Qualys now lets AppSec teams use its risk management platform to assess, prioritize, and remediate the risks in first-party software and the open-source components embedded in it.
In the digital transformation era, organizations develop their own software to run their businesses. However, first-party software often lacks the disciplined vulnerability and configuration management that is applied to third-party software. According to a Qualys post, more than 90% of first-party software includes open-source components, and more than 40% contains high-risk factors such as exploitable vulnerabilities.
Today, application and security operations teams rely on manual checks or siloed scripts to evaluate the security of first-party software. The result is ad-hoc assessments that hinder effective prioritization and remediation of risk, the company added.
In addition, traditional vulnerability assessment and software composition analysis tools do not adequately detect open-source packages embedded inside applications across the production environment, so security teams struggle to understand their true exposure, especially during a security incident such as the Log4j vulnerability. Qualys says its new solution addresses these gaps and gives better visibility into, and control over, the risks of first-party software and its use of open-source components.
“In our complex enterprise environment, we’ve often encountered situations where our security needs surpassed the capabilities of off-the-shelf software,” said Gabriel Julián Carrera, CISO at OSED. “Consequently, we’ve resorted to pulling together independent scripts to achieve the assessments our unique homegrown solutions require. Qualys’ new offering eliminates this fragmented approach by seamlessly integrating our proprietary assessments and commercial tools into one unified Qualys TruRisk Platform, saving us time and helping us stay ahead of potential attackers.”
The new platform capabilities let teams create their own Qualys detections (QIDs) and remediations from custom logic or scripts written in major scripting languages such as Python and PowerShell, and get continuous, real-time visibility, via the Qualys Cloud Agent, into deeply embedded open-source packages such as Log4j and OpenSSL as well as commercial software components, among other features.
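The announcement describes script-based custom detections and visibility into packages buried inside application archives, but shows neither. The following is an added example written for this page; it is not Qualys code and does not use the Qualys custom-QID interface, which the page does not describe. It shows the kind of check a homegrown detection script would wrap: walk a directory, open every JAR/WAR/EAR/ZIP, recurse into archives nested inside archives, read each component's Maven pom.properties to identify it, and flag log4j-core builds, also noting whether the JndiLookup class is still present. The sample EAR is constructed inside the block; the 2.17.1 version threshold, the function names and the max nesting depth are assumptions chosen for illustration.

```python
from __future__ import annotations

import io
import re
import sys
import zipfile
from dataclasses import dataclass
from pathlib import Path

# Archive types a first-party Java application commonly nests inside one another.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven places one pom.properties per bundled artifact at this path inside the JAR.
POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass(frozen=True)
class Finding:
    location: str          # "app.ear!lib/app.war!WEB-INF/lib/log4j-core-2.14.1.jar"
    group_id: str
    artifact_id: str
    version: str
    jndi_lookup_present: bool  # only meaningful for log4j-core


def parse_pom_properties(text: str) -> dict[str, str]:
    """Minimal key=value parser for Maven pom.properties (comments start with '#')."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def scan_archive(data: bytes, location: str, depth: int = 0, max_depth: int = 8) -> list[Finding]:
    """Recursively inventory Maven artifacts inside an in-memory zip-based archive."""
    findings: list[Finding] = []
    if depth > max_depth:  # assumed limit: guard against zip bombs / runaway recursion
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # suffix lied; not a zip container
    with zf:
        names = zf.namelist()
        has_jndi = JNDI_LOOKUP_CLASS in names
        for name in names:
            match = POM_PROPS_RE.match(name)
            if match:
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                findings.append(Finding(
                    location,
                    props.get("groupId", match.group(1)),
                    props.get("artifactId", match.group(2)),
                    props.get("version", "unknown"),
                    has_jndi,
                ))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Nested archive: descend with the path chain recorded for the report.
                findings.extend(scan_archive(zf.read(name), f"{location}!{name}", depth + 1, max_depth))
    return findings


def scan_path(root: Path) -> list[Finding]:
    """Walk a directory tree on disk and scan every top-level archive found."""
    findings: list[Finding] = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def version_tuple(version: str) -> tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); non-numeric parts such as 'beta9' sort below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def needs_review(f: Finding, min_ok: str = "2.17.1") -> bool:
    """Flag log4j-core older than min_ok (assumed threshold) or still shipping JndiLookup."""
    if (f.group_id, f.artifact_id) != ("org.apache.logging.log4j", "log4j-core"):
        return False
    return version_tuple(f.version) < version_tuple(min_ok) or f.jndi_lookup_present


def _build_archive(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_ear() -> bytes:
    """Constructed sample: EAR -> WAR -> log4j-core 2.14.1 JAR plus an unrelated library."""
    log4j_jar = _build_archive({
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",  # class file magic; body irrelevant here
    })
    util_jar = _build_archive({
        "META-INF/maven/com.example/util/pom.properties":
            b"groupId=com.example\nartifactId=util\nversion=1.0.0\n",
    })
    war = _build_archive({
        "WEB-INF/lib/log4j-core-2.14.1.jar": log4j_jar,
        "WEB-INF/lib/util-1.0.0.jar": util_jar,
        "WEB-INF/web.xml": b"<web-app/>",
    })
    return _build_archive({"lib/app.war": war, "META-INF/application.xml": b"<application/>"})


if __name__ == "__main__":
    results = scan_path(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_archive(build_sample_ear(), "app.ear")
    for finding in results:
        flag = "REVIEW" if needs_review(finding) else "ok"
        print(f"{flag:6} {finding.group_id}:{finding.artifact_id}:{finding.version}  {finding.location}")
```

Run it with a directory argument to inventory real deployments, or with no argument to scan the constructed sample. The path chain joined with `!` is what makes the result actionable: it tells the remediation owner exactly which nested archive to rebuild, which a flat file listing of the host cannot. Reporting the JndiLookup class separately matters because some teams removed that class instead of upgrading, and a version-only check would misjudge those builds in both directions.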