Qualys on cyber challenges: still to patch is no fair match

Qualys, Inc. staged its QSC 2021 conference in Las Vegas from November 15 to 18 and the Computer Weekly Developer Network was tuned in from the ‘get-go’ to listen to what the cloud-based IT, security and compliance solutions company is tabling next.

In a slightly unusually format, Qualys president and CEO Sumedh Thakar gave way to a guest speaker for the opening session of this show.

After a session presented by Chris Krebs, former director for the Department for Homeland Security (DHS) & US Cybersecurity and Infrastructure Security Agency (CISA), Thakar took the stage to present a session entitled ‘Security Automation for the Digital Journey’.

Thakar insists that there is a pressing need for enterprises to automate specific aspects of cybersecurity and take steps to implement automation in what he calls ‘low-risk, high-reward’ situations.

Nobody on mute!

Thakar joked nicely, saying that it was refreshing to be a part of a non-Zoom meeting where none of the In Real Life (IRL) attendees actually physically in the room could claim to be ‘on mute’ during the session itself.

People talk about digital and the move to cloud like it is one thing, but it’s so much more – in total, it really includes a lot of things that all need to be accounted for and secured… and I mean everything from web applications to APIs and onwards to all the different types of SaaS environments that exist,” said Thakar.

If we think about those factors and also consider the new pressures put upon us by the move to remote working in the wake of Covid-19, Thakar asked the audience to think about the increased amount of focus that needs to be placed on remote devices and all the machines that no longer exist inside the corporate firewall.

Still to patch is no fair match

Painting a picture to describe how a real world company might function, Thakar asked us to think about a firm that might always entail working at a specific patch level – with a certain amount of updates always needing to be installed – then that kind of operational level is no longer secure enough.

We need to remember that it’s a race out there. The bad actors are trying to compromise the secure code that our enterprise software application development engineers are building… but at the same time, we are working hard to make sure that we have up to date asset inventory and tightly managed control over misconfigurations and more as we look for vulnerabilitiy detections and work to shore up threat detection intelligence,” said Thakar.

In the face of all these risks, many cyber professionals have found the time to remediate pressure so tough that many people have actually left the industry. Thakar bemoned the great cyber resignation that has played out and said that it’s time for us to think about technology and people in the same breath.

A platform-based solutions approach is needed. We’re not just talking about APIs and scripts, organisations need intelligence that will provide security automations out of the box without them having to look deeper.

Response automation situation

Thakar also talked about ‘response automation’ and the fear of breaking things.

The risk of an outage (breaking things) vs. the risk of a compromise is the calculation that organisations need to consider. If we have to kill a process and stop part of a system, we’re okay with taking that [software] ‘box’ offline once a compromise has occured and a vulnerability has been identified,” said Thakar.

With so many software vendors now releasing smaller components of software on a more continuous CI/CD basis, that further impacts the way we are architecting our software application development at a higher level. This, says the Qualys CEO has implications for the way systems are now being built.

Infrastructure-as-Code (IaC)

Qualys used its QCS 2021 event to underline a recent announcement confirming that it is adding Infrastructure as Code (IaC) scanning to its CloudView app.

This will enable detection and remediation of misconfigurations early in the development cycle, removing risk in the production environment.

Misconfigurations are often detected post-deployment, leaving companies with a much larger attack surface and more vulnerable to exploits. Increasingly, organisations are using IaC to deploy cloud-native applications and provision their cloud infrastructure.

Thus, it’s important to shift security left to identify and remediate misconfigurations at the IaC template stage. Detecting security issues earlier in the development cycle accelerates secure application delivery and fosters greater collaboration between DevOps and security teams. More importantly, it enforces better security policies in the production environment.

Using CloudView IaC Security, organisations can assure compliance with more than 20 industry mandates such as PCI, HIPAA, and NIST 800-53. This reduces the burden on the DevOps security teams and ensures a streamlined process during mandatory compliance audits.

With the addition of IaC assessment to CloudView, Qualys is extending its cloud security posture management (CSPM) solution to handle shift-left use cases,” said Thakar. “Leveraging the Qualys Cloud Platform and its integrated apps, customers can now insert security automation into all stages of their application lifecycle ensuring complete visibility into both runtime and build-time posture via a unified dashboard.”

Qualys CloudView with IaC Security is currently in beta and will be available later this year. If you would like to participate in the beta program sign up at qualys.com/iac-security-beta.

The big takeaway

If we start understanding that ‘still to patch is no fair match’ for the cyber risks that exist today, then we can create new and more secure systems that will pave the way for developers to be able to build code – with Infrastructure-as-Code foundations that is automatically checked for misconfigurations and vulnerabilities – then we can create software functionalies that are robust and potentially more effective for business (and in theory more carbon neutral as well) for the future.

Qualys CEO Thakar: Always neat on ‘gilet’ [vest] geek chic.