Qualys Introduces Policy Compliance to Widely Adopted On Demand Vulnerability Management Platform

QualysGuard 4.0 Spring Release Introduces Policy Compliance SDK, MasterCard SDP Module, and Executive Dashboard

Redwood City, CA — April 18, 2005 — Qualys Inc., the leading provider of on demand vulnerability management and policy compliance solutions, today announced its spring release, QualysGuard® 4.0, introducing a policy compliance software development kit (SDK) and application library, a self-service MasterCard SDP module, and a real-time executive dashboard. The new version of QualysGuard now allows security managers to audit and enforce internal and external policies, on demand, without the cost and complexity associated with enterprise software.

“Regulations such as the Sarbanes-Oxley Act and Basel II have pushed compliance to the forefront of the executive’s agenda,” said Andreas Wuchner-Bruehl, head of global IT security at Novartis AG (NYSE: NVS), a world leader in pharmaceuticals and consumer health. “As a result, much of the burden now falls on IT professionals to assure the privacy and accuracy of company data. In this environment, security managers must tie their vulnerability management and security auditing practices to broader corporate risk and compliance initiatives.”

Policy Compliance SDK and Application Library
Qualys has developed a library of pre-built applications that allow customers to determine the security status of specific corporate assets and compare them to internal policies and external standards. The library, which leverages new and existing APIs to extend the reach of the QualysGuard platform, currently includes more than 15 applications with new applications being developed and delivered weekly to customers.

Qualys has also developed a policy compliance SDK that allows customers to create custom applications based on their unique requirements. Qualys MSSP and consulting partners can utilize the SDK to easily create their own compliance applications to differentiate their QualysGuard-based services.

A sample of Qualys’ policy compliance application library includes:

  • Regulatory Reporting — QualysGuard 4.0 enables companies to develop custom reports to automate and ease compliance for Sarbanes-Oxley, HIPAA, GLBA and others. With this application, customers can audit their network to identify any instances that do not conform to set standards, manage the remediation process and create customized reports that provide an unalterable audit trail.
  • Internal Policy Auditing — In addition to complying with external regulations, companies must also uphold their IT policies. This application provides security managers with a quick and easy way to audit internal practices such as password length and access control permissions.
  • Rogue & Wireless Device Discovery — The introduction of unknown or unauthorized wireless devices onto the network can present significant security risks. QualysGuard’s device discovery application enables security and operations teams to identify devices that are unauthorized on the network or do not meet corporate standards.
  • Software Inventory — Managing software distribution and license maintenance is fundamental to ensuring network systems are in alignment with security policies. The software inventory application allows customers to identify and determine the status of all software installed in their environment to find expired software licenses and missing or outdated software, such as antivirus software.

For example, Novartis has leveraged the policy compliance SDK to develop a custom Sarbanes-Oxley and Basel II compliance application called SeTraSys that continuously monitors and reports on the actual security level of their systems to verify compliance with the security aspects of these regulations. Leveraging QualysGuard to automate these procedures ensures ‘always-on’ process controls that have helped Novartis streamline its compliance processes. Additional information on the application is available at or by emailing

MasterCard SDP Compliance Module
Qualys has introduced the first automated, self-service compliance solution for the MasterCard Site Data Protection (SDP) program. As an SDP approved scanning vendor, Qualys is certified to help online merchants and their consultants evaluate the security of Web sites that store credit card data, and achieve compliance with the Payment Card Industry (PCI) Data Security Standard (MasterCard SDP, Visa CISP). Beginning June 30, 2005, MasterCard will require online merchants processing over $125,000 in monthly MasterCard gross volume to comply with its SDP regulations.

QualysGuard 4.0 includes a pre-defined scan profile that enables online merchants and their consultants to scan payment systems according to PCI requirements, a blueprint for correcting found vulnerabilities, and auto-generated compliance reports that can be submitted directly to the acquiring bank.

For more information, see also today’s announcement “Qualys Introduces MasterCard Site Data Protection Compliance Solution” at

Executive Dashboard
QualysGuard 4.0 offers users a new executive dashboard to simplify security management. The dashboard provides a user-configurable, always up-to-date view of the security posture of an organization in terms that are meaningful to business managers and auditors. To view the dashboard, please visit

The executive dashboard offers security executives an automated approach to:

  • Centralize security information
  • Measure network security posture
  • Track patching efforts
  • Prioritize scanning and patching tasks
  • Demonstrate compliance

“The value of Qualys’ vulnerability management solution is not just accurately identifying vulnerabilities; it’s prioritizing those threats, mapping them to the critical assets in our business, and managing the remediation and compliance lifecycle,” said Gary Praegitzer, network administrator at Jelly Belly Candy Company. “With the new Qualys dashboard, all of this information is available on demand at our fingertips.”

Additional Enterprise Features
QualysGuard 4.0 also includes new enterprise features, such as a new portal to search enterprise assets and hosts, scanning by vulnerability severity level, ‘quick scans’ for severity 5 and 4 vulnerabilities, and additional rights for unit managers, including business unit remediation policies and management of authentication records.

Pricing and Availability
QualysGuard 4.0 will be generally available at the end of April, 2005. The QualysGuard platform is automatically updated with all new product additions for current customers. Annual QualysGuard Express subscriptions start at $1,495 and QualysGuard Enterprise subscriptions start at $17,000 for new customers.

Pricing for the MasterCard SDP compliance module is $495 for Express customers and $2,495 for Enterprise customers.

About QualysGuard

QualysGuard is an on demand vulnerability management solution that enables organizations to assess and manage business risk. QualysGuard automates the network security auditing process across the enterprise both inside and outside the firewall, and across distributed networking environments. QualysGuard provides network discovery and mapping, asset prioritization, centralized reporting, and remediation workflow and verification. Executive-level reports allow security professionals to demonstrate effective security practices and verify compliance with data protection laws and regulations. QualysGuard’s on demand technology is far more accurate, cost effective, and easier to deploy than software-based alternatives.

About Qualys

With more than 2,000 subscribers ranging from small businesses to multinational corporations, Qualys has become the leader in on demand vulnerability management and policy compliance. The company allows security managers to strengthen the security of their networks effectively, conduct automated security audits and ensure compliance with internal policies and external regulations. Qualys’ on demand technology offers customers significant economic advantages, requiring no capital outlay or infrastructure to deploy and manage. Its distributed scanning capabilities and unprecedented scalability make it ideal for large, distributed organisations. Hundreds of large companies have deployed Qualys on a global scale, including AXA, DuPont, Hershey Foods, ICI Ltd, Novartis, Sodexho, Standard Chartered Bank and many others. Qualys is headquartered in Redwood City, California, with European offices in France, Germany and the U.K., and Asian representatives in Japan, Singapore, Australia, Korea and the Republic of China. For more information, please visit

Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.

Media Contact:
Tami Casey