Qualys Introduces Groundbreaking Solution to Manage First-Party Software Risks

Qualys Announces Opening of Risk Management Platform to AppSec Teams to Assess and Remediate First-Party Software Risks

Risk in First-Party Software

In the digital transformation era, organizations rely heavily on their own software to run their businesses. However, this first-party software often lacks the disciplined vulnerability and configuration management practices used for third-party software, making it susceptible to security risks. Studies show that over 90% of first-party software includes open source components, and more than 40% contain high risks such as exploitable vulnerabilities. Current security practices, including manual checks and siloed scripts, fall short in evaluating the security of first-party software, impeding effective risk assessment and remediation. Traditional vulnerability assessment or software composition analysis tools also fail to detect the presence of embedded open source packages across the production environment. This poses challenges for security teams in comprehending the true risk and prioritizing remediation efforts, especially in the wake of security breaches like the Log4J incident.

The Role of Qualys

To address these challenges, Qualys, Inc., a provider of cloud-based IT, security, and compliance solutions, has announced the opening of its risk management platform to application security (AppSec) teams. This allows them to bring their own detections and remediation scripts, developed in popular languages such as PowerShell and Python, to the Qualys Vulnerability Management, Detection and Response (VMDR) platform. These scripts, called Qualys IDs (QIDs), are executed securely by the Qualys Cloud Agent and integrated into the same workflow and reporting used for third-party software findings. The new solution, called Qualys TruRisk, enables application and security teams to use their own detections to assess critical vulnerabilities, identify sensitive content, assess application status, and mitigate risks associated with both first- and third-party sources.

Benefits of Qualys's Solution

The capabilities offered by Qualys's TruRisk platform provide several benefits for organizations:

  • Easily Build Your Own Signatures: Teams can create Qualys Detections (QIDs) and remediations based on their own logic or scripts, using major scripting languages such as Python and PowerShell. These detections integrate directly into the VMDR workflows and TruRisk scoring, enabling SecOps teams to unify and manage risk across first- and third-party applications in their environment.
  • Proactively Detect, Manage and Reduce Supply Chain Risks: The Qualys Cloud Agent offers continuous, real-time visibility into deeply embedded open source software packages, including high-profile ones such as Log4J and OpenSSL. Qualys TruRisk prioritizes and correlates this information based on data from over 25 threat feeds and the asset's business criticality. As a result, security teams can rapidly mitigate the risk of high-profile security issues such as zero-day threats and Log4J outbreaks by crafting custom detections and responses.
  • Effectively Communicate Risk with Unified Reporting and Dashboarding: The integration of Qualys TruRisk with VMDR workflows allows a unified view of risk in first- and third-party software to be communicated to the right stakeholders through real-time dashboards and reports. Integration with ticketing systems such as ServiceNow and JIRA ensures that detailed remediation tickets are automatically assigned to the appropriate owners, providing a common view that helps close tickets quickly and reduce risk.

Expert Opinion and Industry Impact

Gabriel Julián Carrera, CISO at OSDE, expressed his excitement about Qualys's offering, stating that it eliminates the fragmented approach of using independent scripts to assess unique homegrown solutions. He believes that Qualys's solution will save time and help organizations stay ahead of potential attackers. Sumedh Thakar, President and CEO of Qualys, emphasized that first-party applications often lack adequate risk detection, prioritization, and remediation support from scanning tools. Qualys's capabilities, according to Thakar, enable organizations to identify and analyze both first-party and third-party software risks to develop an overall TruRisk score, providing a comprehensive view of an organization's overall risk.

Recommendations and Conclusion

The announcement by Qualys marks a significant step in addressing the security risks associated with first-party software. Organizations should consider using the Qualys TruRisk platform to assess and remediate these risks effectively. By bringing their own detections and remediation scripts, AppSec teams can unify the management of risk across first- and third-party applications, gaining real-time visibility and prioritizing mitigation efforts. The integration of Qualys TruRisk with VMDR workflows and ticketing systems enables efficient communication and collaboration among stakeholders, helping close tickets and reduce overall risk. Overall, organizations should prioritize implementing robust risk management practices for first-party software to ensure the security and integrity of their digital ecosystems.
