Tag Archives: Qualys

Asset Inventory for Internal Network: problems with Active Scanning and advantages of Splunk

8 Replies

Asset Inventory for Internal Network: problems with Active Scanning and advantages of Splunk. In the previous post, I was writing about Asset Inventory and Vulnerability Scanning on the Network Perimeter. Now it’s time to write about the Internal Network.

Typical IT-infrastructure of a large organization

I see a typical IT-infrastructure of a large organization as monstrous favela, like Kowloon Walled City in Hong Kong. At the beginning it was probably wisely designed, but for years it  was highly effected by spontaneous development processes in various projects as well as multiple acquisitions. And now very few people in the organization really understand how it all works and who owns each peace.

There is a common belief that we can use Active Network Scanning for Asset Inventory in the organization. Currently, I’m not a big fan of this approach, and I will try to explain here the disadvantages of this method and mention some alternatives.

Continue reading

Qualys Security Conference Virtual 2018. New Agents, Patch Management and Free Services

2 Replies

Qualys Security Conference Virtual 2018. New Agents, Patch Management and Free Services. Today I attended a very interesting online event – Qualys Security Conference Virtual 2018. It consisted of 11 webinars, began at 18:00 and will end at 03:45 Moscow time. Not the most convenient timing for Russia, but it was worth it. 🙂

Qualys Security Conference 2018

Last time I was at offline QSC event in 2016, so for me it was especially interesting to learn about the new features of Qualys platform.

Continue reading

PHDays8: Digital Bet and thousands tons of verbal ore

3 Replies

PHDays8: Digital Bet and thousands tons of verbal ore. It’s time to write about Positive Hack Days 8: Digital Bet conference, which was held May 15-16 at the Moscow World Trade Center. It was the main Russian Information Security event of the first half of 2018. More than 4 thousand people attended! More than 50 reports, master classes and round tables held in 7 parallel streams. And, of course, impressive CTF contest for security experts and hackers with an fully-functioning model of the city.

Hack Days 8: Digital Bet

I was very pleased that there was a separate section dedicated to Vulnerability Management. Something similar happened only at ISACA meetup last year. But here we had an event for several thousand people!

The session was held in Fast Track format: 20 minutes for the presentation and questions. I was the first to speak. My report was called “Vulnerability Databases: sifting thousands tons of verbal ore”. Here is the video:

And here’s a link to the version with only Russian sound track.

Continue reading

A few words about Gartner’s “Magic Quadrant for Application Security Testing” 2018

Leave a reply

A few words about Gartner’s “Magic Quadrant for Application Security Testing” 2018. February and March are the hot months for marketing reports. I already wrote about IDC and Forrester reports about Vulnerability Management-related markets. And this Monday, March 19, Gartner released new “Magic Quadrant for Application Security Testing”. You can buy it on the official website for $ 1,995.00 USD or download it for free from the vendor’s sites. For example, Synopsys or Positive Technologies. Thank you, dear vendors, for this opportunity!

I’m not an expert in Application Security. I am more in Device Vulnerability Assessment (IDC term) or Vulnerability Management. However, these field are related. And well-known Vulnerability Management vendors often have products or functionality for Web Application scanning and Source Code analysis as well. Just see Qualys, Rapid7 and Positive Technologies at the picture!

Gartner AST MQ 2018

I have already mentioned in previous posts that grouping products in marketing niches is rather mysterious process for me. For example, Gartner AST niche is for SAST, DAST and IAST products:

  • SAST is for source code or binary analysis
  • DAST is basically a black box scanning of deployed applications. it can be also called WAS (Web Application Scanning)
  • IAST is a kind of analysis that requires agent in the test runtime environment. Imho, this thing is still a pretty exotic.

As you can see, these are very different areas. But, the market is the same – AST.

Continue reading

My short review of “The Forrester Wave: Vulnerability Risk Management, Q1 2018”

5 Replies

My short review of “The Forrester Wave: Vulnerability Risk Management, Q1 2018”. Last week, March 14, Forrester presented new report about Vulnerability Risk Management (VRM) market. You can purchase it on official site for $2495 USD or get a free reprint on Rapid7 site. Thanks, Rapid7! I’ve read it and what to share my impressions.

Forrester VRM report2018

I was most surprised by the leaders of the “wave”. Ok, Rapid7 and Qualys, but BeyondTrust and NopSec? That’s unusual. As well as seeing Tenable out of the leaders. 🙂

The second thing is the set of products. We can see there traditional Vulnerability Management/Scanners vendors, vendors that make offline analysis of configuration files and vendors who analyse imported raw vulnerability scan data. I’m other words, it’s barely comparable products and vendors.

Continue reading

My short review of “IDC Worldwide Security and Vulnerability Management Market Shares 2016”

2 Replies

My short review of “IDC Worldwide Security and Vulnerability Management Market Shares 2016”. On February 12 IDC published new report about Security and Vulnerability Management market. You can buy it on the official website for $4500. Or you can simply download free extract on Qualys website (Thanks, Qualys!). I’ve read it and now I want to share my impressions.

IDC Worldwide Security and Vulnerability Management Market Shares 2016

I think it’s better start reading this report from the end, from “MARKET DEFINITION” section. First of all, IDC believe that there is a “Security and Vulnerability Management” (SVM) market. It consists of two separate “symbiotic markets”: security management and vulnerability assessment (VA).

Continue reading

Kenna Security: Analyzing Vulnerability Scan data

6 Replies

Kenna Security: Analyzing Vulnerability Scan data. I’ve been following Kenna Security (before 2015 Risk I/O) for a pretty long time. Mainly, because they do the things I do on a daily basis: analyse various vulnerability scan results and feeds, and prioritize detected vulnerabilities for further mitigation. The only difference is that my scripts and reports are highly specific for my employer’s infrastructure and needs. And guys from Kenna team make a standardized scalable cloud solution that should be suitable for everyone.

I think their niche is really great. They do not compete directly with Vulnerability Management vendors. They can be partners with any of them, bringing additional features to the customers. Perfect win-win combination. That’s why Kenna speakers regularly participate in joint webinars with VM vendors.

I couldn’t lose a great opportunity to see Kenna Security service in action. 😉

In this post I will try to make a very brief review of Kenna functionality and formulate pros and cons of the solution.

When you submit trial request at https://www.eu.kennasecurity.com/signup (or https://app.kennasecurity.com/signup if you are not in Europe) you will get a link to your company account:

https://corporation.eu.kennasecurity.com/

The login screen will look like this:

Kenna login

Continue reading