New security risk detection feature in cloud resource configurations
Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading security provider of cloud-based IT, security and compliance solutions, announces that it is expanding its CloudView app with Infrastructure as Code (IaC) scans. This enables the detection and correction of misconfigurations at an early stage of the development cycle and thus eliminates risks in the production environment.
As explained in the (ISC)2 Cloud Security Report 2021, the biggest danger for security experts in public clouds is the incorrect configuration of resources. Misconfigurations are often only discovered after deployment, which gives companies a much larger attack surface and makes them more vulnerable to attacks. Companies are increasingly using IaC to implement cloud-native applications and deploy their cloud infrastructure. It is therefore important to take security aspects into account as early as possible, so that misconfigurations are detected and corrected while they are still in IaC templates. Detecting security issues earlier in the development cycle accelerates the secure deployment of applications and promotes better collaboration between DevOps and security teams. More importantly, it enforces better security policies in the production environment.
“Security and risk management executives managing the security of cloud infrastructure should create secure environments to facilitate developer innovation by integrating intelligent security tools into the deployment pipelines (e.g. infrastructure-as-code [IaC] scanning) to detect risks at an early stage and warn of unsafe workloads before they are deployed.” Gartner®, Cool Vendors™ in Cloud Security Posture Management, Tom Croll, Neil MacDonald, Mark Wah, Prateek Bhajanka, June 9, 2021.
Qualys CloudView enables complete transparency and security control of public cloud workloads and now evaluates IaC templates for misconfigurations. IaC assessments are integrated into the software development cycle to ensure that only code that meets the company’s security standards is deployed. Qualys’ cloud platform approach provides complete visibility by merging runtime and build-time posture, as well as the drift between the two, into a single view.
The new functions provide companies with:
Assessment of the security situation in the entire CI/CD pipeline
Companies can now assess the security situation at an earlier stage in the development cycle and thus drastically reduce the security risk after deployment. CloudView IaC Security provides a command-line interface for performing a security assessment locally. To prevent deployment when misconfigurations are detected, plug-ins are also available for source code repositories (at check-in) and for CI/CD platforms.
Compliance with security best practices
CloudView IaC Security makes it easy for companies to adopt the security best practices promoted by cloud platform providers. It supports popular IaC languages such as Terraform, CloudFormation (CF) and Azure Resource Manager (ARM). In addition, configurations are tested against thousands of security best practices set by Amazon Web Services, Azure, Google Cloud Platform, and standards bodies such as the Center for Internet Security. CloudView also automatically provides remediation suggestions when a non-compliant configuration is detected.
Ensuring compliance with industry requirements
With CloudView IaC Security, companies can ensure compliance with more than 20 industry regulations such as PCI, HIPAA and NIST 800-53. This reduces the burden on DevOps security teams and ensures an optimized process for mandatory compliance audits.
“By extending CloudView with the IaC rating, Qualys is extending its Cloud Security Posture Management (CSPM) solution to handle shift-left use cases,” says Sumedh Thakar, President and CEO of Qualys. “By leveraging the Qualys Cloud platform and its integrated apps, customers can now implement security automation at all stages of their applications’ lifecycle, ensuring complete visibility into both runtime and build time through a unified dashboard.”
GARTNER and COOL VENDORS are registered trademarks and service marks of Gartner, Inc. and/or its subsidiaries in the United States and internationally and are used here with permission. All rights reserved.