Recently in Special Features Category

Missed Wednesday's RSA keynote? Check out Philippe Courtot's keynote in its entirety as he discusses "Changing Security as We Know It: Our Destiny is in the Cloud"

View Interactive Webcast

BT's SecureThinking: SecureCompliance blog features a new article from Qualys VP of Product Marketing Terry Ramos titled "PCI Compliance is Still a Myriad of Tough Choices on the 'Journey' Towards Compliance." The article discusses how organizations that process, store or transmit credit card data must employ a continuous process to achieve and maintain PCI compliance.

Click here to read the story. Terry Ramos is also the co-author of "PCI Compliance for Dummies."
By Alessandro Perilli, CISSP, Founder and Chief Editor, virtualization.info
Virtualization and Security Expert Alessandro Perilli discusses the future of cloud computing and its security implications.

The data centers of tomorrow will be computing clouds - massive aggregations of resources that are served inside geographically dispersed computers. As customers put their data into these clouds, they don't have to buy the software to manipulate and process their data anymore. They just pay for the time the cloud is used to perform a certain task with their data.
But who will secure these clouds? This piece will discuss the future of computing and its impact on security.

Click here to read the full article.

I believe that the SaaS and Cloud Computing revolution holds the potential to benefit everyone in the software industry, and all who rely on it for their business. For instance, we in the industry are well aware that software is evolving too quickly to keep up. It's a never-ending process of software enhancements, upgrades, security fixes, and new installations. And, few would disagree that there are too many vulnerabilities affecting too many applications. In this disorder, most of the burden has fallen on the shoulders of organisations that have had to dedicate extraordinary resources to patch and mitigate the security holes.

Here is an interesting statistic that reveals the magnitude of the challenge. According to Qualys' The Laws of Vulnerabilities 2.0 research, companies take an average of 59 days to patch their vulnerabilities. Five years ago, that number was 60 days. That's a reduction of one day in the past five years. When one considers all the effort and automation that has gone into patch management in the past five years, that's not much in the way of improvement. And this shows not just how steep the challenge is, but just how broken the current ecosystem of traditional software is.

The SaaS approach
Fortunately, the SaaS and Cloud Computing models are positive disruptions on the infrastructure of both private networks and the Internet. Unlike when individual organisations patch (work that must be duplicated for every installation), when SaaS vendors update their software applications, all of their customers are patched instantaneously as well. Because of this simple fact, many of the security problems that plague today's business-technology systems - such as patches and software misconfiguration issues - are solved. Thus, in this, and many other ways, the burden of maintaining a secure application largely is transferred from the software user to the provider. The effect of proper patching is amplified throughout all the IT systems the SaaS and cloud providers touch.

For many years it was thought that SaaS would be destined just for SMEs, but today we know that this isn't so; the advantages of cost reductions in staff and infrastructure are as valuable to the large corporate as to the small or mid-sized business, particularly in the current economic climate. Cloud Computing offers a delivery model that scales and can reach out to millions - that's the power of the Internet. Once the infrastructure or data centre has been built, the cost of adding additional services is minimal, and hence the service provider can offer aggressive prices because the overall cost of the infrastructure and the specialist personnel to man it can be amortised over a large number of users.

Another massive advantage for customers of SaaS is that it puts the power in the hands of the buyer. They can 'try and buy' solutions with ease and of course they are at liberty to switch vendors if their services don't come up to scratch. What's more, whilst vendors have traditionally focused on the enterprise as the customer for hardware and software, the data centre owners will gradually become key customers for the future.

Resistance is Futile

Some still are fighting the shift to SaaS and Cloud Computing. But, I don't believe that resistance to the transformation of on-premise business IT to cloud-based computing is a viable option. Not for long. The business benefits, cost savings, and reduction in complexity are just too compelling for businesses to overlook. Actually, today, the strongest resistance we see is emanating from IT departments, and IT security staff - mainly out of fear of what might happen if one were to lose control of data. But the reality is that businesses have already lost control of data, as evidenced by the constant security breaches that we read about in the media on an almost daily basis. By putting the data in one place it is easier to control access to it. Security in the cloud will follow the pattern of banking, where we are comfortable withdrawing our cash from the convenience of an ATM, over the Internet or via our mobile, and leaving its security to be dealt with by the experts. Nevertheless, despite reservations from IT, businesses will march forward, because the business has no choice but the path that simplifies many of today's IT complexities. And in this, the primary - and strategic - role of IT security will be successfully and securely managing the privacy and security risks associated with data living in the cloud.

While the visible shift to Cloud Computing to date has been the movement of applications and data to the cloud, it's not going to stop there. Soon, the day will come when companies outsource not only their software but their network infrastructure, as well. One day, almost everything we do on private networks - manage information, applications, infrastructure, and services - will be accessible instantly and securely from anywhere and from any Web browser. It's time to prepare.

Full Article
Cloud Cover by Matt Vilano

Data security used to be all about spending big bucks on firewalls to defend data at the network perimeter and on antivirus software to protect individual computers. Internet-based computing, or cloud computing, has changed all that, at the same time expanding exponentially the chances for data thieves and hackers.
 
The cloud creates other opportunities too: a handful of security vendors now deliver security as a service--a one-two punch of hardware and software that monitors and manages an enterprise's data security and bills customers only for the computing power they use. "For years, security was about big companies pushing technology to their customers," says Qualys CEO and founder Philippe Courtot. "Now it's about the customers pulling precisely what they need and providing them with those resources on demand."
 
Under the old paradigm, according to Courtot, enterprises overspent for stand-alone security devices that became unruly and difficult to operate over the long term. He says Qualys attacks the flaws in this strategy by streamlining security and tackling most of the service delivery through the cloud. "We control the infrastructure, software updates, quality assurance and just about everything in between," he says.
 
Much of the company's current revenue--sales topped $50 million last year--is being driven by a set of standards established by the Payment Card Industry Security Standards Council (PCI SSC), a trade organization composed of credit-card companies. The standards were created in 2006 to help organizations that process card payments prevent fraud by tightening controls around customer data. One of those controls: a quarterly audit for network vulnerabilities by a firm from a list of approved vendors that includes Qualys. Analysts estimate that the PCI standards have generated at least $2.5 billion for security vendors in the U.S. "It's been a major driver of business for all of them, especially Qualys," says Avivah Litan, a vice president and analyst at market-research firm Gartner. "When everyone has to comply, there's a lot of work to go around."
 
Qualys aims to increase the depth of its vulnerability-scanning services, reaching further into networks by auditing servers that host and operate certain Web applications for self-propagating virus programs known as malware. It released a special QualysGuard module in April 2008 to achieve this objective. After a series of acquisitions this summer, an improved version will probably be forthcoming in the next 12 to 18 months. "Because of the Internet, the enterprise network is disappearing, and companies need to be ready to protect what's left," Courtot forecasts. Security as a service, it turns out, is a pretty legit business.

Full Article
A new bi-annual report from security experts TippingPoint®, SANS Institute and Qualys® highlights the most significant attacks over the last six months, as well as the vulnerabilities these attacks exploit and how they can harm business. The report shows that many businesses are still extremely vulnerable to security attacks that can damage brand reputations and business operations. It helps businesses to review their defenses and ensure networks are up to date and able to quickly respond to today's emerging attacks.

Key findings of the Top Risks Report include:

  • Unpatched popular client-side applications put businesses at risk for data theft: PC applications often remain unpatched, leaving these machines open to compromise and to being used to propagate attacks against internal computers. This leaves a window open for hackers to steal critical data, impact network performance and affect business continuity. Examples of these applications include Adobe Acrobat Reader, Microsoft Office and Apple QuickTime.
  • The number of Web application attacks is increasing, elevating the threat posed by previously trusted Web sites: Web applications comprise more than 60 percent of the total attack attempts occurring on the Internet. These vulnerabilities are being exploited widely to convert trusted Web sites into malicious servers serving client-side exploits.
  • Operating system vulnerabilities are decreasing, but still pose a significant threat to an organization's security resources: Operating systems (OS) have a lower number of vulnerabilities that can be remotely exploited to become massive Internet worms. The Conficker/Downadup is the exception and represents a major hole in many organizations' security strategy. Attacks on Microsoft OS were dominated by Conficker/Downadup worm variants. For the past six months, over 90 percent of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in the Microsoft Security Bulletin MS08-067.
  • A growing number of vulnerability researchers is causing a backlog of unpatched software and a greater risk that these will be exploited: The number of people discovering zero-day vulnerabilities is growing fast, yielding a growing number of vulnerabilities that remain unpatched - some for as long as two years. This lag time in patching increases the chance of hackers creating exploits targeting those vulnerabilities.
Full Report
By Philippe Courtot, Chairman and CEO, Qualys

The software industry is entering another age of astonishing innovation. It's a time when not only is software advancing at an astounding rate, but so are hardware devices - where power is increasing as quickly as size is decreasing. This is making software and computing power near ubiquitous.

Consider this: a handful of years ago, few would have believed that customer relationship management software would have moved almost completely to the cloud. Or that Lotus Notes, that gray old lady of IT, would have made the jump as well. Even among the proponents of cloud computing, few believed corporate software and data wanted to be liberated so quickly - and make itself readily available anywhere, anytime, on any device, and from within any web browser. Today, it seems more unusual not to have a software as a service (SaaS) or cloud offering that complements, or completely replaces, a software maker's traditional software applications.

Yet, I believe that the SaaS and cloud computing revolution holds the potential to benefit everyone in the software industry, and all who rely on it for their business. For instance, we in the industry are well aware that software is evolving too quickly. It's a never-ending process of software enhancements, upgrades, security fixes and new installations. And, few would disagree that there are too many vulnerabilities affecting too many applications. In this disorder, most of the burden has fallen on the shoulders of corporations that have had to dedicate extraordinary resources to patch and mitigate the security holes.

Here is an interesting statistic that reveals the magnitude of the challenge. According to Qualys' The Laws of Vulnerabilities 2.0 research, companies take an average of 59 days to patch their vulnerabilities. Five years ago, that number was 60 days. That's a reduction of one day in the past five years. When one considers all the effort and automation that has gone into patch management in the past five years, that's not much in the way of improvement. And this shows not just how steep the challenge is, but just how broken the current ecosystem of traditional software is.

Fortunately, the SaaS and cloud computing models are positive disruptions on the infrastructure of both private networks and the internet. Unlike when individual organizations patch (work that must be duplicated for every installation), when SaaS vendors update their software applications, all of their customers are patched instantaneously as well. Because of this simple fact, many of the security problems that plague today's business-technology systems -- such as patches and software misconfiguration issues -- are solved. So, in this, and many other ways, the burden of maintaining a secure application largely is transferred from the software user to the software service provider. The effect of proper patching is amplified throughout all the IT systems the SaaS and cloud providers touch.

Some still are fighting the shift to SaaS and cloud computing. But, I don't believe that resistance to the transformation of on-premise business IT to cloud computing-based IT is a viable option. Not for long. The business benefits, cost savings and reduction in complexity are just too compelling for businesses to overlook. Actually, today, the strongest resistance we see is emanating from IT departments and IT security staff -- mainly out of fear of what might happen if one were to lose control of data. This is a false choice, and the market will not reward cloud or SaaS providers that attempt customer data lock-in.

Nevertheless, despite reservations from IT, businesses will march forward, because the business has no choice but the path that simplifies many of today's IT complexities. And in this, the primary -- and strategic -- role of IT security will be successfully and securely managing the privacy and security risks associated with data living in the cloud.

While the SaaS and cloud computing revolution is well underway, there still is much work to be achieved before the core infrastructure and associated services are as secure, reliable and trustworthy as they can be. For instance, we need ISPs to coordinate so that network traffic flows more cleanly and is free of malicious packets. We'll also need a simple, universal way to recognize and manage the identities of people and devices.

There also is the crucial business of defining accurately how enterprises can integrate and secure their current infrastructure as more of it is moved to cloud services. For this effort, I encourage all businesses, security professionals, CIOs and vendors to work together to make the transformation as beneficial as possible for all. Some of the organizations working hard to ensure that we build this new cloud infrastructure right from the beginning include the Cloud Security Alliance and the Jericho Forum, both of which are promoting cloud computing best practices.

While the visible shift to cloud computing to date has been the movement of applications and data to the cloud, it's not going to stop there. Soon, the day will come when companies outsource not only their software but their network infrastructure as well. One day, most everything we do on private networks -- manage information, applications, infrastructure and services -- will be accessible instantly and securely from anywhere and from any web browser. It's time to prepare.

Full Article


Listen to David French and Bill Olson as they provide an overview of the QualysGuard Security + Compliance Suite and the benefits of the SaaS model:

Missed Thursday's RSA keynote? Check out Philippe Courtot's keynote in its entirety as he talks about Security's "Inconvenient Truth" and the Impact of Cloud Computing on the Security Industry.
View Keynote Webcast

SC Magazine sits down with Philippe Courtot at the 2009 RSA Conference to discuss security. Questions asked:
  • What are the best ways organizations can address compliance and data security issues this year, given the challenging economic climate in which we all find ourselves?
  • What problems or challenges is your company facing in the face of a declining economy and how are you and your executives going to overcome these?
  • According to SC Magazine's research and many experts in the industry, the information security market may not see as difficult a time in this degraded economy as others since protection of data has become so critical to bottom lines. What are your thoughts on this?
  • Speaking of data protection, we're still seeing a great many exposures of personal and critical information, the most recent and largest being the Heartland incident. Where do companies keep making the biggest mistakes in protecting their customers' data?
  • As we move through 2009, what will be the biggest threats IT security practitioners will need to be mindful of and what are the ways to best address these?
  • More...
Read Interview
Just released - "Dummies Guide to PCI Compliance" in conjunction with publisher John Wiley & Sons. This handbook is the first accessible, easy-to-read guide designed to educate merchant organizations about the Payment Card Industry (PCI) Data Security Standard (DSS), which is now a mandatory requirement for companies that store, process, or transmit payment cardholder data. PCI Compliance for Dummies provides the need-to-know information about PCI DSS and how merchants can best comply with its requirements for secure results. This book is co-authored by Qualys' Sumedh Thakar and Terry Ramos.

In five succinct parts, the book guides readers through a primer on security risks faced by merchants who accept payment cards and also looks at the PCI requirements themselves and how each applies specifically to the merchant. Readers will also become familiar with best practices and outlined steps to ensure compliance to prevent cardholder data breaches.

To download a free copy, visit http://www.qualys.com/pcifordummies
Independent author Tim Proffitt writes his thesis, as part of his GIAC certification requirements, on how large companies should implement a Vulnerability Assessment Program using QualysGuard. The white paper is hosted in the SANS Institute Reading Room, and provided by SANS as a resource to benefit the security community at large.

In this paper Tim Proffitt provides a step-by-step guide for implementing a Vulnerability Assessment Program using QualysGuard, including background and recommendations on how to:

- Create Security Policies and Controls
- Categorize Assets
- Discover Assets
- Configure Hosts and Assets
- Configure Scan Details
- Report on Your Results
- Rank Your Risks and Remediate
- Handle Verification and False Positives
- Meet Compliance
Read White Paper
Just released - "Dummies Guide to Vulnerability Management" in conjunction with publisher John Wiley & Sons. This VM handbook is an easy-to-read and informative guide designed to educate and explain the essentials of vulnerability management, educating readers on selecting the right tools to manage vulnerabilities automatically, ensuring that their networks are safe from attacks. In five succinct parts, the book leads readers through a basic understanding of vulnerability management and provides a guide to essential best practices, the various options available, the pros and cons of automated vulnerability management, as well as a valuable 10-point checklist for removing existing vulnerabilities in the network.

To download a free copy, visit http://www.qualys.com/dummies.



Cisco's Doug Dexter, Michael Mucha of Stanford Hospital and Gartner analyst Mike Nicolett present an informative program focused on Security Risk and Compliance Best Practices, addressing the vulnerability management lifecycle and technology, and security configuration assessments.

See and hear Doug and Michael's approach, with insight from Mike Nicolett of Gartner, for implementing vulnerability management and the results it has produced for their security organizations.

To view video, go to: http://www.qualys.com/gartnervideo