2023-08-03

Qualys, the risk management solutions provider, has unveiled a solution aimed at AppSec teams that specifically addresses the risks associated with first-party software and the open-source components embedded in it. The new offering builds on the existing Qualys risk-management platform and promises to make vulnerability assessment of such software a less daunting task for organizations.

With the advent of the digital transformation age, most companies have resorted to developing their own software to support their operations. More often than not, however, such first-party software lacks the disciplined vulnerability and configuration management that is typically a staple of third-party alternatives. This is the gap Qualys seeks to fill.

According to Qualys statistics, over 90% of first-party software bundles open-source components, and a whopping 40% carries high-risk factors, including exploitable weaknesses. As a result, organizations currently rely on manual checks or disconnected scripts to assess the security of their first-party software. That process is naturally arduous and undermines the effective prioritization and remediation of risks.

Conventional vulnerability assessment methodologies and software composition analysis tools are not equipped to effectively identify the open-source packages embedded across the production environment. Consequently, security teams struggle to understand the magnitude of the actual risk, especially during security incidents on the scale of the Log4J event. The solution proposed by Qualys aims to close this substantial gap and to provide better visibility into, and control over, the risks associated with first-party software.

In expressing his company's views on security concerns regarding first-party software, Gabriel Julián Carrera, CISO at OSED, shared, “We’ve often had to contend with situations where our security needs surpassed the capabilities of off-the-shelf software. As a result, we had to resort to independent scripts to achieve the assessments our proprietary solutions required. The Qualys offering eliminates this fragmented approach and integrates proprietary assessments and commercial tools into the unified Qualys TruRisk Platform, thereby saving time and keeping us one step ahead of potential attackers.”

The new Qualys platform houses notable capabilities. Teams can now create Qualys detections (QIDs) and remedies based on bespoke logic or scripts written in major scripting languages such as Python and PowerShell, among others. Other features include real-time visibility into deeply embedded open-source software packages, such as Log4J and OpenSSL, and into commercial software components, leveraging the Qualys Cloud Agent.