VGZ: Securing System Vulnerabilities from the Network to the Web

As Web application security threats grew more numerous and profound, VGZ extended its use of Qualys to include Web Application Security as well as Qualys Vulnerability Management.

Chances are if you reside in the Netherlands, you are familiar with the Coöperatie VGZ (VGZ). VGZ provides health insurance to more than 4.2 million customers throughout the country, operates out of 10 primary and satellite branch offices, and employs more than 2,500.

When it comes to long-term success in the insurance market, brand loyalty and trust are crucial. Today, with so much commerce running electronically on the Internet and the Web, a substantial portion of that trust resides in web applications.

Arthur Visser, senior infrastructure engineer at VGZ understands the importance of mitigating web application flaws as part of any comprehensive vulnerability management initiative. About a year ago the Arnhem-based VGZ needed a way to accurately assess the web security of its corporate sites, web applications, and customer portals built largely upon Microsoft .NET platform and Sharepoint. Many of these applications enable customers to upload their personal healthcare information, ask policy questions, view/modify their insurance policy information and more.

Visser wanted to ensure these websites and applications remained secured and highly available.

The Need to Reduce Web Application Vulnerability Risk

It’s certainly about time that more businesses, such as VGZ, get serious about the security of their web applications. Consider the findings of a recent survey, conducted by Forrester Research, Inc. Forrester found that 51% of respondents (more than 240 North American and European companies) engaged in web application development suffered at least one web-related breach. And many reported five or more breaches. Additionally, the research firm concluded that many that reported not being breached actually suffered a breach and simply were unaware.

As companies continue to develop even more web applications to serve their customers better and connect more effectively with their partners and suppliers, the challenges to secure web applications are only going to grow. And attackers have taken notice. They are targeting many of their attacks through web application vulnerabilities such as cross-site scripting, SQL injection, code execution, memory corruption, cross-site request forgery, information disclosure and many other types of attacks specific to web applications.

Automating Web Application Scanning

To address its web security needs, VGZ turned to Qualys Web Application Scanning. VGZ has been successfully leveraging Qualys Vulnerability Management for many years, with great success, and decided it would consider Qualys Web Application Scanning in hopes of similar results. It was not disappointed. “One of the deciding factors for us, in addition to the fact that Qualys Web Application Scanning was identifying flaws that we weren't finding previously, was that many of our customers also were using Qualys. Its scans are so accurate and comprehensive that there's no guesswork on the results. That made the decision a slam dunk for us,” Visser says.

As part of the powerful Enterprise TruRisk Platform, Qualys Web Application Scanning drives accurate web application security assessments for improved application security and resiliency, and it achieves this with all of the advantages, power and scalability of cloud computing. Qualys Web Application Scanning identifies web application vulnerabilities in the OWASP Top 10, such as SQL injection, cross-site scripting, URL redirection and many other vulnerabilities. And, because of its rich dynamic user interface, users experience an intuitive, easy-to-use automated workflow along with an extremely low false-positive assessment rate.

As part of its evaluation, VGZ conducted a number of test scans against several web applications. “We were delighted by the results. Qualys Web Application Scanning automates everything, has very few false positives, and finds real vulnerabilities. It has saved us a lot of time and effort,” says Visser.

One example of how Qualys Web Application Scanning saved the VGZ security team a significant amount of time came when VGZ needed to assess the security of about 70 affiliated web sites. According to Visser, Qualys Web Application Scanning was able to identify numerous high-severity vulnerabilities within 10 of those sites. “Those vulnerabilities included multiple cross-side scripting and SQL injection flaws that the site owners were not aware of,” he explains.

Vulnerability Management Endpoint to Web

Today, VGZ uses Qualys Web Application Scanning and Qualys Vulnerability manager to scan its entire web infrastructure, which includes about 25 web servers that host multiple sites. “What we like about Qualys Web Application Scanning is that when we perform a scan, remedies are provided immediately within the results. This saves us a lot of time that we might have used to research all of the specific fixes ourselves,” he says.

Nothing about this success with Qualys Web Application Scanning came as a surprise to VGZ. The company has been relying upon Qualys Vulnerability Management to help secure its internal network and applications for more than nine years. Qualys Vulnerability Management, a central part of the Enterprise TruRisk Platform, automates the life cycle of network auditing and vulnerability management across the enterprise network, including discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking. Driven by the most comprehensive vulnerability KnowledgeBase in the industry, Qualys protects systems against the latest security threats without substantial cost, resource and deployment burdens. “We immediately saw the difference between Qualys and the competition,” says Visser. “Qualys really stood out when it came to ease-of-use, accuracy and flexibility."

By continuously and proactively monitoring network access points, Qualys VM helps the VGZ security team to dramatically reduce the time it takes to research, scan and fix network exposures, and eliminates network vulnerabilities before they can be exploited by attackers.

Using Qualys Web Application Security and Vulnerability Management, VGZ now proactively protects its network and infrastructure through the full vulnerability management lifecycle – for both its traditional networked devices as well as its web applications. “Qualys makes it possible for us to scan whenever we need to, whatever we need to,” says Visser.

Currently, Qualys Web Application Scanning and Vulnerability Management are at the center of VGZ’s vulnerability management program, not only for the company’s scheduled monthly security assessments but also for any out-of-cycle scans that become necessary whenever new and highly-critical vulnerabilities arise.

All of this means VGZ now can maintain security and regulatory compliance better. “The Qualys assessments are extremely effective. If the Qualys verification report is clean, we know that we’re patched and ready for our audit,” Visser says.