Qualys CloudView adds security for infrastructure as code for DevSecOps

Sumedh Thakar, the President and Chief Executive Officer of Qualys

Qualys Inc, a pioneer and provider of disruptive cloud-based IT, security and compliance solutions is adding Infrastructure as Code (IaC) scanning to its CloudView app.

This enables detection and remediation of misconfigurations early in the development cycle, removing risk in the production environment. The (ISC)22021 Cloud Security Report found security teams’ biggest threat with public clouds is the misconfiguration of resources.

Misconfigurations are often detected post-deployment, leaving companies with a much larger attack surface and more vulnerable to exploits. Increasingly, organizations are using IaC to deploy cloud-native applications and provision their cloud infrastructure.

Shift security left to identify and remediate misconfigurations at the IaC template stage.

Detecting security issues earlier in the development cycle accelerates secure application delivery and fosters greater collaboration between DevOps and security teams.

More importantly, it enforces better security policies in the production environment.

Security and risk management leaders managing cloud infrastructure security should create safe-to-fail environments in order to facilitate developer innovation.

Integrate intelligent security tooling with delivery pipelines like infrastructure-as-code [IaC] scanning to identify risks early and alert on unsafe workloads before they are deployed.

Qualys CloudView allows complete visibility and security control of public cloud workloads and now assesses IaC templates for misconfigurations.

IaC assessments are integrated into the software development cycle to ensure that only code conforming to the organisation’s security standards is deployed.

Qualys’ Cloud Platform approach delivers complete visibility, bringing together runtime and build-time posture and the drift between the two into a single view.

Benefits of the new Qualys CloudView capabilities  

Assess security posture throughout CI/CD pipeline

Organisations can now assess the security posture earlier in the development cycle, dramatically reducing security risk post-deployment. CloudView IaC Security provides a command line interface to perform a security assessment locally.

To gate deployment if misconfigurations are detected, plug-ins for source code repositories at check-in and CI/CD platforms are also available.

Adhere to security best practices

CloudView IaC Security makes it easy for organisations to adopt security best practices promoted by cloud platform providers. CloudView IaC Security supports popular IaC languages like – Terraform, CloudFormation (CF), and Azure Resource Manager (ARM).

It checks settingss against security best practices as prescribed by Amazon Web Services, Azure, Google Cloud Platform, and standard bodies including the Center for Internet Security.

CloudView provides remediation hints when a non-compliant configuration is detected.

Ensure compliance with industry mandates

Using CloudView IaC Security, organisations can assure compliance with more than 20 industry mandates such as PCI, HIPAA, and NIST 800-53. This reduces the burden on the DevOps security teams and ensures a streamlined process during mandatory compliance audits.

Sumedh Thakar, the President and Chief Executive Officer of Qualys offered insights.

“With the addition of IaC assessment to CloudView, Qualys is extending its cloud security posture management (CSPM) solution in order to handle shift-left use cases.”

“Leveraging the Qualys Cloud Platform and its integrated apps, customers can now insert security automation into all stages of their application lifecycle ensuring complete visibility into both runtime and build-time posture via a unified dashboard.”


Qualys CloudView with IaC Security is currently in beta and will be available later this year. If you would like to participate in the beta program, please sign up.