Qualys, Inc., a provider of revolutionary cloud-based IT, security, and compliance solutions, has announced a groundbreaking move by opening its renowned risk management platform to Application Security (AppSec) teams. This strategic step enables these teams to customize their own detections, empowering them to evaluate, prioritize, and address risks associated with in-house software and its embedded open-source components.
In the age of digital transformation, every organization develops its proprietary software to drive its operations. This “first-party” software, originating from within the company, often lacks the stringent vulnerability and configuration management practices commonly applied to third-party software. Studies reveal that over 90% of first-party software integrates open-source components, with more than 40% harboring high-risk elements such as exploitable vulnerabilities. At present, app and security operations teams rely on manual checks or isolated scripts to assess the security of first-party software. This approach leads to ad-hoc security evaluations, impeding the effective prioritization and resolution of risks. Additionally, traditional tools for vulnerability assessment and software composition analysis fail to identify embedded open-source packages within the production environment. Consequently, security teams grapple with comprehending the true extent of risk, particularly in the wake of security breaches like the Log4J incident.
The innovative Qualys solution lets organizations bring their own detection and remediation scripts, written in popular languages such as PowerShell and Python, into Qualys Vulnerability Management, Detection, and Response (VMDR) as Qualys IDs (QIDs). The Qualys Cloud Agent then executes these scripts securely and under controlled conditions, and Qualys TruRisk identifies and prioritizes their findings using the same workflow and reporting mechanisms applied to third-party software findings. Application and security teams can thus use their own detections to uncover sensitive content, check the status of critical processes and applications, tag assets based on the presence of sensitive or Personally Identifiable Information (PII) data, and remediate critical vulnerabilities: for example, mitigating Log4J by configuring file parameters, or addressing Follina by modifying Group Policy Objects (GPOs) and registry settings. In this way, both first-party and third-party sources of risk can be managed together.
1. Seamless Custom Signatures Creation: Develop Qualys Detections (QIDs) and corresponding remedies based on individual logic or scripts using prominent scripting languages like Python and PowerShell. These custom detections seamlessly integrate into VMDR workflows and TruRisk scoring, enabling Security Operations (SecOps) teams to harmoniously manage risk across both first and third-party applications within their operational landscape.
2. Proactive Detection and Management of Supply Chain Risks: Obtain continuous, real-time visibility into deeply embedded open-source software packages, such as Log4J and OpenSSL, and into commercial software components. Leveraging the Qualys Cloud Agent, Qualys TruRisk assigns priority and correlation based on information sourced from over 25 threat feeds and asset business criticality. This empowers security teams to swiftly mitigate the risk of prominent security issues, including zero-day threats and Log4J outbreaks, through the creation of tailored detections and responses.
3. Unified Reporting and Dashboarding for Effective Risk Communication: Through native integration with VMDR workflows, effortlessly communicate a consolidated view of risk present in both first and third-party software to pertinent stakeholders via real-time dashboards and reports. Integration with ticketing systems such as ServiceNow and JIRA streamlines the process of automatically assigning detailed remediation tickets to relevant stakeholders. This common interface expedites ticket resolution and reduces overall risk.
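To make the "bring your own detection" idea concrete, here is an added example (not Qualys code, and not the format of a real custom QID script, whose interface the announcement does not describe) of the kind of Python detection an AppSec team might write for the Log4J case above: it walks a deployment directory, opens every jar/war/ear, recurses into archives nested inside them (the case where traditional scanners lose visibility), reads the Maven metadata that log4j-core builds carry, and reports each embedded version together with any that fall below a policy-defined minimum. The sample archives, the output format, and the `2.17.0` threshold are constructed assumptions for the demonstration; the minimum version an organization enforces is its own policy decision.

```python
import io
import json
import os
import re
import tempfile
import zipfile

# Maven metadata that log4j-core jars carry; its "version=" line identifies the build.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 5  # guard against pathological or hostile nesting depth


def _scan_archive(data, label, findings, depth=0):
    """Inspect one archive held in memory; recurse into archives nested inside it."""
    if depth > MAX_NESTING:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # corrupt file, or something merely named like a jar
    with zf:
        names = zf.namelist()
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            findings.append({"path": label, "version": m.group(1).strip() if m else "unknown"})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                # "outer!/inner" mirrors the Java jar: URL convention for nested entries
                _scan_archive(zf.read(name), f"{label}!/{name}", findings, depth + 1)


def find_log4j_core(root):
    """Walk a deployment directory and return every embedded log4j-core build found.
    Paths are reported relative to root with forward slashes."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fn)
                label = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    _scan_archive(fh.read(), label, findings)
    return sorted(findings, key=lambda f: f["path"])


def _version_key(v):
    """Numeric tuple for ordering dotted versions; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def below_minimum(findings, minimum):
    """Return findings older than the organisation's policy-defined minimum version."""
    return [f for f in findings
            if f["version"] != "unknown" and _version_key(f["version"]) < _version_key(minimum)]


def _make_jar(version=None):
    """Constructed jar: a manifest plus, optionally, log4j-core pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPERTIES,
                        f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def build_sample_deployment(root):
    """Constructed sample tree (not real software): a clean utility jar, a stand-alone
    log4j-core jar, and a war that nests another log4j-core jar under WEB-INF/lib."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    with open(os.path.join(lib, "app-utils.jar"), "wb") as fh:
        fh.write(_make_jar())
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_make_jar("2.14.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _make_jar("2.17.1"))
    with open(os.path.join(root, "portal.war"), "wb") as fh:
        fh.write(war.getvalue())


def scan_sample_deployment(minimum="2.17.0"):
    """Build the constructed tree in a temp dir, scan it, return (all findings, those below minimum)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_deployment(root)
        findings = find_log4j_core(root)
    return findings, below_minimum(findings, minimum)


if __name__ == "__main__":
    # Assumed output contract: one JSON line per finding, for a platform to ingest and prioritize.
    found, stale = scan_sample_deployment()
    for f in found:
        print(json.dumps({**f, "below_minimum": f in stale}))
```

Run directly, the script reports both embedded builds, including the one hidden inside the war, and marks the `2.14.1` copy as below the assumed threshold. In a real deployment the platform, not the script, would do the prioritization; the script's job is only to surface the embedded component and its version reliably.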
Sumedh Thakar, President and CEO of Qualys, highlighted, “First-party applications, being proprietary, often lack adequate risk detection, prioritization, and remediation support from scanning tools. Our pioneering capabilities in the industry empower organizations to harness the Qualys platform’s potential, allowing them to assess and analyze risks associated with both first-party and third-party software. This holistic approach contributes to the development of an encompassing TruRisk score, offering a comprehensive overview of an organization’s overall risk landscape.”