CIO Influence
CIO Influence News Cloud IT and DevOps

Qualys Announces Ground-Breaking First-Party Software Risk Management Solution

Qualys Announces Ground-Breaking First-Party Software Risk Management Solution

Qualys, Inc., a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, announced it is opening up its award winning risk management platform to AppSec teams to bring their own detections to assess, prioritize and remediate the risk associated with first-party software and its embedded open source components.

In the digital transformation era, every organization develops its own software to run its business.This first-party, or company-developed, software often lacks the disciplined vulnerability and configuration management practices used for third-party software.Studies have shown that over 90% of first-party software includes open source components while more than 40% have high risks such as exploitable vulnerabilities.Today, application and security operations teams rely on manual checks or siloed scripts to evaluate the security of first-party software, resulting in ad-hoc security assessment that impedes the ability to prioritize and remediate risk effectively. Furthermore, traditional vulnerability assessment or software composition analysis tools do not detect the presence of embedded open source packages across the production environment. As a result, security teams face challenges in comprehending the true risk, particularly in security breaches like the Log4J incident.

CIO INFLUENCE: CIO Influence Interview with Russ Ernst, Chief Technology Officer at Blancco

The new Qualys solution enables organizations to bring their own detection and remediation scripts created using popular languages like PowerShell and Python to Qualys Vulnerability Management, Detection and Response (VMDR) as Qualys ID (QIDs), which the Qualys Cloud Agent executes in a secure and controlled manner.Qualys TruRisk then detects and prioritizes the findings in the same workflow and reporting as used for the third-party software findings. This empowers application and security teams to leverage their own detections to identify sensitive content, assess critical process and application statuses, tag assets based on sensitive or PII data presence, and mitigate risks associated with critical vulnerabilities like Log4J by configuring file parameters or addressing Follina by modifying GPOs/registry settings to efficiently manage the risk arising from both first and third-party sources.

“In our complex enterprise environment, we’ve often encountered situations where our security needs surpassed the capabilities of off-the-shelf software,” said Gabriel Julián CarreraCISO at OSED. “Consequently, we’ve resorted to pulling together independent scripts to achieve the assessments our unique homegrown solutions require. Qualys‘ new offering eliminates this fragmented approach by seamlessly integrating our proprietary assessments and commercial tools into one unified Qualys TruRisk Platform saving us time and helping us stay ahead of potential attackers.”

The new Qualys platform capabilities allow teams to:

Easily Build Your Own Signatures: Create Qualys Detections (QIDs) and remediations based on your own logic or scripts leveraging major scripting languages such as PythonPowerShell and others. These detections integrate directly into VMDR workflows and TruRisk scoring, helping SecOps teams unify and manage risk across first and third-party applications in their environment.

CIO INFLUENCE: CIO Influence Interview with Bill Lobig, VP of Product Management at IBM Automation

Proactively Detect, Manage and Reduce Supply Chain Risks: Get continuous, real-time visibility into deeply embedded open source software packages, such as Log4JopenSSL and commercial software components leveraging the Qualys Cloud Agent. Qualys TruRisk then prioritizes and correlates the information based on data from over 25 threat feeds and the asset’s business criticality. This information allows security teams to rapidly mitigate the risk of high-profile security issues such as zero-day threats and Log4J outbreaks by crafting custom detection and responses.

Effectively Communicate Risk with Unified Reporting and Dashboarding: With native integration to VMDR workflows, effectively communicate the unified view of risk in first and third-party software to the right stakeholders via real-time dashboards and reports. Integration with ticketing systems such as ServiceNow and JIRA enables the automatic assigning of detailed remediation tickets to the right owners through a common view to quickly close tickets and reduce risk.

First-party applications, being proprietary, often lack adequate risk detection, prioritization and remediation support from scanning tools,” said Sumedh Thakar, president and CEO of Qualys. “Our first-in industry capabilities enable organizations to leverage the Qualys platform’s capabilities, identifying and analyzing both first-party and third-party software risks to develop an overall TruRisk score for a comprehensive view of the organization’s overall risk.”

CIO INFLUENCE: CIO Influence Interview with Antoine Jebara, Co-Founder and GM, MSP Products at JumpCloud

[To share your insights with us, please write to sghosh@martechseries.com]

Related posts

DataGrail Launches First-of-its-Kind Risk Monitor Product to Deliver Privacy Risk Assessments in Real-Time

CIO Influence News Desk

Businesses Risk Up To £92M Lost Revenue With Ineffective Software Delivery

CIO Influence News Desk

AT&T Fiber Customers Can Level Up on Internet Speeds and Security Features at No Extra Charge

CIO Influence News Desk