Cloud computing is all the rage now. But Qualys, a fast-growing Redwood City-based network security firm, was a pioneer in offering computing applications and services over the Internet when it was founded in 1999. And Qualys is poised for more growth as cloud computing caters to companies looking for ways to avoid costly licensed products during a recession. Today, Qualys is almost an insider, with nearly 40 Fortune 100 companies among its 4,000 customers and revenue growing quickly.

John Pescatore, vice president of Internet security at Gartner, said that Qualys is a top-rated vendor, was indeed a leader in providing security as a service, and has a reputation for making clients happy. "They have a really good reputation for customer service," he said. "They are not tremendously differentiated technologically anymore." Qualys got out front with its vulnerability assessment service, its first product, and it has become an industry leader in providing credit card database security, Pescatore said. Customers for those products include General Electric, Google, eBay, DuPont, Hershey Foods, BASF, Hewlett-Packard and even Symantec.
 
This year, Qualys introduced two less innovative products, a policy compliance tool in June and a web application scanning service last month, that are similar to what other companies like Symantec and Whitehat, respectively, already offer, Pescatore said. Philippe Courtot, chairman and CEO of Qualys, said Qualys has an advantage in that it can instantly add new services to its platform without customers having to spend major capital on equipment, software or labor. In addition, because Qualys is subscription-based, clients can instantly scale up or down based on their needs. Pescatore said the ability to layer on new services easily could be a big advantage, particularly given Qualys' excellent relationships with its clients.
 
Courtot said Qualys, which is profitable, reinvests 25 percent of its revenue in research and development. It now employs 210 people, up from 194 last year, with about half of them at its headquarters in Redwood Shores. Qualys is one of a handful of software-as-a-service pathbreakers, like Salesforce.com and Netsuite, that survived the bursting of the Internet bubble and a retrenchment in venture capital investing, and today are leading the charge into the cloud, he said.
 
Read More
While security managers find it challenging enough to maintain secure patch levels across their organisations' desktops, servers and networking gear, there's a new class of network equipment that you'll need to add to the list: high-end networked scanners, copiers, printers and multi-function devices. These may not be the devices most targeted for attack right now, but they're likely to move up that list very soon.

First, the manufacturers are increasingly moving away from proprietary operating systems and software that run these devices in favour of readily-available operating systems. Second, there has been heightened visibility regarding the vulnerabilities associated with these devices, including a presentation at this year's Black Hat security conference. Recently, while at a customer site, we identified vulnerabilities on a networked printer that left the organisation open to attack.

Until recently, these types of devices were based on specialised software running on RISC-based processors, and few attackers had the knowledge or skills necessary to identify and exploit the vulnerabilities that would make a successful attack possible. Today, more of these devices are built on traditional Intel processors running common operating systems such as Linux, and even Apache Web server software. That's why high-end multi-function devices and printers are beginning to look amazingly similar to any other IT appliance attached to the network.

The result is that they're now vulnerable to the same types of attacks as standard desktops and servers, and can be used as a jump-point to other devices and systems, to monitor data traveling across the network, or to launch DoS attacks. And the data actually residing on these devices can be critical, even regulated: more and more of them come equipped with hard disks, and everything copied or printed can be cached there.

Read More

The out-of-band security update fixes a vulnerability that can be exploited through JavaScript code posted on malicious Web sites. Internet Explorer users may be redirected to these sites through compromised legitimate sites. If the malicious code is successful, it silently downloads malware onto the victim's computer. Microsoft security researchers estimated that as many as 1 in 500 users of Internet Explorer could have been exposed to malware attempting to exploit the flaw. Microsoft is urging users of IE to test and deploy this update as soon as possible.

Qualys customers can immediately audit their networks for this vulnerability by accessing their QualysGuard subscription and performing the following check:

QID: 100067: Microsoft Internet Explorer Pointer Reference Memory Corruption (MS08-078)

Read More
Optimism around software-as-a-service appears strong, with 90 percent of organisations expecting to maintain or grow their use of software based on the model, according to Gartner.

The analyst company recently released a report on a global user survey that found cost-effectiveness, and ease and speed of deployment were "primary reasons" for enterprises adopting SaaS (software as a service).

Companies moving to SaaS also looked to the model to help lower their TCO (total cost of ownership) and to solve issues with "unmet performance expectations" with their on-premise implementations.

Sharon Mertz, research director at Gartner, said on Wednesday in a statement: "Use of SaaS has been evolving during the past decade and the SaaS model has become increasingly popular over the past three or four years."

"When asked why their organisations were transitioning from a current on-premises solution to a SaaS solution, respondents' consistent message was that the TCO [for on-premise solutions] was becoming too financially onerous."

Together with budget cuts next year, Gartner expects the focus on driving down TCO to foster greater demand for SaaS compared to on-premise purchases.

Read More

If your business accepts credit card payments, it must comply with the Payment Card Industry Data Security Standard (PCI DSS). The way you handle cardholder data is governed by PCI DSS not as a matter of law, but as part of your contract with the card brands whose cards you accept. Inc.com's Minda Zetlin outlines the latest requirements in "What New PCI Standards Mean to You."

  1. WEP is disallowed.
  2. All systems "commonly affected" by malware must run anti-malware software. 
  3. Application firewalls are mandatory for Web applications. 
  4. Logs must be saved for a year. 
  5. New-user passwords must be changed. 
Read More
Indusface Consulting, an end-to-end Information Security Services company, announces that it has partnered with Qualys to differentiate and expand its service offering, delivering network security, operational efficiency and risk reduction for its clients while leveraging the flexibility of the Qualys Software-as-a-Service (SaaS) model.

"We have developed a strong consulting team that possesses the technology know-how to deliver world class security services and solutions to our clients," said Ashish Tandon, Chief Executive Officer, Indusface Consulting. "Collaborating with Qualys further extends our ability to offer practical solutions that we can confidently apply across a broad range of industry verticals and customer sectors."


Read More
There's been considerable discussion recently about how automatic software updates, such as those to download security patches, can be used as potential vectors of attack. This is unfortunate, as one of the primary tenets of keeping systems relatively secure is to maintain current patch levels. And when most users, including probably most businesses, need to update their systems, they tend to trust and download the updates presented to them without confirming their authenticity.

In SC Magazine's Hot or Not: Software update vulnerabilities, Amol Sarwate of the Qualys Vulnerabilities Research Lab discusses how automatic update features in many software applications are proving to be vulnerable to attack now that hackers are taking notice. 
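The authenticity check that the paragraph above says users skip is not hard to build in; what matters is that it is done against a key the client already holds rather than anything fetched over the same channel as the update. The following is an added example, not code from Qualys or from the SC Magazine article: a minimal update client in Go that pins the publisher's Ed25519 public key, verifies a signed release manifest, refuses version rollbacks, and binds the downloaded payload to the manifest by its SHA-256 digest. The manifest format, the function names and the payloads are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the release metadata the publisher signs. The client never
// trusts a payload that is not described by a manifest with a valid signature.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"` // monotonically increasing build number
	SHA256  string `json:"sha256"`  // hex digest of the update payload
}

// SignedManifest carries the exact bytes that were signed plus the signature.
// Verifying the serialized bytes (not a re-encoded struct) avoids canonicalization bugs.
type SignedManifest struct {
	Body      []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned publisher key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrHashMismatch = errors.New("payload digest does not match the signed manifest")
)

// NewPublisherKey makes a fresh signing keypair (constructed for the demo; a real
// publisher would generate this once and keep the private half offline).
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// DigestHex returns the hex SHA-256 of a payload; used by both publisher and client.
func DigestHex(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// Sign is the publisher side, run at release time.
func Sign(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// Verify is the client side. Order matters: check the signature before parsing
// anything, refuse downgrades, then bind the payload to the manifest.
func Verify(pub ed25519.PublicKey, installedVersion int, sm SignedManifest, payload []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Body, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return Manifest{}, err
	}
	if m.Version <= installedVersion {
		return Manifest{}, ErrRollback
	}
	if DigestHex(payload) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

func main() {
	// Constructed demo: in a real client the public key is compiled in, not fetched.
	pub, priv := NewPublisherKey()
	payload := []byte("constructed update payload v2")
	genuine, _ := Sign(priv, Manifest{Product: "demo-agent", Version: 2, SHA256: DigestHex(payload)})

	_, err := Verify(pub, 1, genuine, payload)
	fmt.Println("genuine update:", err)

	// Case 1: an on-path attacker swaps the payload but cannot alter the signed manifest.
	_, err = Verify(pub, 1, genuine, []byte("trojaned payload"))
	fmt.Println("swapped payload:", err)

	// Case 2: the attacker signs a manifest with a key the client does not pin.
	_, evilPriv := NewPublisherKey()
	evil := []byte("trojaned payload")
	forged, _ := Sign(evilPriv, Manifest{Product: "demo-agent", Version: 3, SHA256: DigestHex(evil)})
	_, err = Verify(pub, 1, forged, evil)
	fmt.Println("forged manifest:", err)

	// Case 3: replay of an older, genuinely signed release (downgrade attack).
	_, err = Verify(pub, 2, genuine, payload)
	fmt.Println("replayed old release:", err)
}
```

Running it prints the specific rejection for each of the three attack cases. Note that downloading over TLS does not give this property on its own: TLS authenticates the server you connected to, not the build the publisher produced, and a compromised mirror, CDN or DNS answer still delivers whatever it likes. The signature check against a pinned key is what ties the bytes on disk to the publisher.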

Read Article

Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 9 new vulnerabilities present in Microsoft Windows. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

On December 9, Microsoft released 8 security patches to fix newly discovered flaws in Microsoft Windows. Microsoft has also released 1 advisory that currently does not have a patch. The Qualys Vulnerability R&D Lab has released checks for these new vulnerabilities, including:

        - Microsoft Wordpad Text Converter Vulnerability
        - Microsoft Visual Basic Runtime Extended Files Remote Code Execution Vulnerability
        - Microsoft Windows GDI+ Remote Code Execution Vulnerability
        - Microsoft Word Multiple Remote Code Execution Vulnerabilities
        - Microsoft Internet Explorer Cumulative Security Update
        - Microsoft Excel Multiple Remote Code Execution Vulnerabilities
        - Microsoft Windows Search Remote Code Execution Vulnerability
        - Microsoft Windows Media Components Remote Code Execution Vulnerability

Read Alert
Listen to Podcast

Related Coverage:
Microsoft Slates 8 Bug Updates for Year's Final Patch Tuesday, by Gregg Keizer, Computerworld
Windows Users Indifferent to Microsoft Patch Alarm, by Gregg Keizer, Computerworld
Zero-Day Bug Discovered In IE7, by Tim Wilson, DarkReading
Hackers Having Field Day With IE Zero Day Attacks, by Erika Morphy, TechNewsWorld
As a finalist in the Readers Trust Awards, which honors best-in-class security products and services, Qualys is nominated for:

-- Best Vulnerability Management Solution for QualysGuard

 
As a multiple nominee for the Excellence Award, which honors companies with superior security products, Qualys is also nominated for:  

-- Best Security Company
-- Best Enterprise Security Solution for QualysGuard Enterprise
-- Best SME Security Solution for QualysGuard Express

Winners of this year's SC Awards will be announced at a gala dinner and award ceremony to be held in San Francisco on April 21, 2009 in conjunction with the RSA Conference.
"Vendors have to go well beyond the requirements of SLAs if they want to keep their customers," said InternetNews' Richard Adhikari from one of the panel discussions at SIIA On Demand, the Software & Information Industry Association's conference on SaaS.

Panelist Philippe Courtot, chairman and CEO of Qualys, added - "It is critical for SaaS players to exceed SLAs because there are few obstacles to a customer abandoning one supplier in favor of another.  It's much easier to switch from a SaaS application than a normal application because you don't have to pull out the application and replace it and test it and secure it.  

"In the future, customers will demand more from SaaS vendors," Courtot warned. "I can see that, in the near future, they would want guarantees of quality of service, guarantees of security of data, guarantees of data privacy."

Read More

Qualys has been chosen as one of Deloitte's 2008 Technology Fast 500, a ranking of today's fastest growing technology, media, telecommunications and life sciences companies in North America. This industry distinction comes just several weeks after the company's most recent achievement as a Deloitte Silicon Valley Fast 50 company, where Qualys ranked #37 by demonstrating a five-year growth rate of 492 percent from 2003-2007. The same five-year growth rate criterion was used in selecting the Fast 500 companies, placing Qualys at #307 on the expanded list of industry notables.

"Being recognized as one of the fastest growing companies in North America is an honor that we share with our customers who from the beginning believed in our Software-as-a-Service solution for IT security and compliance management," said Philippe Courtot, Qualys CEO. "We thank Deloitte for the ranking that underscores our efforts to help organizations worldwide get a clear view on their IT security and achieve compliance."

Read More

Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 2 new vulnerabilities present in Microsoft Windows. Customers can immediately audit their networks for these and other recent vulnerabilities by accessing their QualysGuard subscription.

On November 11, Microsoft released 2 security patches to fix newly discovered flaws in Microsoft Windows. The Qualys Vulnerability R&D Lab has released the following checks for these new vulnerabilities:

- Microsoft SMB Could Allow Remote Code Execution
- Microsoft XML Core Services Remote Code Execution Vulnerability
Read Alert
Listen to Podcast

Related Coverage:
Microsoft Patches Long-Known Windows Bugs, by Gregg Keizer, Computerworld
Microsoft Doles Out Two Patches for Four Flaws, by Dan Kaplan, SC Magazine
Teed Up for November: Office, Windows Fixes, by Andy Patrizio, InternetNews.com
InformationWeek explains how IT can implement a vulnerability management program that actually works.

For vulnerability management that works, apply risk management principles and logic relative to business value. IT must also engage across business units to determine a company-wide security posture that is within acceptable risk tolerance levels, create operational processes that address the computing environment as a whole, and select the right technology platforms to bolster those processes. Critical steps to break the cycle of ineffectiveness:

    Step 1: Integrate Data Collection
    Step 2: Prioritize
    Step 3: Continue to Refine

Read More
InformationWeek outlines four principles to achieve ongoing vulnerability management success:

Principle 1: Focus on Output, Not Input

Tools are only a means to an end. Data collection is a fundamental requirement for vulnerability management, but providing timely, accurate, contextual reports to appropriate individuals is critical. Many organizations develop programs that generate vast amounts of data, but struggle to make it actionable and measurable.

Principle 2: Align with Business Processes
Vulnerability management process integration with and awareness of business processes is critical to understanding enterprise risk and focusing on the areas that matter most.

Principle 3: Continue to Integrate Technologies
Incorporating change and configuration technologies will increase the reliability of data, build accurate reporting, and increase overall effectiveness in lowering enterprise risk and achieving compliance objectives.

Principle 4: Leverage Measurement and Promote Visibility
Defining key performance indicators, such as an acceptable host-to-vulnerability ratio, and using measurement tools will help focus the program on activities that will have the most impact.

Read More
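To make Step 2 (Prioritize) from the first InformationWeek excerpt and Principle 4 (measurement) from the second concrete, here is an added example in Go; it is not code from InformationWeek or Qualys. It joins constructed scanner findings with asset criticality and exposure that would come from a hypothetical CMDB or asset owners, ranks them by a business-weighted risk score, and computes the host-to-vulnerability ratio plus the share of hosts carrying a critical finding. The weights, field names and sample data are assumptions for illustration; the point it demonstrates is that a medium finding on an exposed revenue system outranks a critical one on an isolated lab box once business value is in the score.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is one scanner result joined with asset context. Severity is what
// the scanner reports; Criticality and the exposure flags are the business
// context that has to come from asset owners or a CMDB (constructed here).
type Finding struct {
	Host           string
	Title          string
	Severity       int  // scanner severity, 1 (low) .. 5 (critical)
	Criticality    int  // asset business value, 1 (lab box) .. 5 (revenue or regulated)
	InternetFacing bool // reachable from outside the perimeter
	ExploitPublic  bool // working exploit code is public
}

// RiskScore weights raw severity by business value and exposure. The
// multipliers are illustrative assumptions, not a published standard.
func RiskScore(f Finding) float64 {
	score := float64(f.Severity * f.Criticality)
	if f.InternetFacing {
		score *= 1.5
	}
	if f.ExploitPublic {
		score *= 1.5
	}
	return score
}

// Prioritize returns a copy of the findings ordered by descending risk
// score; ties fall back to host and title so the report is stable run to run.
func Prioritize(findings []Finding) []Finding {
	out := append([]Finding(nil), findings...)
	sort.SliceStable(out, func(i, j int) bool {
		si, sj := RiskScore(out[i]), RiskScore(out[j])
		if si != sj {
			return si > sj
		}
		if out[i].Host != out[j].Host {
			return out[i].Host < out[j].Host
		}
		return out[i].Title < out[j].Title
	})
	return out
}

// KPIs are program-level measures; VulnsPerHost is the host-to-vulnerability
// ratio the article mentions, meant to be tracked over time rather than read once.
type KPIs struct {
	Hosts                int
	Findings             int
	VulnsPerHost         float64
	HostsWithCriticalPct float64 // share of hosts with at least one severity-5 finding
}

// ComputeKPIs aggregates a scan into the measures above.
func ComputeKPIs(findings []Finding) KPIs {
	hosts := map[string]bool{}
	critical := map[string]bool{}
	for _, f := range findings {
		hosts[f.Host] = true
		if f.Severity >= 5 {
			critical[f.Host] = true
		}
	}
	k := KPIs{Hosts: len(hosts), Findings: len(findings)}
	if k.Hosts > 0 {
		k.VulnsPerHost = float64(k.Findings) / float64(k.Hosts)
		k.HostsWithCriticalPct = 100 * float64(len(critical)) / float64(k.Hosts)
	}
	return k
}

// SampleFindings is constructed scan output, not real data.
func SampleFindings() []Finding {
	return []Finding{
		{Host: "web-01", Title: "Outdated TLS library", Severity: 3, Criticality: 5, InternetFacing: true, ExploitPublic: true},
		{Host: "lab-07", Title: "Unpatched kernel", Severity: 5, Criticality: 1},
		{Host: "db-02", Title: "Weak database credentials", Severity: 5, Criticality: 5},
		{Host: "web-01", Title: "Directory listing enabled", Severity: 2, Criticality: 5, InternetFacing: true},
		{Host: "lab-07", Title: "SNMP default community string", Severity: 3, Criticality: 1, ExploitPublic: true},
		{Host: "print-03", Title: "Embedded web server without authentication", Severity: 3, Criticality: 2},
	}
}

func main() {
	findings := SampleFindings()
	fmt.Println("Remediation order (business-weighted):")
	for i, f := range Prioritize(findings) {
		fmt.Printf("%d. %-9s sev=%d crit=%d score=%5.2f  %s\n", i+1, f.Host, f.Severity, f.Criticality, RiskScore(f), f.Title)
	}
	k := ComputeKPIs(findings)
	fmt.Printf("\nhosts=%d findings=%d vulns/host=%.2f hosts-with-critical=%.0f%%\n",
		k.Hosts, k.Findings, k.VulnsPerHost, k.HostsWithCriticalPct)
}
```

With the sample data the severity-5 kernel finding on lab-07 lands fifth, below the unauthenticated web interface on a printer, because the lab box has no business value attached. That is the behaviour you want from the ranking, but it only holds if the criticality field is populated; findings on hosts that are missing from the CMDB should be surfaced as an inventory gap rather than silently scored at zero.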
The Silicon Valley Technology Fast 50 Program honors the fastest growing software and information technology companies in the San Francisco Bay Area. Don McCauley, Qualys CFO, accepted this honor at The Computer History Museum on October 30th.

"We are pleased to be regarded by Deloitte as one of the fastest growing software and information technology companies in Silicon Valley," said Philippe Courtot, Qualys CEO.  "We share this recognition with our customers who understand the value of Software as a Service.  It is through the customer adoption of this innovative platform that we continue to experience growth and we extend a thank you to our customers for making this achievement possible."

Read More
Nils is responsible for security, risk management and business continuity planning, including the security of the QualysGuard platform. Additionally, with his working industry knowledge, Nils will oversee Qualys' CSO Advisory Board, whose main charter is to collaborate with other CSOs and industry leaders to offer real-world expertise in forging and implementing security and compliance best practices.

He stated: "Qualys has differentiated itself within the industry with its SaaS delivery platform and by keeping attention focused on the needs of the customer. I am looking forward to working with the Qualys team and with other CSOs in the industry to collaborate on real-life security and compliance issues and come up with best practices to address them."

Read More
"Our partnership with Tata Communications allows them to offer their global customer base a proven, scalable and cost effective solution to help these organizations improve their security and streamline compliance initiatives. We are pleased to partner with such a world class organization and look forward to working with them," said Philippe Courtot, Qualys CEO.

John Landau, Senior Vice President of Global Managed Services for Tata Communications, spoke about the company's latest launch, saying: "Effectively managing vulnerabilities to best-practice levels, in-house, is an expensive and difficult undertaking for businesses of any size. Mistakes can lead to crippling service downtime, potential data corruption, and the risk of being non-compliant. Tata's vulnerability management service helps organizations wrap their arms around which critical systems need patching at a drastically reduced total cost of ownership. There is no investment in capital or special skills required. The service allows customers both large and small to offload the grinding technical and operational aspects of vulnerability management while retaining control over decision-making and the actual remediation process."

Read More

In this MarketScope report, Gartner details the challenges and tools to consider when evaluating and deploying Vulnerability Assessment technologies. MarketScope includes Gartner's vendor rating where Qualys received the highest possible rating ('Strong Positive').

Read Report
This talk will examine how the adoption of Web 2.0 and consumer technologies impacts application security and how you should respond to the new requirements. Topics covered:
  • Global trends and the enterprise security impact of Web 2.0 adoption, de-perimeterization, and the consumerization of corporate IT.
  • Steps information security professionals can follow to strengthen application security, especially in an open and collaborative environment.
  • An overall application security maturity model, and steps to create best-practices for application security.
Register
As an honoree of Information Security magazine's Security 7 award, Michael Mucha writes in "Security for the Masses" about his team's attention to secure collaboration and its proactive investments in SaaS and other outsourcing ventures, which free the team to focus on risks specific to the Stanford Hospital environment.

Read Essay