action plan for non-compliant sections, complete attestation of the assessment and electronically sign the SAQ online. More details on the QualysGuard PCI implementation of SAQ 1.1 are available at: http://www.qualys.com/docs/QG_PCI_GSG.pdf within the PCI Questionnaires chapter.