The new UI will make it much easier to access and navigate the various QualysGuard services, says Amer Deeba, chief marketing officer. Users will see a common interface whether the source of the data is external or internal scans, or cloud-based assets. The aim is to streamline workflow and provide a unified look and feel across the services.
A key new feature is dynamic, context-based administration according to user role and asset identity. QualysGuard features the ability to assign tags to any user or asset, from devices to applications, providing highly granular and automated role-based access control. New assets can be assigned automatically according to policy; so, for example, if a new IIS [Internet Information Services] server is added, it would be assigned to the admin(s) responsible for IIS vulnerability management. Or, a new application could be assigned to the appropriate security and/or development personnel.
Qualys says the UI will facilitate migration to the new platform for QualysGuard IT Security and Compliance SaaS Suite, which was announced at RSA in February. The UI is available in beta and is expected to reach general availability before the end of the year.
Version 2 of the Web Application Scanning Service is designed to perform rapid and highly scalable (Deeba mentions one customer with some 50,000 apps) discovery and application vulnerability scanning across an enterprise. "WAS uses the power and scalability of the cloud to discover and scan applications in an automated way," Deeba says. "It's an industrial-level tool."
WAS 2.0 uses the dynamic tagging common to the QualysGuard suite to provide information for prioritizing remediation based on factors such as asset criticality, threat level and the type of vulnerability (cross-site scripting, SQL injection, etc.), and the capabilities and workflow required to fix the flaws or put mitigating controls in place. Among those controls is integration with Web application firewalls (WAFs), so far Imperva and Qualys' own WAF.