Editor in Chief

Using your browser for security

Apr 28, 2003

How’s this for a nightmare scenario: The CEO or CFO gets his hands on a Web-based network vulnerability assessment tool he can use from the browser on his desk to make sure you have everything properly buckled down.

Philippe Courtot, chairman and CEO of Qualys, trots that out as a scare tactic, essentially saying his tool is so easy to use that you better install it to find the weak spots before the top cheese does.

He’s half joking, of course, but with new data security regulations coming online and increased boardroom pressure for security compliance, it’s clear that companies can no longer simply rely on annual security checkups.

Qualys, founded in 1999, is attacking the problem with a service it calls On-Demand Network Security. The basic idea, Courtot says, is to assess network vulnerability without requiring customers to install and learn new tools.

The company has 65 network scanners in the U.S., Europe and Asia that it uses to map customer networks from the outside, looking to see which firewall ports are open, which servers are reachable, and so on. Once that map is complete, it serves as the baseline against which later scans are compared to generate reports detailing what has been added or changed.

Then the company scans for weak spots, looking for evidence of 2,500 vulnerabilities the company has profiled in a database. About 20 to 30 new vulnerabilities are added each week, Courtot says.

When problems are identified, the service alerts the customer and outlines the potential exposure. For remediation, Qualys finds or develops fixes, subjects both the fixes it finds and the ones it develops to an internal QA process, and then makes them available for download.
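The map-then-baseline-then-alert flow described above, as an added illustration that is not Qualys code: two constructed external scan snapshots (host, open port, service banner) are diffed to report what was added, removed or changed, and the current exposure is matched against a small constructed stand-in for a vulnerability-profile database.

```python
"""Baseline diff of external scan snapshots plus profile matching.
All data below is constructed for illustration; not Qualys code or data."""

# Constructed snapshots: host -> {port: service banner seen from outside}.
BASELINE = {
    "203.0.113.10": {22: "OpenSSH 3.4", 443: "Apache 1.3.27"},
    "203.0.113.11": {25: "Sendmail 8.12.8"},
}
CURRENT = {
    "203.0.113.10": {22: "OpenSSH 3.4", 443: "Apache 1.3.27", 21: "wu-ftpd 2.6.1"},
    "203.0.113.11": {25: "Sendmail 8.12.9"},
    "203.0.113.12": {80: "IIS 5.0"},
}
# Constructed stand-in for a profile database: banner prefix -> exposure note.
VULN_PROFILES = {
    "wu-ftpd 2.6.1": "matches a profiled weak spot (constructed entry); apply vendor fix",
    "IIS 5.0": "matches a profiled weak spot (constructed entry); apply vendor fix",
}


def diff_scans(baseline, current):
    """Return (host, port, kind, detail) tuples for every change between two snapshots."""
    changes = []
    for host in sorted(set(baseline) | set(current)):
        old, new = baseline.get(host, {}), current.get(host, {})
        for port in sorted(set(old) | set(new)):
            if port not in old:
                changes.append((host, port, "added", new[port]))
            elif port not in new:
                changes.append((host, port, "removed", old[port]))
            elif old[port] != new[port]:
                changes.append((host, port, "changed", f"{old[port]} -> {new[port]}"))
    return changes


def alerts_for(current, profiles):
    """Match each exposed service banner against the profile database."""
    found = []
    for host, ports in sorted(current.items()):
        for port, banner in sorted(ports.items()):
            for prefix, note in profiles.items():
                if banner.startswith(prefix):
                    found.append((host, port, banner, note))
    return found


if __name__ == "__main__":
    for change in diff_scans(BASELINE, CURRENT):
        print("CHANGE", *change)
    for alert in alerts_for(CURRENT, VULN_PROFILES):
        print("ALERT ", *alert)
```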

Customers who want to complement the outside scan with an inside view receive a packaged scanner that, once clamped on the network, is authenticated by Qualys and provides a pipeline in. The box is owned and managed by Qualys, but all information gathered by either type of scan is kept encrypted and is visible only to the customer.

One shortcoming of the Qualys approach is that customers can’t scan desktops for banned programs, say FTP. Courtot says he might add that capability by introducing client code.

On-Demand costs roughly $50,000 per year for customers with a Class C IP license, and the company says it has 1,000 subscribers, including the Federal Reserve Bank.

One interesting insight is that Courtot says customers are averaging 22 scans per year. That says something about pent-up fear out there.