Qualys has been chosen as one of Deloitte's 2008 Technology Fast 500, a ranking of today's fastest growing technology, media, telecommunications and life sciences companies in North America. This industry distinction comes just several weeks after the company's most recent achievement as a Deloitte Silicon Valley Fast 50 where Qualys ranked #37 by demonstrating a five-year growth rate of 492 percent from 2003-2007. The five-year growth rate criteria was also used in selecting the Fast 500 companies placing Qualys as # 307 on the expanded list of industry notables.

"Being recognized as one of the fastest growing companies in North America is an honor that we share with our customers who from the beginning believed in our Software-as-a-Service solution for IT security and compliance management," said Philippe Courtot, Qualys CEO.  "We thank Deloitte for the ranking that underscores our efforts to help organization worldwide get a clear view on their IT security and achieve compliance."

Read More

Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 2 new vulnerabilities present in Microsoft Windows. Customers can immediately audit their networks for these and other recent vulnerabilities by accessing their QualysGuard subscription.

Microsoft released on November 11, 2 security patches to fix newly discovered flaws in Microsoft Windows. The Qualys Vulnerability R&D Lab has released the following checks for these new vulnerabilities:

- Microsoft SMB Could Allow Remote Code Execution
- Microsoft XML Core Services Remote Code Execution Vulnerability

Read Alert
Listen to Podcast

Related Coverage:
Microsoft Patches Long-Known Windows Bugs, by Gregg Keizer, Computerworld
Microsoft Doles Out Two Patches for Four Flaws, by Dan Kaplan, SC Magazine
Teed Up for November: Office, Windows Fixes, by Andy Patrizio, InternetNews.com

InformationWeek discovers how IT can implement an effective vulnerability management program that works.  

For an effective vulnerability management that works -- apply risk management principles and logic relative to the business value. IT must also engage across business units to determine a company-wide security posture that is within acceptable risk tolerance levels, create operational processes that address the computing environment as a whole, and select the right technology platforms to bolster those processes.Critical steps to break the cycle of ineffectiveness:

    Step 1: Integrate Data Collection
    Step 2: Prioritize
    Step 3: Continue to Refine

Read More

InformationWeek outlines four principles to achieve ongoing vulnerability management success:

Principle 1: Focus on Output, Not Input
Tools are only a means to an end. Data collection is a fundamental requirement for vulnerability management, but providing timely, accurate, contextual reports to appropriate individuals is critical. Many organizations develop programs that generate vast amounts of data, but struggle to make it actionable and measurable.

Principle 2: Align with Business Processes
Vulnerability management process integration with and awareness of business processes is critical to understanding enterprise risk and focusing on the areas that matter most.

Principle 3: Continue to Integrate Technologies
Incorporating change and configuration technologies will increase the reliability of data, build accurate reporting, and increase overall effectiveness in lowering enterprise risk and achieving compliance objectives.

Principle 4: Leverage Measurement and Promote Visibility
Defining key performance indicators, such as an acceptable host-to-vulnerability ratio, and using measurement tools will help focus the program on activities that will have the most impact.

Read More

The Silicon Valley Technology Fast 50 Program honors the fastest growing software and information technology companies in the San Francisco Bay Area. Don McCauley, Qualys CFO Qualys accepted this honor at The Computer History Museum on October 30th.

"We are pleased to be regarded by Deloitte as one of the fastest growing software and information technology companies in Silicon Valley," said Philippe Courtot, Qualys CEO.  "We share this recognition with our customers who understand the value of Software as a Service.  It is through the customer adoption of this innovative platform that we continue to experience growth and we extend a thank you to our customers for making this achievement possible."

Read More

Nils is responsible for security, risk management and business continuity planning, including the security of the QualysGuard platform. Additionally, with his working industry knowledge, Nils will oversee Qualys' CSO Advisory board which main charter is to collaborate with other CSOs and industry leaders to offer real-world expertise in forging and implementing security and compliance best practices.

He stated: "Qualys has differentiated itself within the industry with its SaaS delivery platform and by keeping attention focused on the needs of the customer. I am looking forward to work with the Qualys team and with other CSOs in the industry to collaborate on real-life security and compliance issues and come up with best practices to address them."

Read More

"Our partnership with Tata Communications allows them to offer their global customer base a proven, scalable and cost effective solution to help these organizations improve their security and streamline compliance initiatives. We are pleased to partner with such a world class organization and look forward to working with them" said Philippe Courtot, Qualys CEO.

John Landau, Senior Vice President of Global Managed Services for Tata Communications spoke about the company's latest launch saying  - "Effectively managing vulnerabilities to best-practice levels, in-house, is an expensive and difficult undertaking for businesses of any size. Mistakes can lead to crippling service downtime, potential data corruption, and the risk of being non-compliant. Tata's vulnerability management service helps organizations wrap their arms around which critical systems need patching at a drastically reduced total cost of ownership. There is no investment in capital or special skills required. The service allows customers both large and small to offload the grinding technical and operational aspects of vulnerability management while retaining control over decision-making and the actual remediation process."

Read More

In this MarketScope report, Gartner details the challenges and tools to consider when evaluating and deploying Vulnerability Assessment technologies. MarketScope includes Gartner's vendor rating where Qualys received the highest possible rating ('Strong Positive').

Read Report

This talk will examine how the adoption of Web 2.0 and consumer technologies impact application security and how you should respond to the new requirements. Topics covered:

• Global trends and the enterprise security impact of Web 2.0 adoption, de-perimeterization, and the consumerization of corporate IT.
• Steps information security professionals can follow to strengthen application security, especially in an open and collaborative environment.
• An overall application security maturity model, and steps to create best-practices for application security.

Register

As an honoree of Information Security's Security 7 award, Michael Mucha addresses Security for the Masses highlighting his team's attention to secure collaboration and proactive investments in SaaS and other outsourcing ventures enabling focus on risks specific to the Stanford Hospital environment.

Read Essay

Hear what Qualys customers have to say about their experience with QualysGuard®.

To view the full-length interviews, visit:
http://www.qualys.com/customers/testimonials/

In a private dinner ceremony held on October 7, 2008 at the San Jose Fairmont's Club Regency, Qualys Vice President of HR, Rima Touma-Bruno was in attendance to receive the Fast 50 award.

"Being named the 36th fastest growing company in Silicon Valley is a tribute to the global adoption of our Security-as-a-Service platform and applications," said Philippe Courtot, CEO and chairman of Qualys. "We are honored that the San Jose/Silicon Valley Business Journal has recognized Qualys' growth, and in turn, highlighted the ease if use, quality, scalability and cost effectiveness that the Security-as-a-Service model uniquely provides."

Read More

QualysGuard PCI 3.0 now with a Web Application Scanning (WAS) module, combines the application's traditional compliance scanning, remediation and e-filing capabilities with automated web application scanning.  This advancement helps merchants in their efforts to effectively meet requirement 6.6 for maintaining secure web applications. Specifically, the WAS module evaluates web applications before and after deployment. This ensures that the applications are built and maintained in a secure way. Delivered via Software-as-a-Service (SaaS), the WAS module fully automates the scanning of vulnerability types within customized code and allows customers to crawl web applications, identify cross-site scripting vulnerabilities, isolate SQL injection attacks and conduct authenticated and unauthenticated scanning.

Read Press Release
Read Technical Brief

PCI DSS 1.2 represents an update to the original 12 requirements found in PCI DSS version 1.1.  The intent of the latest specification is to clarify existing requirements and provide clarification and flexibility in terms of interpretation of the standard.

• Guidance around scope of PCI DSS and elaborate on segmentation of Cardholder data environment 
• Clarification of wireless technology requirements and provide sunset date for use of WEP - All WEP implementations must be discontinued as of June 30, 2010 
• Clarification around requirement 6.6 for web application security to remove references to source code review and add use of automated assessment tools 
• Require employees that interact with cardholder data to review and accept security policy annually
• Compensating controls should now be reviewed and validated annually by a qualified assessor 
• Flexibility for incorporation of evolving technologies and threats 
• Announcement of Quality Assurance program for assessors
  

Listen to Podcast
Read Summary

Related Coverage:
Credit-Card Security Standard Issued After Much Debate, by Ellen Messmer, Network World
Payment Card Security Toughens With DSS 1.2 Release, by Jabulani Leffall, Redmond

When it comes to security, Apple isn't sitting still. Amol Sarwate, guest columnist for SC Magazine's Hot or Not column looks at some of the new features inherent in OS X 10.5 that help keep the system secure. According to Apple, these security enhancements were added to 10.5, released last fall:

• Tagging and first-run warning: Mac OS X 10.5 marks files that are downloaded to help prevent users from inadvertently running malicious downloaded applications. 
• Runtime protection: New technologies such as execute disable, library randomization, and sandboxing help prevent attacks that try to hijack or modify system software. 
• Improved firewall: After the new application firewall is activated, the firewall configures itself so that users get the benefits of firewall protection without having to understand the details of network ports and protocols.
• Mandatory access control: These enforce restrictions on access to system resources. Not even a compromised "root" user can change some settings.
• Application signing: This enables users to verify the integrity and identity of applications on the Mac. 
• Improved secure connectivity: Virtual private network (VPN) support has been enhanced to connect to more of the most popular VPN servers-without additional software.
  

Read More

The recognition also highlights Qualys as the 25th-fastest growing security company. With 323 percent sales growth over the last three years, Qualys continues to benefit from the increased adoption of its Security-as-a-Service model by large enterprises to SMBs worldwide.

Read More

The Frost & Sullivan award honors Qualys for its exceptional long-term growth strategy and credits the Company as "a crucial force in furthering the acceptance of Software-as-a-Service (SaaS) products."

"As the market shows signs of maturity, Qualys' ability to increase market share, grow at consistently high rates and retain an astoundingly high percentage of its impressive customer base solidifies its leading role in the vulnerability management market. In a million-dollar breach reality, the reliability of QualysGuard and the appeal of its SaaS delivery model sets the company apart in a very highly-competitive market," says Chris Rodriguez, research analyst with Frost & Sullivan.

Read More

Qualys Vulnerabilities Research Lab manager, Amol Sarwate, recently discussed Web application firewalls (WAF) for security and regulatory compliance in SC Magazine's Hot or Not feature.  In the feature, Amol provides considerations to ensure the proper WAF is chosen to fit an organizations specific needs. Readers are also pointed to the Open Web Application Security Project (OWASP) which provides an abundance of Web application security educational information including the top 10 most prevalent web application attacks.

Read More

Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 4 new vulnerabilities present in Microsoft Windows. Customers can immediately audit their networks for these and other recent vulnerabilities by accessing their QualysGuard subscription.

Microsoft released on September 9, 4 security patches to fix newly discovered flaws in Microsoft Windows. The Qualys Vulnerability R&D Lab has released the following checks for these new vulnerabilities, including:

- Microsoft Windows GDI+ Remote Code Execution Vulnerability
- Microsoft Windows Media Encoder 9 Remote Code Execution Vulnerability
- Microsoft Windows Media Player Remote Code Execution Vulnerability
- Microsoft Office Remote Code Execution Vulnerability

Read Alert
Listen to Podcast

Related Coverage:
Patch Tuesday Addresses Eight Critical Vulnerabilities, by Jennifer LeClaire. Newfactor.com

Independent author Tim Proffitt writes his thesis, as part of his GIAC certification requirements, on how large companies should implement a Vulnerability Assessment Program using QualysGuard. The white paper is hosted in the SANS Institute Reading Room, and provided by SANS as a resource to benefit the security community at large.

In this paper Tim Profitt provides a step-by-step guide for implementing a Vulnerability Assessment Program using QualysGuard, including background and recommendations on how to:

- Create Security Policies and Controls 
- Categorize Assets  
- Discover Assets  
- Configure Hosts and Assets 
- Configure Scan Details  
- Report on Your Results  
- Rank Your Risks and Remediate 
- Handle Verification and False Positives 
- Meet  Compliance

Read White Paper