QualysGuard InfoDay 2013 - Web Application Firewall
RoadMap in the Cloud (2011)
1. QualysGuard
RoadMap in the Cloud …
Marek Skalicky, CISM, CRISC June 15, 2011
Regional Account Manager for Central & Adriatic Eastern Europe
2. QualysGuard Suite
IT Security Risk & Compliance Platform and Applications
New definition of QG Security & Compliance Suite
QualysGuard On Demand Portal
Analyze:
− Vulnerability Management
− Web Application Scan
− Malware Detection
− Self-Service Scan*
Comply:
− Policy Compliance / FDCC
− PCI Compliance
− Qualys Seal
− Compliance Management*
Protect:
− Web Application Firewall*
− IDS/IPS Signatures*
QualysGuard SaaS Technology Platform
− Scanners & Sensors
− Open APIs & Integrations
3. Migration Plan to new platform
Stages shown in the slide diagram, from the current PHP platform to the Next Generation Java Platform (2011):
− Q2/Q3: Web 2.0 UI (EXT), Application Optimized & Integrated; JSON API / Web Services API (Qualys Platform Services)
− Q3/Q4: Next Generation Java Platform replaces the current PHP platform
− Q4/Q1: New Scanner Interface; Virtual Scanner platform; Existing & New Scanners
4. Major Enhancements:
JavaScript Interface with Web Services for Actions & Data
Highly Dynamic Interface
− ExtJS Library Based Widgets
− JS Compression and Compilation
− Separated Display-and-Service Architecture
Single Service / Any UI / Export
− Allows Easy Re-Use
− Easily Scriptable & Highly Accessible
− Wide Range of Outputs (doc, xls, pdf, xml, ppt)
Easily Leveraged in Other Applications
− QualysGuard-accessible
− Customer-accessible
− Partner-accessible
5. Major Enhancements:
Tag-Based Organization & Security
Dynamic Tags
− Many Rule Engines & Customization Options
− Fast Re-Evaluation
− Manual and Scan-Based Updates
Hierarchical Tags
− Allow for Inheritance in Security
− Allows Easy Roll-Up Grouping
− Works in all Modules (Reporting, etc…)
Security-by-Tag
− Allow Access Based on one or More Tags
− Dynamic & Static Security, Easier Maintenance
8. Roadmap Summary
Columns on the slide: H1 2011 / H2 2011 / 2012+. Items within one line below are listed left to right as they appear in those columns.
Analyze (VM, WAS, MAL):
• WAS 2.0 beta; WAS 2.0 GA
• VM on new platform
• MAL 1.0 GA; PC on new platform
• New discovery wizard
• Exploit integrations ✓; Reporting enhancements
• New ticketing integration
• Template library ✓; Web app fingerprinting
Compliance (POL, FDCC, PCI, Seal):
• Secure Seal GA; POL on new platform
• Compliance Manager beta
• PCI ASV 1.2 support ✓; UCF support
• Policy locking; IT GRC Integrations
Protect (WAF, IDS):
• WAF beta
• IDS Signatures beta
Platform:
• New scheduler (JobD); vScanner for Amazon; vScanner for Data Center
• CyberArk auth records ✓; vScanner for Consultant; Scheduled reporting
• VeriSign VIP 2-factor ✓; New remediation engine; Dynamic asset tagging
9. Qualys + Cyber-Ark PIM Integration
Cyber-Ark Privileged Identity Management for QG authenticated scanning
− Uses the Cyber-Ark Password Vault (local encrypted credentials storage)
Very easy to implement
− 1-day project including the Cyber-Ark implementation
− References: Rabobank, Discover, CNB
Very low costs of integration
− Zero cost for existing Cyber-Ark customers
− Special discount for Qualys customers
10. VeriSign VIP Two-factor Authentication
1) Download the free software token (supported phones: https://vipmobile.verisign.com/supportedphones.v)
2) Edit user settings in QG
3) Login with VeriSign VIP
11. Virtualization Roadmap
Purpose: develop software-based scanner appliances which run under virtualization engines (VMware, Xen, Hyper-V)
Multiple versions:
− Consultant & Express: based on VMware Workstation/Player, to be run on laptops and SMB servers
− Enterprise versions: intended for data centers, integrated with centralized management systems such as VMware vSphere, Xen, Hyper-V
− Amazon EC2 version: intended for scanning EC2 targets
− Amazon VPC version: intended for scanning VPC targets
15. Malware Knowledgebase
Information added on Malware Code Availability
Resources used:
Trend Micro Malware Knowledgebase
Other malware resources coming…
16. 3 Solution categories
Solution description categories:
− Vendor Patch available
− Workaround available
− Virtual Patch available (Trend Micro Deep Inspection signatures; other IDS/IPS vendors coming…)
17. VM Report Templates
Map Reports:
− Map Result (list / graphical map)
− Unknown Device Report
Asset Reports:
− Assets for selected OS / SW / Port / Service
− Assets at risk of Malware v.1
− Assets at risk of Exploits v.1
− Assets with Obsolete Software v.1
− Virtually Patchable Assets v.1
Scan Reports:
− Scan Result (full technical report)
− Executive Scan Report
− Technical Scan Report
− High Severity Report
− Payment Card Industry Executive Report
− Payment Card Industry Technical Report
− Vulnerability ScoreCard Reports
Remediation Reports:
− Tickets per Asset Group / Business Unit
− Tickets per User
− Tickets per Vulnerability
− Executive Remediation Report
− Patchable High-priority Vulnerabilities v.1
− Disabled/Ignored Vulnerabilities v.1
− Remediated Vulnerabilities Last 30 Days v.1
− Qualys Patch Report per IP / Asset Group / BU
− Critical Patches Required v.1
Tickets ScoreCard Reports:
− The Most Prevalent Vulnerabilities Report
− The Most Vulnerable Hosts
Additional Qualys Reports:
− Qualys TOP 20 Benchmark report
− SANS TOP 20 Benchmark report
− Authentication Verification Report
18. Asset Tagging
Organize assets via multiple hierarchies
− By technology (Windows, Unix)
− By business unit (Consumer Products, Commercial, etc.)
− By business processes (Accounting, Controlling, Clearing, …)
Assets can have multiple tags
− 10.1.1.1 is “NY SOC”, “Unix Servers”, and “Finance Servers”,
Accounting process, Controlling process, …
Both static and dynamic tags
− Rules-based engine for assigning tags on attributes
User access is defined by tags
− Permissions can be grouped into user-defined Roles
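How the pieces on this slide and on the earlier "Tag-Based Organization & Security" slide fit together, shown as an added Python example (this is illustrative code, not Qualys code): rules assign dynamic tags from asset attributes and are re-evaluated whenever the attributes change, a parent/child tag hierarchy gives roll-up grouping and inherited access, and a user's visibility is the set of assets carrying one of the user's tags or a descendant of it. The inventory, rule set, hierarchy and tag names are constructed for the example.

```python
"""Tag-based asset organization and security-by-tag (added example, not Qualys code).

Dynamic tags come from rules over asset attributes, static tags are assigned by
hand, and a tag hierarchy lets a grant on a parent tag cover every child tag.
All assets, rules and hierarchy entries are constructed for illustration.
"""
from dataclasses import dataclass, field
import ipaddress
import re


@dataclass
class Asset:
    ip: str
    os: str
    open_ports: set
    static_tags: set = field(default_factory=set)
    tags: set = field(default_factory=set)


# Hierarchy: child tag -> parent tag. Access granted on a parent is inherited by
# every asset carrying one of its descendants (constructed example hierarchy).
HIERARCHY = {
    "Unix Servers": "Servers",
    "Windows Servers": "Servers",
    "NY SOC": "US Offices",
    "Finance Servers": "Finance",
}

# Dynamic tag rules: (tag, predicate over an Asset). Re-run after every scan or
# manual attribute update, so tags follow the asset's current state.
RULES = [
    ("Unix Servers", lambda a: re.match(r"(Linux|Solaris|AIX|FreeBSD)", a.os) is not None),
    ("Windows Servers", lambda a: a.os.startswith("Windows")),
    ("Web Facing", lambda a: bool(a.open_ports & {80, 443})),
    ("NY SOC", lambda a: ipaddress.ip_address(a.ip) in ipaddress.ip_network("10.1.1.0/24")),
]


def evaluate_tags(asset):
    """Recompute the asset's dynamic tags from RULES; static tags are kept as-is."""
    dynamic = {tag for tag, pred in RULES if pred(asset)}
    asset.tags = asset.static_tags | dynamic
    return asset.tags


def expand(tags):
    """Return the tags plus all their ancestors (used for roll-up and inherited grants)."""
    out = set()
    for t in tags:
        while t is not None:
            out.add(t)
            t = HIERARCHY.get(t)
    return out


def can_access(user_tags, asset):
    """Security-by-tag: the user may see the asset if any granted tag is one of the
    asset's tags or an ancestor of one of them."""
    return bool(set(user_tags) & expand(asset.tags))


def visible_assets(user_tags, assets):
    """IPs of the assets a user holding user_tags is allowed to see."""
    return [a.ip for a in assets if can_access(user_tags, a)]


def rollup(assets, tag):
    """Number of assets under a tag, counting every descendant tag as well."""
    return sum(1 for a in assets if tag in expand(a.tags))


# Constructed inventory; 10.1.1.1 mirrors the slide's example of a host that is
# "NY SOC", "Unix Servers" and "Finance Servers" at the same time.
INVENTORY = [
    Asset("10.1.1.1", "Linux 2.6", {22, 443}, static_tags={"Finance Servers"}),
    Asset("10.1.1.7", "Windows Server 2008", {3389}),
    Asset("10.2.0.5", "Solaris 10", {22}),
]
for _asset in INVENTORY:
    evaluate_tags(_asset)

if __name__ == "__main__":
    for _asset in INVENTORY:
        print(_asset.ip, sorted(_asset.tags))
    print("Finance role sees:", visible_assets(["Finance"], INVENTORY))
    print("Servers roll-up:", rollup(INVENTORY, "Servers"))
```

A grant on "Servers" reaches all three hosts through "Unix Servers" and "Windows Servers", while a grant on "Finance" reaches only the host carrying the static "Finance Servers" tag; changing an asset's OS and calling evaluate_tags again moves it between the platform tags without any manual re-assignment.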
21. POL Report Templates
Policy Compliance Reports
Summary Compliance report with trends
Technical Compliance report with control description and evidence
Compliance status by Hosts (Pass / Fail / Exceptions / All)
Compliance status by Policy and Controls (Pass / Fail / Exceptions / All)
Individual Policy & Control status over company
Individual Host compliance status
Other Compliance Reports
Authentication Verification Report
Payment Card Industry Executive Report
Payment Card Industry Technical Report
24. QG PCI Compliance Workflow
Qualys provides the full ASV service:
Network mapping & Vulnerability scanning attestation
ASV Scan Final Certification report (Executive and Technical)
PCI Self Assessment Questionnaire
ASV insurance
ASV support
25. QualysGuard PCI
2011 Roadmap
PCI 5.4
− PCI Mobile app (iPhone, iPad, Android)
− Consolidated Action Plan Updates
PCI 5.x
− User Roles / Permissions
− Scan Progress Indicator
− General Comments in Certified Reports
COMPANY CONFIDENTIAL
28. Roadmap 2011
Cross-Site Request Forgery (CSRF) detection
− Identify forms with a security context
Improved crawling capabilities
− XmlHttpRequest object and "AJAX" to better handle asynchronous
requests and DOM updates
− Web service interfaces
Cross-Site Scripting (XSS) improvements
− Better analysis of "DOM verification failed" results
Improved reporting
− Click paths to reproduce vulnerabilities
− Screenshots of landing pages, vulnerabilities
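What "identify forms with a security context" can look like in practice, as an added Python example (illustrative code, not QualysGuard WAS code): forms are collected from a page, a form counts as security-relevant if it submits with POST or its action or field names look state-changing, and such a form is flagged unless it carries a hidden field whose name looks like an anti-CSRF token and whose value is long and random-looking. The sample page, the name patterns and the entropy threshold are constructed assumptions for this example.

```python
"""Flag forms with a security context that lack a usable anti-CSRF token.

Added example, not WAS code. Heuristics (all assumptions for this example):
- security context: method POST, or action/field names matching SENSITIVE;
- usable token: a hidden input whose name matches TOKEN_NAME and whose value is
  at least 16 characters with Shannon entropy >= 3 bits/char.
"""
from html.parser import HTMLParser
import math
import re

TOKEN_NAME = re.compile(r"(csrf|xsrf|_token|authenticity|nonce|antiforgery)", re.I)
SENSITIVE = re.compile(r"(password|passwd|transfer|delete|email|admin|payment|account)", re.I)


def shannon_entropy(s):
    """Bits per character; constants like '1' or 'true' score far below real tokens."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_token(value):
    return len(value) >= 16 and shannon_entropy(value) >= 3.0


class FormCollector(HTMLParser):
    """Collects every <form> with its method, action and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action", ""),
                            "method": a.get("method", "get").lower(),
                            "fields": []}
        elif tag == "input" and self.current is not None:
            self.current["fields"].append(
                (a.get("type", "text").lower(), a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            self.forms.append(self.current)
            self.current = None


def has_security_context(form):
    if form["method"] == "post":
        return True
    names = form["action"] + " " + " ".join(n for _, n, _ in form["fields"])
    return SENSITIVE.search(names) is not None


def has_csrf_token(form):
    return any(t == "hidden" and TOKEN_NAME.search(n) and looks_like_token(v)
               for t, n, v in form["fields"])


def find_csrf_candidates(html):
    """Actions of forms that have a security context but no usable token."""
    p = FormCollector()
    p.feed(html)
    return [f["action"] for f in p.forms
            if has_security_context(f) and not has_csrf_token(f)]


# Constructed sample page: a harmless search form, a password change without a
# token, a transfer form with a constant "token", and a correctly protected form.
SAMPLE = """
<form action="/search" method="get"><input name="q"></form>
<form action="/account/password" method="post">
  <input type="password" name="new_password">
</form>
<form action="/transfer" method="post">
  <input type="hidden" name="csrf_token" value="1">
  <input name="amount">
</form>
<form action="/profile" method="post">
  <input type="hidden" name="_token" value="f3a9c1e7b2d84056a7e1c9d3b5f60e12">
  <input name="display_name">
</form>
"""

if __name__ == "__main__":
    print(find_csrf_candidates(SAMPLE))
```

The static check only says a token is absent or looks constant; confirming that the server actually validates the token still needs an active test, which is why a scanner would pair this with a replay of the request without the token.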
29. QualysGuard WAS 2.0 Application
New User Interface
New interface style – new platform technology
− Clarity for WAS interactions
− New functions:
Web Application Dashboard
Web Application Catalog
Web Application View
Enhanced user experience
− Interactive views to meet user expectations
− Direct access to meaningful information
− New Wizards to guide application creation & management
30. QualysGuard WAS 2.0 Application
WAS Dashboard
Dedicated dashboard for WAS application
− Offers graph, chart and grid widgets for all WAS data points
− Provides direct and global overview of Web Application inventory
− Modular architecture allows seamless introduction of new widgets
31. QualysGuard WAS 2.0 Application
Web Application Catalog
Web Application Discovery and Management
− Automatically discover web applications, using existing VM scan and map results
− Management workflows guide users to gather additional information and comments and
associate them with the web application
32. QualysGuard WAS 2.0 Application
Web Application View
Web application full overview
− Web application summary and current security exposure
− Web application current vulnerabilities, sensitive contents and information gathered
− Associated scan results and schedules
All web application workflows directly available
− Edit Settings
− Launch Scan
− Schedule scan…
33. QualysGuard WAS 2.0 Application
Enhanced scan results
Interactive scan results
− Vulnerabilities, Sensitive Contents and Information Gathered can be dynamically
searched and filtered
− Better user experience: long result sets are searched and filtered instead of scrolled through
34. QualysGuard WAS 2.0 Application
New Features & Enhancements
Management
− User-Defined Password Bruteforcing Lists
− Full-text search in all datalists
Scan Workflows
− Relaunch scan workflow
− Include vulnerability count in scan summary emails
Scan Results
− Authentication status available immediately
− Integration of OWASP, WASC and CWE IDs
− Highlight proof in scan results
36. QualysGuard Malware Detection
Introducing
New FREE Malware Detection Service
- Daily scans that provide immediate insight into malware issues
- Automated alerts
- Identifying the malicious code snippets for quick and easy removal of the malware
37. QualysGuard Malware Detection
Static and Behavioral Detection
Two-pronged approach for detecting malware:
- Static Analysis – using a “signature-based” approach, the
service identifies potential source code that is typically used in
malicious attacks.
- Behavioral Analysis – the service visits the web site with a
vulnerable browser and operating system and runs tests to
determine if the web site behaves outside of normal operating
guidelines.
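The static half of that approach, as an added Python example (illustrative code, not the Qualys Malware Detection service): a small set of named signatures for code commonly injected into compromised pages (zero-size or hidden iframes, eval(unescape(...)) decoders, document.write of script tags) is matched line by line against the HTML a site serves, and each hit is reported with its line number and the offending snippet so it can be removed. The signature set and both sample pages are constructed for this example; a production service maintains a far larger, vendor-fed set.

```python
"""Signature-based static scan of a web page for injected malicious code.

Added example, not Qualys code. SIGNATURES is a constructed, illustrative set;
the two sample pages are constructed as well.
"""
import re

SIGNATURES = [
    # iframe with width or height set to 0: invisible drive-by loader
    ("hidden-iframe",
     re.compile(r"<iframe[^>]*(width|height)\s*=\s*[\"']?0[\"']?[^>]*>", re.I)),
    # iframe hidden via CSS or pushed far off-screen
    ("offscreen-iframe",
     re.compile(r"<iframe[^>]*style\s*=\s*[\"'][^\"']*"
                r"(visibility\s*:\s*hidden|display\s*:\s*none|left\s*:\s*-\d{3,})", re.I)),
    # classic obfuscation wrapper: eval(unescape('%..'))
    ("eval-unescape", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    # char-code decoders used to hide URLs and script bodies
    ("fromcharcode-decoder", re.compile(r"String\.fromCharCode\s*\(", re.I)),
    # script tag assembled at runtime
    ("document-write-script", re.compile(r"document\.write\s*\(\s*[\"']\s*<script", re.I)),
]


def scan_page(html):
    """Return (signature, line_number, snippet) for every match in the page."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for name, pattern in SIGNATURES:
            for m in pattern.finditer(line):
                findings.append((name, lineno, m.group(0)[:80]))
    return findings


def infected(html):
    return bool(scan_page(html))


# Constructed clean page: a normal, visible iframe and an external script.
SAMPLE_CLEAN = """<html><body>
<h1>Shop</h1>
<iframe src="https://maps.example.com/embed" width="400" height="300"></iframe>
<script src="/js/app.js"></script>
</body></html>"""

# Constructed infected page: zero-size hidden iframe plus an eval/unescape blob.
SAMPLE_INFECTED = """<html><body>
<h1>Shop</h1>
<iframe src="http://bad.example/x.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>
</body></html>"""

if __name__ == "__main__":
    for name, lineno, snippet in scan_page(SAMPLE_INFECTED):
        print(f"{name} at line {lineno}: {snippet}")
```

Signatures such as String.fromCharCode also occur in legitimate minified code, which is exactly why the slide pairs static matching with behavioral analysis in a real browser: a static hit is a lead for review and removal, not proof of infection on its own.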
39. QualysGuard Malware Detection
Pricing and Availability
Pricing
FREE for ALL (up to 10 domains per user account)
Availability
Available today in Beta:
http://www.qualys.com/STOPMALWARE
41. Qualys GO SECURE Service and Seal
Introducing
42. Qualys GO SECURE Service and Seal
Types of Scans
① Malware Detection (Daily)
Detects malicious software that could be hosted by the web site and infect
visitors
② Perimeter Scanning (Weekly)
Identifies externally facing vulnerabilities of the web server that could give
attackers access to information stored on the host
③ Web Application Scanning (Weekly)
Crawls and injects HTTP requests to the web application to identify
vulnerabilities such as SQL injection and Cross-Site Scripting (XSS)
④ SSL Certificate Validation (Weekly)
Verifies the web site is using an up-to-date SSL certificate from a trusted
certificate authority (CA) for encryption of sensitive information during online
transactions
43. Qualys GO SECURE Service and Seal
Review and Remediation of Malware & Vulns
44. Qualys GO SECURE Service and Seal
Qualys SECURE Seal – How It Works
Merchant adds the SECURE seal code to their web site to display the seal to visitors.
Remediation and Removal
- Merchant schedules the scans to run automatically on the web site on a recurring basis (daily for malware, weekly for vulnerabilities and SSL certificate validation)
- Merchant is notified once malware or vulnerabilities are identified, or the SSL certificate is no longer valid
- Merchant resolves the malware/vulnerabilities found in order to keep showing the seal to customers
- Seal is removed within 72 hrs if malware or a critical vulnerability is identified
- Merchant can fix and rescan to revalidate the seal at any time
45. Qualys Freemium Services
More than just “free” services …
freescan.qualys.com
www.qualys.com/stopmalware
www.ssllabs.com
https://browsercheck.qualys.com
https://community.qualys.com/docs/DOC-1351