What to expect from Qualys QSC 2022

After an insightful first year in 2021, the Computer Weekly Developer Network team is headed back for second helpings at Qualys QSC 2022.

Even with a solid focus on security issues (obviously, because Qualys is known for its work in this space), QSC is never billed as a security tech event as such.

Indeed, the bulk of last year’s editorial emanating from this show was focused on key facilitating aspects of cloud computing including Infrastructure-as-Code (IaC). This event encompasses a broad church of interests, from endpoints to edge, containers and cloud.

After all, Qualys refers to itself as a ‘provider of disruptive cloud-based IT security and compliance solutions’… not as a provider of security provisioning services.

The event itself will feature content directed at security professionals (from director to manager to engineer) and also at networking professionals, cloud management specialists and CEOs, CIOs, CTOs and CISOs… but also at DevOps practitioners and all strains of software application development programmers and architects.

Post-Covid comforts?

With last year’s event very carefully staged in light of the Covid-19 infection rate and state of world health at the time, if we are to enjoy any post-Covid (yes we know it’s still with us) comforts, then perhaps this year’s event will feature a few more (sanitized) hands-on lab sessions for the engineering-grade attendees who do make it to the show.

At Qualys QSC, staged from 7-9 November in Las Vegas, CEO Sumedh Thakar will no doubt continue his firm’s mission to ‘innovate relentlessly’ (sounds painful, but it’s not if you get it right). In practice, that should mean providing software security and systems management professionals and the whole gamut of individuals now in cloud engineering roles with a chance to meet with Qualys product experts as they come together to celebrate and learn.

Looking at the training schedule, the topics of low-code workflows and analytics will be important for the year ahead, while DevOps professionals can get into cloud misconfigurations and how to stop them, as well as container runtime security analysis.

Let’s remember, this is what Qualys likes to call the drive to stay ahead of ‘bad actors’.

CEO Thakar last year reminded us that we live in an era when the ‘quantity and impact’ of cyber-attacks are rising. As such, he wants attendees to come to the event and think about rewriting their cybersecurity playbook for the new era.

Qualys will no doubt focus on how it works with customers to deliver critical ransomware risk exposures and drive prioritised remediation workflows.

The company’s Cybersecurity Asset Management (CSAM) technology joined the Qualys Cloud Platform last year. In 2022 we have seen the company talk about some new product functionalities.

Looking at some of the recent news that Qualys will seek to showcase at this year’s show, we can see that the company used its presence at the Black Hat conference this year to explain how Qualys Cloud Platform powers a range of solutions, unifying organisations’ security playbooks through managing assets and vulnerabilities, automating remediation and taking a context-driven approach to detecting and responding to malicious attacks.

Alongside the product launches, the Qualys Research Team has been busy finding issues in common open source tools. This led to two PWNIE Award nominations at Black Hat for cutting-edge research, discovery and responsible disclosure of new and critical vulnerabilities: PWNKIT and Oh Snap! More Lemmings. We expect more interesting discoveries out of this team over time.

Let’s ask an analyst to put this in context. “Cyber risk is becoming part of the business risk equation. Even the most advanced organisations can’t patch all the threats they uncover, which increasingly includes poorly misconfigured services,” said Michelle Abraham, research director at IDC. “Organisations must prioritise efforts that result in the maximum reduction of risk. Qualys’s approach to cyber risk management considers multiple factors like vulnerabilities and misconfigured systems, so organisations can focus on fixes that reduce their overall risk.”

At the event, then, we expect to hear more about the building blocks that developers use to build applications, and how those blocks can be put together in more secure ways. At the same time, this all has to be easy for developers to put into practice.

When it comes to preventing problems, this has to cover everything from mistakes around what containers you use and what is included in them through to not including credentials or other secrets in your cloud infrastructure set-ups.

Disclosure doubling

The doubling of disclosed vulnerabilities over the last five years, the speed at which vulnerabilities are weaponised, and the cyber talent shortage, have left teams struggling to wade through a mountain of vulnerabilities with no way to fix them all.

Security and IT teams need a new systematic approach to cut through the noise and prioritise how they will go about fixing the most critical vulnerabilities… this event will aim to provide answers to those technology professionals dreaming on the road to the zero-touch patching Nirvana that they know they want to get to.