Integrating your ISMS with Nessus & Qualys
As many as 84% of software professionals believe that threats to the software supply chain will be the biggest concern in the next three years. With the increasing threat of cyber-attacks, securing the Software Development Lifecycle (SDLC) has become an integral part of information security. With most companies adopting DevOps for SDLC, it makes sense to consider DevOps while making any attempt to secure SDLC.
What are CI and CD?
CI and CD stand for continuous integration and continuous development respectively and are important methodologies in DevOps.
In CI, the code changes and integrations are automatically tested. Also, the code being developed is frequently integrated with other systems, making it possible to push out code changes faster.
In CD, the release of the code is automated so that changed code can quickly be deployed to the test environment for further testing apart from those in CI. This helps the code promotion to production to be quicker. Sometimes, when the code promotion to production is also an automated step, it is known as Continuous Deployment.
CI and CD are often used together to make software delivery faster, more efficient, and secure. With increased digital transformation and SaaS application usage, the only way to keep up with the demand for technological innovation is to build a system that is sustainable, fast, and secure.
From DevOps to DevSecOps
If DevOps (Development & Operations) helped revolutionise the way we develop software, DevSecOps (Development, Security, and Operations) goes one step further and makes sure it is done in a more secure way by introducing security practices early on in the SDLC.
It is not just a set of practices but a shift in the culture and a fundamental change in the processes which make security a shared responsibility. Everyone involved in the SDLC has a role to play in making security a central aspect of the CI/CD workflow.
DevSecOps introduces vulnerability scanning earlier in the SDLC thereby making it easier and more cost-effective to detect and fix vulnerabilities. Since CI/CD pipelines are early in the software development process, they are a good starting point for DevSecOps to introduce automated vulnerability scanning.
What are DAST and SAST?
Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) are two approaches to testing the security of an application.
DAST is performed on a fully functional application by simulating an attack to identify the vulnerabilities. A good DAST scanner will not only show you the vulnerabilities, but it will also show how these vulnerabilities can be fixed.
A SAST tool checks the software from the inside by looking at the flow of the data and checking for any weaknesses that can be exploited. Due to this approach, SAST can be performed before the application is functional.
So, is DAST better or SAST?
SAST is a good method to test early though it is marred with issues such as false positives, scans that run for a long time, and overwhelmingly lengthy reports. DAST needs the application to be developed fully before testing which takes away from the benefits of testing early in the SDLC. However, DAST results can be directly mapped to risk. Also, DAST is as close to real-life attacks as possible.
So, in answering the question about which one of the two approaches is better, the simple answer is that both have their positives and negatives. You need to choose the approach which is best suited to your development environment and business goals.
Automated Vulnerability Scans
Whether you use DAST or SAST for testing applications, vulnerability management is an important part of proactive cybersecurity. Read more about vulnerability management in ISMS in the blog Integrating Vulnerability Management into your ISMS.
Vulnerability scans, which identify the weaknesses in the systems, software, and networks, are a mandatory activity. Until recently, these scans were performed by the teams using various vulnerability scanning tools. The reports created from the scans would be too exhaustive and lengthy, adding a lot of overhead to vulnerability management.
The evolving needs in software development and security call for automation of the vulnerability scans so that even when the number of known vulnerabilities is overwhelmingly high, the time taken to scan, identify, and report vulnerabilities is considerably low. Also, since vulnerability management is a continuous process, automation is a sustainable way to facilitate it.
Using automatic vulnerability scanners
Qualys and Nessus are two vulnerability scanners that can be used for automated scanning. We will see how both these scanners work and integrate with your ISMS.
Qualys
Qualys boasts of a vulnerability scanning platform that is accurate and scalable. It aids the CI/CD approach by continuously identifying and fixing vulnerabilities across all the assets in the organisation.
Advantages of the Qualys Vulnerability platform are:
- Qualys has a large database of known vulnerabilities, perhaps the largest in the industry, providing broad coverage of all possible vulnerabilities.
- It provides vulnerability scanning with six sigma accuracy (99.9996%).
- Qualys detects vulnerabilities and also reports their severity and criticality, thus prioritising vulnerability fixes.
- It also can forecast threats and security incidents.
- It automates the vulnerability treatment process which integrates with the existing IT ticketing system, thus streamlining the entire process.
- It is compliant with standards for information security.
Nessus
Nessus is a vulnerability scanner developed by tenable.io, a subscription-based service. Nessus scans each port of a computer and identifies the services that are running. All the identified services are tested to identify vulnerabilities that can be exploited by a hacker.
Advantages of Nessus are:
- Nessus can scan for vulnerabilities arising from unauthorised access and weak passwords.
- It can also detect DoS (Denial of Service) vulnerabilities which are on the rise.
- Nessus can also detect missing patches, misconfigurations, and software errors across operating systems, applications, and devices.
- Nessus can carry out mock attacks on the applications to detect real-world vulnerabilities.
- It can help schedule security audits.
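Feeding a Nessus export into an ISMS usually means reducing the lengthy report to a prioritised list of actionable findings. The following is an added example (not code from the page, from Tenable, or from 6clicks) that parses a constructed `.nessus` (NessusClientData_v2) export, drops informational items, orders the rest by severity and CVSS, and attaches a hypothetical remediation SLA per severity; the hosts, plugin IDs, scores and SLA values are all made up for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the .nessus (NessusClientData_v2) export format; hosts,
# plugin IDs and scores are made up for this example.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="example-scan">
<ReportHost name="10.0.0.5">
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3" pluginID="100001" pluginName="Example SSH weakness"><cvss_base_score>7.5</cvss_base_score></ReportItem>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="100002" pluginName="Example info item"/>
</ReportHost>
<ReportHost name="10.0.0.9">
 <ReportItem port="443" svc_name="www" protocol="tcp" severity="4" pluginID="100003" pluginName="Example critical web flaw"><cvss_base_score>9.8</cvss_base_score></ReportItem>
 <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="100004" pluginName="Example TLS misconfiguration"><cvss_base_score>5.3</cvss_base_score></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""

SEVERITY_LABELS = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# Hypothetical ISMS remediation SLA in days per Nessus severity; tune to your policy.
SLA_DAYS = {4: 7, 3: 30, 2: 90, 1: 180}


def parse_nessus(xml_text):
    """Flatten ReportItems, drop informational (severity 0) items, riskiest first."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev == 0:  # informational noise that bloats reports; not a risk item
                continue
            cvss = item.findtext("cvss_base_score")
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": sev,
                "risk": SEVERITY_LABELS[sev],
                "cvss": float(cvss) if cvss else None,
                "sla_days": SLA_DAYS[sev],
            })
    # Highest severity first, then highest CVSS, so triage starts at the top.
    return sorted(findings, key=lambda f: (-f["severity"], -(f["cvss"] or 0.0)))


def severity_summary(findings):
    """Count actionable findings per risk label for the ISMS risk register."""
    return dict(Counter(f["risk"] for f in findings))
```

The same flattened dictionaries can be pushed into a ticketing system or risk register, which is the integration step the page describes for both scanners.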
Qualys vs Nessus
Both Qualys and Nessus have their advantages and disadvantages. But, if you have to choose between the two, here are some considerations.
- Cost and scale
Nessus is cheaper than Qualys. But that’s because it is not an enterprise solution. It is more suited for smaller teams. Even though the performance of vulnerability scans through Nessus is good, it is intended for small-scale scans. Qualys, on the other hand, is built for scalability and is a good enterprise solution.
- Accuracy
Both Qualys and Nessus dig deep into the filesystem to give highly accurate results. Their rate of false positives and false negatives is very low, making both platforms on par with each other in terms of accuracy.
- On-prem and cloud
Qualys is a cloud-based service; Nessus is not. Nessus is present on your network whereas, in Qualys, only the scanners are on the network, while the actual platform is on the cloud.
Final thoughts
Vulnerability management programs need to integrate automated solutions to remain one step ahead of the evolving threats. Automated solutions also help to implement information security without compromising on speed and agility in software development and deployment.
Know more about the 6clicks platform and how it automates vulnerability management and supports integration with other solutions. Get in touch with our team to take a free tour of the platform.
Related useful resources
- Understanding vulnerability management
- What is the common vulnerability scoring system and how does it work?
- Business Origami: The importance of folding ISMS into your GRC
- The Biggest Threat to Future Growth
Written by Heather Buker
Heather has been a technical SME in the cybersecurity field her entire career, from developing cybersecurity software to consulting, service delivery, architecting, and product management across most industry verticals. An engineer by trade, Heather specializes in translating business needs and facilitating solutions to complex cyber and GRC use cases with technology. Heather has a Bachelor's in Computer Engineering, a Master's in Engineering Management, and a Doctorate in Information Technology with a specialization in information assurance and cybersecurity.