Qualys announced CertView, a new app framework in the Qualys Cloud Platform that enables customers to discover, assess and manage SSL/TLS certificates on a global scale, helping them prevent downtime, outages, and audit and compliance failures, and mitigate risks associated with any expired and/or vulnerable SSL/TLS certificates on their business-critical systems.
The first two apps in CertView include Certificate Inventory (CRI) and Certificate Assessment (CRA).
Machines rely on X.509 certificates to communicate securely with each other both internally and externally, and this communication creates new attack surfaces — particularly amidst the rise of DevOps and public clouds. In order to stay ahead of this risk, organizations must automate visibility and tracking of their certificate deployments for DevSecOps.
Qualys CertView allows them to do so by centralizing visibility of certificate vulnerabilities into their overall continuous view of security and compliance state, and by enabling customers to rapidly see and remediate expired or vulnerable certificates.
“While several offerings exist to discover X.509 certificates, most organizations rely on spreadsheet-based tracking methods and manual processes to keep track of certificates, resulting in many undocumented installations and increased exposure to risks,” said David Anthony Mahdi, Research Director, Gartner. “When using discovery tools, security leaders are often surprised by the amount of unknown certificates, from multiple certificate authorities (CAs) that exist in their environment.”
Digital Certificate Inventory (DCI) app features
Discovery: Enabling infosec and other teams to continuously scan global IT assets from the same console to discover every certificate issued from any CA.
Inventory: Enabling reduced administrative costs by bringing the entire certificate estate under central control with comprehensive visibility of all certificates in use across DevSecOps, InfoSec and IT teams.
Digital Certificate Assessment (DCA) app features
Continuous Monitoring: Automation built into the Qualys Cloud Platform identifies critical issues, weaknesses and vulnerabilities and sends targeted alerts to DevSecOps, InfoSec and IT teams.
Reports and Dashboards: Dynamic dashboards provide teams with a holistic and contextual view of their certificate estate, and power automatically created downloadable reports of certificate-related vulnerabilities, certificate expirations and non-compliant certificates across global IT assets.
“Thriving in today’s business environment requires constant and secure global communication and collaboration between machines-to-machines and people,” said Philippe Courtot, chairman and CEO, Qualys, Inc. “Qualys CertView delivers customers added visibility of this critical infrastructure layer as it grows, and allows them to more confidently achieve digital transformation securely – all from a ‘single pane of glass’ view, further consolidating their security and compliance stack in one unified platform and reducing costs.”
Qualys CertView will be available in beta starting September 2017, with general availability in Q4. The initial release will include these two apps: CRI and CRA. Qualys is working to add full certificate lifecycle management into the single-pane view of the Qualys Cloud Platform.
Future versions of CertView will add new apps to include back-end integration with major CAs and application servers, as well as workflows for policy enforcement.