Qualys, a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, has announced it is opening up its risk management platform to AppSec teams to bring their own detections to assess, prioritise and remediate the risk associated with first-party software and its embedded open-source components.
In the Digital Transformation era, every organisation develops its own software to run its business. This first-party, or company-developed, software often lacks the disciplined vulnerability and configuration management practices used for third-party software. Studies have shown that over 90% of first-party software includes open-source components while more than 40% have high risks such as exploitable vulnerabilities.
Today, application and security operations teams rely on manual checks or siloed scripts to evaluate the security of first-party software, resulting in ad-hoc security assessment that impedes the ability to prioritise and remediate risk effectively.
Furthermore, traditional vulnerability assessment or software composition analysis tools do not detect the presence of embedded open-source packages across the production environment. As a result, security teams face challenges in comprehending the true risk, particularly in security breaches like the Log4J incident.
The new Qualys solution enables organisations to bring their own detection and remediation scripts created using popular languages like PowerShell and Python to Qualys Vulnerability Management, Detection and Response (VMDR) as Qualys ID (QIDs), which the Qualys Cloud Agent executes in a secure and controlled manner. Qualys TruRisk then detects and prioritises the findings in the same workflow and reporting as used for the third-party software findings.
This empowers application and security teams to leverage their own detections to identify sensitive content, assess critical process and application statuses, tag assets based on sensitive or PII data presence and mitigate risks associated with critical vulnerabilities like Log4J by configuring file parameters or addressing Follina by modifying GPOs/registry settings to efficiently manage the risk arising from both first and third-party sources.
Enhancements to the Qualys Cloud Platform, including Custom Assessments and Remediation via VMDR integrations, will be available by the end of August.
Click below to share this article
