Qualys, Inc., a provider of cloud-based IT, security, and compliance solutions, has announced that it is opening up its risk management platform to AppSec teams. The goal is to allow these teams to bring their own detections to assess, prioritize, and remediate the risk associated with first-party software and its embedded open-source components.
In today’s digital transformation era, every organization develops its own software to run its business. However, this first-party software often lacks the disciplined vulnerability and configuration management practices used for third-party software. Studies have shown that over 90% of first-party software includes open-source components, with more than 40% having high risks such as exploitable vulnerabilities. Currently, application and security operations teams rely on manual checks or siloed scripts to evaluate the security of first-party software. This ad-hoc security assessment impedes the ability to prioritize and remediate risk effectively. Additionally, traditional vulnerability assessment or software composition analysis tools do not detect the presence of embedded open-source packages across the production environment. This poses challenges for security teams in comprehending the true risk, especially in security breaches like the recent Log4J incident.
Qualys’ new solution allows organizations to bring their own detection and remediation scripts, written in popular languages like PowerShell and Python, to Qualys Vulnerability Management, Detection and Response (VMDR). These scripts, packaged as Qualys IDs (QIDs), are executed by the Qualys Cloud Agent in a secure and controlled manner. Their findings are then prioritized by Qualys TruRisk alongside the findings for third-party software, using the same workflow and reporting. This empowers application and security teams to leverage their own detections to assess critical process and application status, identify sensitive content, tag assets based on the presence of sensitive or PII data, and mitigate risks associated with critical vulnerabilities like Log4J.
Gabriel Julián Carrera, CISO at OSDE, mentioned that their complex enterprise environment often required the use of independent scripts to achieve the assessments their unique homegrown solutions required. He believes that Qualys’ new offering eliminates this fragmented approach by seamlessly integrating proprietary assessments and commercial tools into one unified Qualys TruRisk Platform. This saves time and helps the organization stay ahead of potential attackers.
The new Qualys platform capabilities enable teams to easily build their own signatures using major scripting languages such as Python and PowerShell. These signatures integrate directly into VMDR workflows and TruRisk scoring, allowing SecOps teams to unify and manage risk across both first- and third-party applications. The platform also provides real-time visibility into deeply embedded open-source software packages, such as Log4J and OpenSSL, as well as commercial software components. Qualys TruRisk correlates and prioritizes this information based on data from over 25 threat feeds and the asset’s business criticality. This enables security teams to efficiently detect, manage, and reduce supply chain risks, including high-profile security issues such as zero-day threats and Log4J outbreaks. The platform also offers unified reporting and dashboarding, allowing risk in first- and third-party software to be communicated effectively to the appropriate stakeholders. Integration with ticketing systems such as ServiceNow and JIRA enables the automatic assignment of detailed remediation tickets to the right owners, facilitating quick closure and risk reduction.
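To make concrete what a "bring your own detection" script for embedded open-source components looks like, here is an added example (not Qualys code, and not tied to the QID packaging format, which the announcement does not describe): a Python detection that walks a directory tree, opens every jar/war/ear, recurses into archives nested inside them, and reports any log4j-core it finds with its manifest version. The fixture it scans is constructed inline, and the version threshold (flag log4j-core below 2.17.1) is an illustrative assumption rather than a statement about any particular CVE.

```python
"""Hypothetical custom detection: find embedded log4j-core archives, including
jars nested inside wars and fat jars, and report their versions. Constructed
example for illustration, not Qualys' own detection code."""
import io
import os
import shutil
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
LOG4J_CORE_TITLE = "Apache Log4j Core"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Illustrative threshold (an assumption of this example): flag log4j-core older than 2.17.1.
MINIMUM_FIXED = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def read_manifest(zf):
    """Parse META-INF/MANIFEST.MF (continuation lines start with a space) into a dict."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return {}
    fields, last_key = {}, None
    for line in raw.splitlines():
        if line.startswith(" ") and last_key:
            fields[last_key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last_key = key.strip()
            fields[last_key] = value.strip()
    return fields


def inspect_archive(zf, location, findings):
    """Record a finding if this archive is log4j-core, then recurse into nested archives."""
    manifest = read_manifest(zf)
    names = set(zf.namelist())
    # The JndiLookup class is still shipped in patched releases, so class presence alone
    # only says "this is log4j-core"; the manifest version decides whether it is affected.
    if manifest.get("Implementation-Title") == LOG4J_CORE_TITLE or JNDI_LOOKUP_CLASS in names:
        version_text = manifest.get("Implementation-Version", "unknown")
        version = parse_version(version_text)
        findings.append({
            "location": location,
            "version": version_text,
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            "affected": version < MINIMUM_FIXED if version else None,  # None = version unknown
        })
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{location}!/{name}", findings)


def scan_tree(root):
    """Walk a directory and return findings for every embedded log4j-core archive, sorted by location."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, os.path.relpath(path, root).replace(os.sep, "/"), findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["location"])


def _jar_bytes(manifest_fields, extra_entries=()):
    """Build a minimal in-memory jar with the given manifest fields and empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        body = "".join(f"{k}: {v}\n" for k, v in manifest_fields.items())
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n" + body)
        for entry in extra_entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


def build_sample_tree():
    """Constructed fixture: an old log4j-core jar, a war nesting a newer one, and an unrelated jar."""
    root = tempfile.mkdtemp(prefix="byod-demo-")
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_jar_bytes({"Implementation-Title": LOG4J_CORE_TITLE,
                            "Implementation-Version": "2.14.1"}, [JNDI_LOOKUP_CLASS]))
    with open(os.path.join(lib, "commons-io-2.11.0.jar"), "wb") as f:
        f.write(_jar_bytes({"Implementation-Title": "Apache Commons IO",
                            "Implementation-Version": "2.11.0"}))
    nested = _jar_bytes({"Implementation-Title": LOG4J_CORE_TITLE,
                         "Implementation-Version": "2.17.1"}, [JNDI_LOOKUP_CLASS])
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", nested)
    with open(os.path.join(root, "app", "webapp.war"), "wb") as f:
        f.write(war.getvalue())
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for finding in scan_tree(demo_root):
            print(finding)
    finally:
        shutil.rmtree(demo_root)
```

The point of the nested-archive recursion is the one the announcement makes about "deeply embedded" packages: a plain file-name search would miss the log4j-core inside the war, and a class-presence check alone would flag the patched copy too, so the script combines both signals with the manifest version before emitting a finding. A real QID would return these findings to the agent in whatever format the platform expects; that packaging is outside this example.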
Sumedh Thakar, president and CEO of Qualys, highlighted that first-party applications often lack adequate risk detection, prioritization, and remediation support from scanning tools. He believes that Qualys’ first-in-industry capabilities allow organizations to leverage the Qualys platform’s capabilities, identifying and analyzing both first-party and third-party software risks to develop an overall TruRisk score for a comprehensive view of the organization’s overall risk.
Enhancements to the Qualys Cloud Platform, including Custom Assessments and Remediation via VMDR integrations, will be available by the end of August. Organizations can sign up for a free trial on the Qualys website to experience these new features. Additionally, Qualys will be showcasing its first-party solution at Black Hat USA in booth 1320.
With more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100, Qualys is a pioneer and leading provider of disruptive cloud-based security, compliance, and IT solutions. The Qualys Cloud Platform offers critical security intelligence and automation for vulnerability detection, compliance, and protection across various IT systems and platforms. The platform leverages a single agent to continuously deliver security intelligence and integrates with major cloud service providers and managed service providers. Founded in 1999, Qualys has become a trusted partner for organizations looking to streamline and automate their security and compliance solutions.
In conclusion, Qualys’ decision to open up its risk management platform to AppSec teams is aimed at addressing the challenges organizations face in assessing and mitigating risks associated with their first-party software. By allowing teams to bring their own detections and leveraging popular scripting languages, Qualys aims to provide a unified platform for managing risk across both first and third-party applications. This move is expected to streamline security assessments and improve the overall security posture of organizations.