QualysGuard 8.0 New Features

Pronamika Abraham

Last updated on: June 3, 2020

QualysGuard 8.0 adds the following capabilities to the QualysGuard Cloud Platform and its suite of services:

  • Featured Enhancement: Overlapping IP support
  • Vulnerability Management
    • Improvements to the SSL Certificates List
    • Configure Multiple PCI Option Profiles
    • Security Risk Score Summary Added to XML and CSV Reports
  • Policy Compliance
    • Golden Image Policy Organized Into Sections
    • Select Individual IPs for Your Policy Reports
    • Control Checksum Requirement Removed from Policy XML
  • QualysGuard Platform
    • New Look and Feel for QualysGuard Express
    • Improved IP Selection
    • QualysGuard API Enhancements

QualysGuard 8.0 will be released in production in the coming weeks and  includes enhancements to QualysGuard Vulnerability Management (VM) and  Policy Compliance (PC), QualysGuard Cloud Platform and the API.

For release notifications containing details about the release dates  for specific platforms and to subscribe to release notifications by  email, please see the following:

With QualysGuard 8.0 customers can now manage overlapping IP ranges within a single QualysGuard subscription, providing the user with the ability to define discrete private networks to keep overlapping blocks isolated from each other.  This is a common need that appears in many use cases including:

  • M&A events;
  • Air gap networks;
  • Business continuity/disaster recovery
  • Dev/test,
  • IaaS environments;
  • "Cloned" small office networks.

These different network zones can now be easily defined and separated within QualysGuard through the UI and API.

To take advantage of this new capability, the administrator uses the new “Networks” tab under Assets, defines a new network, and assigns a scanner.   Once defined, one can perform asset discovery, launch a vulnerability scan, run reports, and track mitigation on that network as a specific entity.  Assigning scanners to networks resolves the issue of duplicate IP addresses occurring in different networks, but allows the administrator to maintain centralized management across the entire organization.

Create a Network

2.create a new network

Discover Assets on Your New Network

4.new network wizard

Scan Your Network

5.scan launch showing networks

QualysGuard Vulnerability Management (VM)

Improvements to the SSL Certificates List

We’ve made several improvements to the SSL Certificates list to make managing your certificates even easier.  Relationships are now maintained between a given certificate and the ports, services, or even different hosts on which it is found, which helps prevent duplicate entries and simplifies reporting and remediation efforts.  The reason for an invalid status now appears in a preview pane.

certificates_list

Configure Multiple PCI Option Profiles

With the QualysGuard 8.0 release you can configure multiple PCI option profiles with different performance settings.  For example, you can create one profile set to High performance, another set to Normal performance, and a third set to Low performance. Then apply the appropriate profile to each scan based upon your network requirements.

pci_profile_new_menu_cropped

Security Risk Score Summary Added to XML and CSV Reports

With this release vulnerability scan reports now include a security risk score summary for the report as a whole and per host, in all available report formats.  Previously security risk metrics were not included in XML or CSV output types.  As before, the risk score summary appears when your report template is configured for host based findings (automatic data) and the Text Summary option is selected. The corresponding asset_data_report.dtd was updated.

scan_report_csv

QualysGuard Policy Compliance (PC)

Golden Image Policy Organized Into Sections

When you create a golden image policy, we automatically add controls to the policy for you. In the QualysGuard 8.0 release we now go one step further and organize those controls into sections based on the control category, giving your policy structure within the Policy Editor.

policy_sections

Select IPs for Your Policy Reports

You can now select individual IP addresses or ranges to include in your policy compliance report.  Simply select the policy you want to report on and click the “Select IPs in policy” option. Then tell us which IPs/ranges from the policy you want to include in the report.

policy_report_select_ips

Control Checksum Requirement Removed from Policy XML

Now it’s possible to manually import policies without the requirement to have a checksum for control configurations. We’ve updated the XML output of the EVALUATE element. We’ll use the new XML output without the checksum when you export policies. No changes were made to the policy export output DTD (https://<base_URL>/api/2.0/fo/compliance/policy/policy_export_output.dtd).

QualysGuard Cloud Platform

New Look and Feel for QualysGuard Express

The QualysGuard Express UI has a new look and feel – you’ll notice more tips and details throughout the UI to help you with your configurations and tasks.

express_quick_start_tips

Here’s a look at the Scans section. Helpful details and links are shown on the screen to help you understand the different scan configuration options available to you in the Scans section. Similar details appear in the Reports and Remediation sections.

express_scans

Improved IP Selection

You’ll now see a simple text field where you can directly enter IPs/ranges or paste them in. This new method for IP selection is used throughout the UI. You’ll see it when setting up your asset groups, configuring approved hosts lists for your domains, removing IPs from your subscription, and so on. If it seems familiar that’s because we introduced this change in authentication records in the last release.

ip_selection_callouts

QualysGuard API Enhancements

The QualysGuard API delivers these new capabilities and enhancements with this release.  More information is available at QualysGuard® API Release Version 8.0 – 15 day notification.

  • VM – “Security Risk Score” summary added to XML and CSV reports
  • VM – Manage the EC2 Scan Workflow using the API
  • VM and PC – Select Multiple Scanner Appliances for Scans
  • VM and PC – Launch Reports using Asset Tags
  • PC – Limit Policy Reports to Selected IPs
  • PC – Compliance Scorecard Report XML – added NetBIOS name and DNS name
  • PC – Policy XML updated to remove control checksum requirement
  • PC – Posture Info API improvements
  • Cloud Security Platform – Manage your Virtual Scanners using the API
  • Cloud Security Platform – Network Support API
VM – “Security Risk Score” summary added to XML and CSV reports
VM – Manage the EC2 Scan Workflow using the API
VM and PC – Select Multiple Scanner Appliances for Scans
VM and PC – Launch Reports using Asset Tags
PC – Limit Policy Reports to Selected IPs
PC – Compliance Scorecard Report XML – added NetBIOS name and DNS name
PC – Policy XML updated to remove control checksum requirement
PC – Posture Info API improvements
Cloud Security Platform – Manage your Virtual Scanners using the API
Cloud Security Platform – Network Support API

aly

Show Comments (7)

Comments

Your email address will not be published. Required fields are marked *

  1. Hi, good to see adding overlapping IP support. However, my client needs this for their multiple Amazon AWS Accounts. Will this feature be added to the EC2 Connector as well? I envisage that all assets imported with an EC2 connector would be automatically assigned to a network-id.

    Secondly, an appliance that is in AWS VPC also needs to be assigned network-id.

    Any comments?

    Best regards

    Vladimir

    1. Vladimir:

      Great use cases and definitely things that are on "the list" to add as automatic/integrated options for the EC2 Connector and overall EC2 solution workflow.

      It will be fairly simple to automatically create one-to-one associations between an EC2-Classic region and a Network in Qualys.

      Because of the availability of VPC Peering and other methods of connecting VPC private networks to each other (and to "home" networks via VPN and DirectConnect), one-to-many relationships can exist between Qualys "Networks" and VPCs.  So our solution will need to provide the user with a self-configurable capability to create the relationships between VPCs and QualysGuard Networks that makes sense in their environment.

      I have no estimate yet of when these features will arrive, but they are in the R&D queue.

  2. Great new feature for VM!

    Will this feature also work where we scan our External IP’s using the 'External' Appliances, and then also scan some of the same IP’s using our DMZ appliances?

    Thus, could we assign the duplicate IP’s for the DMZ to a "New Network Zone" and scan them without over-writing the scan results from the External IP scan?

    Regards

    Steve

    1. Yes, that DMZ use case would definitely be supported from a technical perspective.

      In essence, the creation of a Network within QualysGuard will abstract an entire potential IPv4 network space (0.0.0.0 – 255.255.255.255).