Guides and Whitepapers

Read our complimentary guides, whitepapers, briefs, webcasts and more.

Vulnerability Management

FEATURED RESOURCES:

Vulnerability Management for Dummies

Vulnerability Management for Dummies arms you with the facts and shows you how to implement a successful Vulnerability Management program. Whether your network consists of just a handful of computers or thousands of servers distributed around the world, this 5-part book will help:

  • Explain the critical need for Vulnerability Management (VM)
  • Detail the essential best-practice steps of a successful VM Program
  • Outline the various VM Solutions - including the pros & cons of each
  • Highlight the award-winning QualysGuard VM solution
  • Provide a 10-point checklist for removing vulnerabilities from your key resources
Whitepaper:
Responding to the New Information Risk Landscape

Responding to the New Information Risk Landscape

Overview:

By David Lacey, Co-Founder, Jericho Forum

Social networks, data mining and Cloud computing are transforming the scale, exposure and control of our data. As a result, security is becoming harder to manage, threats are growing in sophistication and impact, and regulators are threatening greater penalties for data breaches. Yesterday's security solutions do not meet today's unprecedented security challenges and to survive, a fresh approach to information risk management must be adopted.

This paper analyses the trends and changing priorities of the emerging information security landscape, setting out a new action agenda for managing future information risks across a volatile and increasingly externalised business environment.

Whitepaper:
Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard

Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard

Overview:

Independent author Tim Proffitt writes his thesis, as part of his GIAC certification requirements, on how large companies should implement a Vulnerability Assessment Program using QualysGuard. The white paper is hosted in the SANS Institute Reading Room, and provided by SANS as a resource to benefit the security community at large.

In this paper Tim Profitt provides a step-by-step guide for implementing a Vulnerability Assessment Program using QualysGuard. Topics include:

  • What is Vulnerability Assessment?
  • Introduction to QualysGuard
  • Creating Security Policies and Controls
  • Categorization of Assets
  • Discovery of Assets
  • Host and Asset Configuration
  • Configuring Scanning Details
  • Report on Your Results
  • Rank Your Risks and Remediate
  • Handling Verification and False Positives
  • Compliance and Life Cycles
Whitepaper:
The Need for Vulnerability Management

The Need for Vulnerability Management

Overview:
This guide describes the need for vulnerability management. It introduces the sources of vulnerabilities and their related fallout, then relates why the nature of modern threats to the network requires automated technology to counter sophisticated exploits. The guide defines elements of vulnerability management and how it controls the detection and remediation process. As an important byproduct, vulnerability management can also document compliance with security provisions mandated by legislation, industry and business policy. Vulnerability management can be implemented for networks of all sizes with cost-effective technology that automates much of what used to be a complex, manual process.
Whitepaper:
7 Essential Steps to Achieve, Measure and Prove Optimal Security Risk Reduction

7 Essential Steps to Achieve, Measure and Prove Optimal Security Risk Reduction

Overview:

Whether protecting 5 servers or 5,000, organizations must be able to:

  1. Measure the security status of their infrastructure
  2. Continuously monitor and mitigate emerging threats

This paper details the essential aspects of putting into place a measurable and sustainable vulnerability management program.

Whitepaper:
Dynamic Best Practices of Vulnerability Management

Dynamic Best Practices of Vulnerability Management

Overview:

Yankee Group research reveals best practices in proactively identifying and correcting network weaknesses. Guidelines are based on Qualys' "Laws of Vulnerabilites" research.

Whitepaper:
Business Enablement with On Demand Vulnerability Management

Business Enablement with On Demand Vulnerability Management

Overview:

This whitepaper discusses the challenges of security in today's business world and provides insight into the value of an on demand Web based service for vulnerability assessment. It closes with summary information and feedback regarding the QualysGuard service, as compiled from Qualys customers.

Whitepaper:
4 Key Steps to Automate IT Security Compliance

4 Key Steps to Automate IT Security Compliance

Overview:

A Unified Approach for IT, Audit and Operation Teams

This paper provides a detailed discussion of the internal and external regulatory challenges now faced by organizations, the scope of these challenges, and 4 key ways in which they can be addressed through better business processes and automation.

Whitepaper:
Justifying IT Security

Justifying IT Security

Overview:

Managing Risk & Keeping Your Network Secure

The goal of a security program is to choose and implement cost effective countermeasures that mitigate the vulnerabilities that will most likely lead to loss.

This paper discusses the management of Risk and how Vulnerability Management is one of the few counter-measures easily justified by its ability to optimize risk.

Guide:
The Top 10 Reports for Managing Vulnerabilities

The Top 10 Reports for Managing Vulnerabilities

Overview:

New network vulnerabilities appear constantly and the ability for IT security professionals to handle new flaws, fix misconfigurations and protect against threats requires constant attention. However, with shrinking budgets and growing responsibilities, time and resources are at constrained. Therefore, sifting through pages of raw vulnerability information yields few results and makes it impossible to accurately measure your security posture.

This paper cuts through the data overload generated by some vulnerability detection solutions and introduces The Top 10 Reports for Managing Vulnerabilities. This free guide covers the key aspects of the vulnerability management lifecycle and shows you what reports today's best-in-class organizations are using to reduce risks on their network infrastructure.

Guide:
Strengthening Network Security with On Demand Vulnerability Management & Policy Compliance

Strengthening Network Security with On Demand Vulnerability Management & Policy Compliance

Overview:

Despite defensive efforts with firewalls, intrusion detection, antivirus and the like, criminals, careless employees and contractors have exposed more than 158 million digital records of consumers' personally identifiable information since 2005. This security guide describes the requirements and on demand software-as-a-service (SaaS) solution called QualysGuard for effective vulnerability management and policy compliance.

Guide:
Effective Remediation of Network Vulnerabilities & Policy Compliance

Effective Remediation of Network Vulnerabilities & Policy Compliance

Overview:

Consistent, ongoing execution of vulnerability management and policy compliance is difficult, if not impossible to do on a manual basis. There are simply too many "moving parts" to juggle and act on in a timely and cost-effective manner. This guide provides a step-by-step guide for automating the vulnerability and compliance workflow process.

8 step vulnerability and compliance workflow:

  1. Create security policies and controls
  2. Track inventory and categorize assets
  3. Scan systems for vulnerabilities
  4. Compare vulnerabilities against inventory
  5. Classify and rank risks
  6. Pre-test patches, fixes and workarounds
  7. Apply patches, fixes and workarounds
  8. Re-scan to confirm fixes and verify compliance
Guide:
Vulnerability Management Buyer's Checklist

Vulnerability Management Buyer's Checklist

Overview:

Key Questions to Ask Before You Select a VM Solution

Choosing a solution for Vulnerability Management (VM) is a critical step toward protecting your organization's network and data. Without proven, automated technology for precise detection and remediation, no network can withstand the daily onslaught of new vulnerabilities that threaten security.

To help finalize your decision on which solution to buy, Qualys provides this 12-point short list of considerations that will help you determine what will work best for your organization.

Brief:
Vulnerability and Policy Management for NERC Compliance

Vulnerability and Policy Management for NERC Compliance

Overview:

NERC Standards are a U.S. regulation for managing the Critical Cyber Assets of Bulk Electric Systems. CIP-002 through CIP-009 provides a cyber security framework for the identification and protection of these assets, and supports reliable operation of the Bulk Electric System. This brief explains how on demand vulnerability and policy management can ensure NERC compliance.

Demo:
Vulnerability Management & Policy Compliance Overview

Vulnerability Management & Policy Compliance Overview

Overview:
Watch a quick introduction to Qualys' vulnerability management and policy compliance solutions.

Policy Compliance

FEATURED RESOURCES:

IT Policy Compliance for Dummies

This book is a quick guide to understanding IT policy compliance. It surveys the best steps for preparing your organization's IT operations to comply with laws and regulations - and how to prove compliance to an auditor.

In this book you will discover:

  • What IT policy compliance is all about
  • How laws and regulations govern compliance
  • Ten best practices
  • How automation can ease compliance and save money

Strengthening Network Security with On Demand Vulnerability Management & Policy Compliance

Despite defensive efforts with firewalls, intrusion detection, antivirus and the like, criminals, careless employees and contractors have exposed more than 158 million digital records of consumers' personally identifiable information since 2005. This security guide describes the requirements and on demand software-as-a-service (SaaS) solution called QualysGuard for effective vulnerability management and policy compliance.

Guide:
Effective Remediation of Network Vulnerabilities & Policy Compliance

Effective Remediation of Network Vulnerabilities & Policy Compliance

Overview:

Consistent, ongoing execution of vulnerability management and policy compliance is difficult, if not impossible to do on a manual basis. There are simply too many ""moving parts"" to juggle and act on in a timely and cost-effective manner. This guide provides a step-by-step guide for automating the vulnerability and compliance workflow process.

8 step vulnerability and compliance workflow:

  1. Create security policies and controls
  2. Track inventory and categorize assets
  3. Scan systems for vulnerabilities
  4. Compare vulnerabilities against inventory
  5. Classify and rank risks
  6. Pre-test patches, fixes and workarounds
  7. Apply patches, fixes and workarounds
  8. Re-scan to confirm fixes and verify compliance
Whitepaper:
Using Qualysguard To Meet Sox Compliance & IT Control Objectives

Using Qualysguard To Meet Sox Compliance & IT Control Objectives

Overview:

This paper outlines how organizations can use the CobiT framework to assess the effectiveness of an organization's internal control as a means to achieve compliance with Section 404 of the Sarbanes-Oxley act.

Whitepaper:
EU Compliance and Regulations for the IT Security Professional

EU Compliance and Regulations for the IT Security Professional

Overview:

The growth of compliance requirements over the past few years has sometimes been seen as a US-based phenomenon as regulations are implemented to address various corporate failures and scandals over the past decade or so. In fact, compliance, rules and regulations to protect data stored by EU-based organisations can be just as onerous as those originating from the US.

This paper highlights key directives and legislation as it affects the member states of the EU.

Guide:
HIPAA Guide

HIPAA Guide

Overview:

The Health Insurance Portability and Accountability Act has had substantial impact on the healthcare industry. Our free guide explains how on demand security audits make HIPAA compliance easier to achieve.

Guide:
GLBA Guide

GLBA Guide

Overview:

Security provisions of GLBA are complex and process intensive. Our free guide explains how on demand security audits make GLBA compliance easier to achieve.

Guide:
FISMA Guide

FISMA Guide

Overview:

Becoming FISMA compliant can be challenging. To help you overcome the pitfalls faced by all agencies, we've put together a step-by-step guide to ease compliance and help you make the grade. When you download our complimentary guide, you will learn:

How FIMSA is Defined

Receive detailed information on the major requirements of FISMA and how to implement a best practice based approach to overcome common challenges.

How QualysGuard Supports FISMA Compliance

See how QualysGuard's tailored solution meets each of the FISMA requirements and delivers the proper reports so you can achieve indisputable compliance.

How QualysGuard Automates Compliance

Learn how QualysGuard's on demand solution provides an automated solution so you're always in control of your network security - even during fast-moving worm and virus attacks.

Guide:
SB 1386 Guide

SB 1386 Guide

Overview:
Prevention of security breaches is vital. Download our free guide to learn more about compliance with SB1386.
Guide:
Avoiding 7 Common Mistakes of IT Security Compliance

Avoiding 7 Common Mistakes of IT Security Compliance

Overview:

Currently, there is no single standard framework that explicitly defines what your organization must do for compliance. A big challenge for IT security professionals is navigating this ambiguity and achieving the organization's compliance goals effectively and on budget.

This guide covers seven typical IT security compliance errors and outlines the best practices you can immediately apply to your environment to help your company achieve compliance.

Brief:
Vulnerability and Policy Management for NERC Compliance

Vulnerability and Policy Management for NERC Compliance

Overview:
NERC Standards are a U.S. regulation for managing the Critical Cyber Assets of Bulk Electric Systems. CIP-002 through CIP-009 provides a cyber security framework for the identification and protection of these assets, and supports reliable operation of the Bulk Electric System. This brief explains how on demand vulnerability and policy management can ensure NERC compliance.

PCI Compliance

FEATURED RESOURCES:

PCI Compliance for Dummies

Complying with the PCI Data Security Standard may seem like a daunting task for merchants. This book is a quick guide to understanding how to protect cardholder data and comply with the requirements of PCI - from surveying the standard's requirements to detailing steps for verifying compliance.

PCI Compliance for Dummies arms you with the facts, in plain English, and shows you how to achieve PCI Compliance. In this book you will discover:

  • What the Payment Card Industry Data Security Standard (PCI DSS) is all about
  • The 12 Requirements of the PCI Standard
  • How to comply with PCI
  • 10 Best-Practices for PCI Compliance
  • How QualysGuard PCI simplifies PCI compliance

PCI Data Security Standards - What You Need to Know

This 20 minute audiocast provides answers to Merchants regarding:

  • Why We Need PCI?
  • Cost of Data Breaches vs. Network Protection
  • Consume Data and Why Fraud Rates Are Rapidly Rising
  • How Much PCI Compliance Costs?
  • What Are the Top Technical Challenges in Achieving PCI Compliance?
  • How Should Merchants Prioritize Their PCI Compliance Efforts?
  • What Are the 3 Main Lessons Learned Regarding PCI Compliance?
Whitepaper:
Winning the PCI Compliance Battle

Winning the PCI Compliance Battle

A Guide for Merchants and Member Service Providers

This white paper reviews the basics of PCI, including who must comply, compliance requirements, validation requirements and penalties. It also examines key things to look for when selecting a PCI network testing service and introduces QualysGuard PCI.

Topics in this white paper include:

  • Compliance Requirements of the PCI Data Security Standard
  • Participation and Validation Requirements
  • Selecting a PCI Network Security Testing Service
  • Automating the PCI Validation Process with QualysGuard PCI
Brief:
Meeting Vulnerability Scanning Requirements for PCI

Meeting Vulnerability Scanning Requirements for PCI

Overview:
The credit card industry is stepping up efforts to strengthen cardholder data security by raising member validation requirements for compliance with the Payment Card Industry Data Security Standard (PCI-DSS). As part of these requirements, both internal and external network scanning play a critical role in achieving compliance. This security guide describes the scanning requirements for PCI-DSS and provides a quick-reference requirements matrix for both Merchants and Service Providers of all levels.
Demo:
QualysGuard PCI Demo

QualysGuard PCI Demo

Overview:
See how QualysGuard PCI makes achieving compliance with the PCI Data Security Standard easy and cost effective.

Web Application Scanning

Guide:
Web Application Security — How to Minimize Prevalent Risk of Attacks

Web Application Security — How to Minimize Prevalent Risk of Attacks

Overview:

Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Stories about exploits that compromise sensitive data frequently mention culprits such as "cross-site scripting," "SQL injection," and "buffer overflow." Vulnerabilities like these fall often outside the traditional expertise of network security managers.

To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security. The guide covers:

  • typical web application vulnerabilities
  • comparison of options for web application vulnerability detection
  • QualysGuard Web Application Scanning solution
Whitepaper:
Building a Web Application Security Program

Building a Web Application Security Program

Author
Rich Mogul (Securosis, LLC)
Overview:

Current web applications exist in an environment markedly different from the early days of businesses entering the Internet. They have become essential tools interconnecting organizations in ways never anticipated when the first web browsers were designed. These changes have occurred so rapidly that, in many ways, we've failed to adapt operational processes to meet current needs. This is particularly apparent with web application security, where although most organizations have some security controls in place, few organizations have comprehensive web application security programs.

This detailed report shows how to build a pragmatic web application security program that constrains costs while still providing effective security.