We use the solution for scanning and vulnerability management.
IT Security Analyst at Banco de Fomento Angola
A stable and easy-to-deploy solution that helps organizations to manage the vulnerabilities in their network
Pros and Cons
- "The product prevents possible vulnerabilities in our network."
- "The support could be faster."
What is our primary use case?
What is most valuable?
The product prevents possible vulnerabilities in our network.
What needs improvement?
It will be good if Qualys is integrated with QRadar.
For how long have I used the solution?
I have been using the solution for three years.
Buyer's Guide
Qualys Web Application Scanning
December 2024
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
What do I think about the stability of the solution?
The tool is stable.
What do I think about the scalability of the solution?
The tool is scalable since it is on the cloud. We have 60 users.
How are customer service and support?
The support is moderately good. Sometimes, the team responds on time. Sometimes, it takes time. The support could be faster.
Which solution did I use previously and why did I switch?
I have used many other tools. In some cases, I prefer other tools because they give better visibility into the vulnerabilities. In general, Qualys is good.
How was the initial setup?
The initial setup was super easy because it is cloud-based. We use it internally. The installation took two days. We had to improve the tools and create the tags and assets. Two or three engineers can deploy the product. The product is easy to maintain.
What other advice do I have?
I integrate Qualys and QRadar. QRadar is for SCM. It helps centralize the management of the network. It provides good visibility of Qualys. Qualys is a good product. There are better tools in the market. However, I recommend Qualys to others. Overall, I rate the product an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Cyber Security Sales Specialist at a tech services company with 1,001-5,000 employees
Stable and reliable solution with good performance
Pros and Cons
- "It is a cloud-based solution, so it is easy to scale."
- "There should be better visibility into the application."
What is our primary use case?
The primary use case includes scanning the web applications that are public facing.
What is most valuable?
The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera.
What needs improvement?
There should be better visibility into the application.
For how long have I used the solution?
Our customers have been using this solution for more than three years now.
What do I think about the stability of the solution?
It is a stable solution.
What do I think about the scalability of the solution?
It is a cloud-based solution, so it is easy to scale.
We work with enterprise-level clients with over 2500 endpoints.
How are customer service and support?
The customer service and support are good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I would say Qualys is on the better side. It's more about the performance and the quality of the product because it's been around for a long time.
How was the initial setup?
The initial setup is relatively easy. The installation process is quite straightforward, making it user-friendly.
What about the implementation team?
The duration of deployment varies depending on the complexity of the customer's environment and their implementation status. We ensure to accommodate the customer's preferred implementation pace.
What's my experience with pricing, setup cost, and licensing?
We normally purchase an annual license. There are additional costs. From Qualys, it's for the license and maintenance, which includes patches and stuff like that. Additionally, we have our own service delivery costs.
What other advice do I have?
Qualys is a stable and reliable solution. It has been around for a long time.
Overall, I would rate the solution an eight out of ten. There is scope for improvement. It is still an early technology.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Buyer's Guide
Qualys Web Application Scanning
December 2024
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
Security Consultant at Cognizant
User-friendly, good scanning analysis and reporting, and offers real-time vulnerability monitoring
Pros and Cons
- "The interface is user-friendly and easy to understand."
- "The scanner reports a lot of false positives, which is something that needs to be improved."
What is our primary use case?
We primarily use this solution for VM scanning. We scan more than a thousand applications.
What is most valuable?
The most valuable features are scanning analysis and reporting.
This solution also provides real-time monitoring.
The interface is user-friendly and easy to understand.
What needs improvement?
The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities.
The scanner reports a lot of false positives, which is something that needs to be improved.
For how long have I used the solution?
We have been using Qualys for almost a year.
What do I think about the stability of the solution?
The stability is good.
What do I think about the scalability of the solution?
In terms of scalability, Qualys is good.
How are customer service and technical support?
I have not dealt with technical support yet because there are other people dealing with issues that arise. My understanding is that technical support is good.
Which solution did I use previously and why did I switch?
I have also used the Nexus Vulnerability Scanner and it reports fewer false positives.
How was the initial setup?
This solution was implemented before I joined the department.
What's my experience with pricing, setup cost, and licensing?
There are different options available with respect to licensing.
What other advice do I have?
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Technical Lead at a computer software company with 501-1,000 employees
Easy-to-deploy product with good stability
Pros and Cons
- "It is a good product for website penetration testing to detect vulnerabilities."
- "The product's pricing could be better."
What is our primary use case?
We primarily use Qualys Web Application Scanning for website penetration testing.
What is most valuable?
It is a good product for website penetration testing to detect vulnerabilities.
What needs improvement?
The product's pricing could be better.
For how long have I used the solution?
We have been using Qualys Web Application Scanning for less than a year.
What do I think about the stability of the solution?
The platform has good stability.
What do I think about the scalability of the solution?
It is a scalable product.
How are customer service and support?
The technical support services are good.
How was the initial setup?
Qualys Web Application Scanning is easy to deploy.
What's my experience with pricing, setup cost, and licensing?
It is an expensive platform.
What other advice do I have?
Qualys Web Application Scanning is easy to use and deploy. I rate it a nine out of ten. However, it could be less expensive compared to other open-source tools.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Systems Engineer at a computer software company with 501-1,000 employees
It showed us vulnerabilities that we were not aware of and did not know how to test for. The organization of the assets was a little confusing and overwhelming.
What is most valuable?
- Ease of use and setup
- Visibility into our environment
How has it helped my organization?
WAS gave us visibility into our externally exposed web applications and showed us vulnerabilities that we were not aware of and did not know how to test for. We didn't need any knowledge of these vulnerabilities or how they worked to scan for them and to gain the visibility.
What needs improvement?
The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.
For how long have I used the solution?
I have been using it for 18 months.
What was my experience with deployment of the solution?
Scalability would be tough because of how the endpoints are organized. We did not have any issues with deployment or stability.
How are customer service and technical support?
We had a dedicated Technical Account Manager and the support was great.
Which solution did I use previously and why did I switch?
We did not previously use a different solution.
How was the initial setup?
Setup of WAS is pretty straightforward and only the organization of endpoints is a bit complex.
What about the implementation team?
Implementation was very simple because we were only using the cloud product and did not have any on-prem scanners.
What was our ROI?
Being able to gain visibility into our environment created a great ROI and licensing for us was competitive, but would have made it tough to scale to our whole internal environment.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director at Benelec
Effective scanning, scalable, but scanning may result in false positives
Pros and Cons
- "The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done."
- "We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error."
What is our primary use case?
We are using Qualys Web Application Scanning for our customers. We have the expertise in the solution to provide our customers with the results.
We use the tool for scanning web applications for our clients.
What is most valuable?
The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done.
What needs improvement?
We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error.
For how long have I used the solution?
I have been using Qualys Web Application Scanning for approximately five years.
What do I think about the stability of the solution?
The stability of Qualys Web Application Scanning could be better.
I rate the stability of Qualys Web Application Scanning an eight out of ten.
What do I think about the scalability of the solution?
Qualys Web Application Scanning has been scalable we have not had any problems in our operations.
How was the initial setup?
The initial setup of Qualys Web Application Scanning is simple for us. However, we have trained engineers that are registered. The deployment did not take very long.
What about the implementation team?
We do the migration for our customers and provide them with testing results. One person can do the implementation of the solution.
What other advice do I have?
I would recommend this solution to others.
I rate Qualys Web Application Scanning a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Security Expert at a financial services firm with 1,001-5,000 employees
Premature product - not a proper product to be used for PCI approved Web Scanning
v2 Review: Premature product - not a proper product to be used for PCI approved web scanning
Having done numerous penetration tests using various manual and automated tools, today we are focusing on a new tool called QualysGuard Web Application Scanning v2.4.1. In the process of doing a pentest, we often use a quality automated tool to check for standard issues while we focus on the much more difficult issues of the testing. As this reduces the time it takes to do a full test, allows us to work more efficiently, and besides who wants to waste time doing monotonous simplistic checking. In this regard, I have used AppScan quite extensively, and HP WebInspect as well, and both are very good tools for the most part. They help out on the basic checks quite a bit.
Quite recently, I was introduced to QualysGuard Web Application Scanner (WAS) v2.4.1. This tool was very simple to use which is true to Qualys name. Point and click and you are done. Unfortunately, I found out that it didn't help with the standard checks either.
Problem #1
1. It couldn't even authenticate to basic web forms. I've used AppScan on hundreds of sites, and not once was there a problem in not being able to authenticate. A web security tools isn't very useful if it can't get passed the logon screen because that's where most of the application resides. How is it supposed to check anything if it doesn't get passed the logon screen' The Qualys product support/product manager's response to this is to use Selenium Scripting. Unfortunately, the current applications that are being tested only run on Internet Explorer (IE) and Selenium scripting automatic record and playback only works on FireFox. So one must learn a new scripting language in order to make it work with IE. This is hardly an easy point and click solution. Learning a new scripting language is time consuming and error prone. Other professional web scanners have this feature built in.
Problem #2
2. It cannot do a manual explore like other professional tools. For instance, manual explore is needed to fill in certain forms properly in order to get to the critical screens for testing. For example, you must fill in a proper social security number to look up the customer and get to the rest of the application. Qualys WAS does not support this feature. This web scanner doesn't allow the user to fill in the initial forms with proper data thereby never testing the whole application, which is critical. The Qualys product support/product manager's response was this is a simple point and click tool, "we don't support nor do we plan to support complex features such as manual explore."
Problem #3
3. Web service scanner has limited functionality in comparison to other professional tools. In this day and age, many web applications use web services. To not support this feature properly is ridiculous. The Qualys product support/product manager's response, "we only support web service fuzzing at this point." What about testing authenticated web service calls' It also doesn't support pre-populated data on web pages not web services other than the logon screen. This pretty much reduces their web service testing to a dummy tool. To make this work, you have to use tools like SOAPUI or Burp Suite Pro with scripting/plugins to pre-populate data, manual explore, and sequence test steps.
Problem #4
4. Lack of details provided by Qualys.
a. Most professional tools have an audit log that shows exactly what tests were performed and how they were performed. Qualys does not provide an audit log of what tests they did. We are supposed to guess instead as to what might have actually transpired. Real reason behind not providing an audit log is more likely along the lines of they don't all the check they are supposed to and even if they did, it probably wasn't exhaustive testing of say XSS. Either way, we have no idea whether they did the work they claimed to have or not. A Big Mystery Here!
b. No details provided on the actual request/response when a vulnerability is found. True to Qualys name of simplicity. The vulnerability finding is so simplistic and lacking any details as to how it was tested, one wonders how to test whether this finding is a false positive or not. Well, I guess one is supposed to take Qualys word for it. :)
Problem #5
5. Missed critical session management vulnerabilities. Qualys missed a critical session management vulnerability that I had to find manually that AppScan would have found. The Qualys product support/product manager's response, "we are putting in a fix for this soon."
All in all, QualyGuard Web Application Scanner (WAS) v2 is lacking quite a bit in terms of quality and details. Do you want to risk the security of your enterprise by relying on a product like this' Currently, the product is premature and should not considered to be a proper product to used for PCI approved Web Scanning. In fact, it should not even be PCI approved until it matures quite a bit. Qualys needs to understand how a true web application scanner works before releasing a premature product to cash in on a exploding market.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Director, Cloud Platform Engineering at a tech vendor with 5,001-10,000 employees
We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products.
What is most valuable?
We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products. It reports only a few glaring false-positive errors (directory ownership was a common one), and our post-processing dealt with the known exceptions we’d agreed on. The long baseline of iterative results was valuable to track changes and our rate of improvement. Access to the API let us automate its use in our CI/CD pipeline for machine images.
How has it helped my organization?
The biggest benefit was integrating Qualys scanning into our CI/CD pipeline to vulnerability-scan new custom machine images (for OpenStack or AWS) before deployment. We’d build the image, instantiate it, run Qualys against it, get the report, post-process it, look for new errors or changes (if any), review just those and either block deployment or update our exceptions list for next time.
What needs improvement?
The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool.
For how long have I used the solution?
Symantec has run Qualys Enterprise against our private OpenStack cloud for at least three years; we started using the Qualys VA on AWS in 06/17.
What do I think about the stability of the solution?
Only those which Qualys scanning revealed in our OpenStack implementation.
What do I think about the scalability of the solution?
Not really, we spun up multiple Qualys servers to walk through our data center cloud infrastructure on a regular basis.
How are customer service and technical support?
Pretty poor, as usual for almost all software products now. Getting past the Tier 1 and 2 call center people is always a challenge, so throwing the company name around isn’t a bad idea.
Which solution did I use previously and why did I switch?
Don’t know what, if anything, preceded Qualys at Symantec.
How was the initial setup?
It took about a month to get the Qualys scan completely integrated and automated in our CI/CD pipeline, but much of that was due to licensing issues and poor API documentation, not the product installation itself.
What's my experience with pricing, setup cost, and licensing?
The “bring your own licenses” model for the virtual appliance isn’t what you might think, so get a clear explanation up front before assuming you can go use virtual appliances on AWS.
Which other solutions did I evaluate?
Yes, the Symantec Global Security Office (GSO) did this, and I don’t know who else they looked at when the selection was made.
What other advice do I have?
My team was responsible for operating the Symantec development hybrid cloud (about 6K servers in four DCs and multiple AWS regions). We use Qualys Enterprise to scan our private cloud infrastructure and machine images, and the Qualys Virtual Appliance to do custom AMI validation before deployment in AWS. I don’t recall which versions we used but we kept them up to date.
I give them a seven out of 10. The product is pretty good, but not great. It simply isn’t feasible for a tool like this to be accurate (no false negatives, few false positives), so you wind up doing a fair amount of post-processing of scan results. The profile update cycles are not what I’d like to see, so the vendor isn’t reacting to new threats anywhere near fast enough.
Also, look at other vendors, of course. Tenable was getting a lot of good buzz at Symantec last year. Be clear in advance on how much “overhead” you’re willing to pay in order to run “regular” scans on your DC machines and networks. In the cloud space, it’s somewhat better to verify the base image once, and focus on application vulnerabilities, where possible.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Qualys Web Application Scanning Report and get advice and tips from experienced pros
sharing their opinions.
Updated: December 2024
Popular Comparisons
SonarQube Server (formerly SonarQube)
Checkmarx One
Fortify on Demand
Sonatype Lifecycle
PortSwigger Burp Suite Professional
Tenable.io Web Application Scanning
Buyer's Guide
Download our free Qualys Web Application Scanning Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the biggest difference between OWASP Zap and Qualys?
- If you had to both encrypt and compress data during transmission, which would you do first and why?
- When evaluating Application Security, what aspect do you think is the most important to look for?
- What are the Top 5 cybersecurity trends in 2022?
- What are the threats associated with using ‘bogus’ cybersecurity tools?
- Which application security solutions include both vulnerability scans and quality checks?
- We're evaluating Tripwire, what else should we consider?
- Is SonarQube the best tool for static analysis?
- Why Do I Need Application Security Software?
- Which Email Security enterprise solution would you choose: Cisco Secure Email vs Forcepoint Email Security vs Barracuda Email Security Gateway?
This is a review of their Web Application Scanning Product and not Vulnerability Management. Their Vulnerability Management Product is actually pretty good.