Qualys, a provider of disruptive cloud-based IT, security and compliance solutions, has announced it is adding Infrastructure as Code (IaC) scanning to its CloudView app. This will enable detection and
remediation of misconfigurations early in the development cycle, removing risk in the production
As noted in the (ISC)2 2021 Cloud Security Report, security professionals’ biggest threat with public
clouds is the misconfiguration of resources. Misconfigurations are often detected post-deployment,
leaving companies with a much larger attack surface and more vulnerable to exploits. Increasingly,
organisations are using IaC to deploy cloud-native applications and provision their cloud
infrastructure. Thus, it’s important to shift security left to identify and remediate misconfigurations
at the IaC template stage. Detecting security issues earlier in the development cycle accelerates
secure application delivery and fosters greater collaboration between DevOps and security teams.
More importantly, it enforces better security policies in the production environment.
“Security and risk management leaders managing cloud infrastructure security should create safe-to-fail environments to facilitate developer innovation by integrating intelligent security tooling with
delivery pipelines (such as infrastructure-as-code [IaC] scanning) to identify risks early and alert on
unsafe workloads before they are deployed.” Gartner, Cool Vendors in Cloud Security Posture
Management, Tom Croll, Neil MacDonald, Mark Wah, Prateek Bhajanka, June 9, 2021.
Qualys CloudView allows complete visibility and security control of public cloud workloads and now
assesses IaC templates for misconfigurations. IaC assessments are integrated into the software
development cycle to ensure that only code conforming to the organisation’s security standards is
deployed. Qualys’ Cloud Platform approach delivers complete visibility, bringing together runtime
and build-time posture and the drift between the two into a single view.
The new capabilities enable organisations to:
Assess security posture throughout the CI/CD pipeline
Organisations can now assess their security posture earlier in the development cycle, dramatically
reducing security risk post-deployment. CloudView IaC Security provides a command line interface
to perform a security assessment locally. Plug-ins for source code repositories (run at check-in) and
for CI/CD platforms are also available, so that deployment can be gated when misconfigurations are detected.
Adhere to security best practices
CloudView IaC Security makes it easy for organisations to adopt the security best practices promoted by
cloud platform providers. CloudView IaC Security supports popular IaC languages such as Terraform,
CloudFormation (CF), and Azure Resource Manager (ARM). It also checks configurations against
thousands of security best practices as prescribed by Amazon Web Services, Azure, Google Cloud
Platform, and standard bodies including the Center for Internet Security. Additionally, CloudView
automatically provides remediation suggestions when a non-compliant configuration is detected.
Ensure compliance with industry mandates
Using CloudView IaC Security, organisations can ensure compliance with more than 20 industry
mandates such as PCI, HIPAA, and NIST 800-53. This reduces the burden on DevOps and security
teams and ensures a streamlined process during mandatory compliance audits.
“With the addition of IaC assessment to CloudView, Qualys is extending its cloud security posture
management (CSPM) solution to handle shift-left use cases,” said Sumedh Thakar, President and
CEO of Qualys. “Leveraging the Qualys Cloud Platform and its integrated apps, customers can now
insert security automation into all stages of their application lifecycle, ensuring complete visibility
into both runtime and build-time posture via a unified dashboard.”
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 920