Qualys Web Application Scanning Reviews

There are two parts. We use Web Application Scanning licenses to constantly assess our websites. When there are any changes on our websites, Qualys checks to see if there is a vulnerability. We use a SecOps/DevOps methodology, so Qualys is integrated into the development cycle. Qualys runs every time we update the site.

Qualys' process of updating signatures is something we really appreciate, and it's way ahead of its industry peers. 

We have been using Web Application Scanning since 2018. 

Web Application Scanning is a stable solution.

We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 conference scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans.

I've had some issues with Qualys support. It's transactional. There is no face to the support model. I don't see anyone from Qualys engaging with us on a quarterly business or annual business review to help us understand if we are fully utilizing Qualys' capabilities. 

This isn't a technical problem. It's more of an issue with customer relations. I think they can improve by touching base with us more often to let us know if our rollout is following industry best practices or not. 

We used Verizon to help us with the rollout, and there were no trouble tickets or any technical issues with the rollout, so I would say the implementation was pretty smooth. The design-build phase took a couple of weeks.

We pay for a yearly license, but we also pay a separate cost for an engineer from Verizon.

When evaluating Qualys, we looked at industry best practices and state of-art-tools. Qualys was the default leader in its segment, so we went ahead with Qualys. I've used other solutions in the past, but Qualys the segment. That's why we went with them.

I rate Qualys Web Application Scanning nine out of 10. I think Web Application Scanning should integrate VMDR, a more enhanced capability that Qualys offers for enterprise vulnerability assessments. However, Qualys is way ahead of the competition on the web application front. 

If you're an industrial company, you should evaluate the OT scanning capability that Qualys is about to launch. It will cover all your enterprise web applications and secure your factories as well. Qualys should be a one-stop shop meeting all your end-to-end vulnerability assessment requirements, so you don't need to buy solutions from different vendors,

The primary use case includes scanning the web applications that are public facing.

The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera.

There should be better visibility into the application.

Our customers have been using this solution for more than three years now.

It is a stable solution.

It is a cloud-based solution, so it is easy to scale.

We work with enterprise-level clients with over 2500 endpoints.

The customer service and support are good.

Positive

I would say Qualys is on the better side. It's more about the performance and the quality of the product because it's been around for a long time.

The initial setup is relatively easy. The installation process is quite straightforward, making it user-friendly.

The duration of deployment varies depending on the complexity of the customer's environment and their implementation status. We ensure to accommodate the customer's preferred implementation pace.

We normally purchase an annual license. There are additional costs. From Qualys, it's for the license and maintenance, which includes patches and stuff like that. Additionally, we have our own service delivery costs.

Qualys is a stable and reliable solution. It has been around for a long time.

Overall, I would rate the solution an eight out of ten. There is scope for improvement. It is still an early technology.

We primarily use this solution for VM scanning. We scan more than a thousand applications.

The most valuable features are scanning analysis and reporting.

This solution also provides real-time monitoring.

The interface is user-friendly and easy to understand.

The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities.

The scanner reports a lot of false positives, which is something that needs to be improved.

We have been using Qualys for almost a year.

The stability is good.

In terms of scalability, Qualys is good.

I have not dealt with technical support yet because there are other people dealing with issues that arise. My understanding is that technical support is good.

I have also used the Nexus Vulnerability Scanner and it reports fewer false positives.

This solution was implemented before I joined the department.

There are different options available with respect to licensing.

I would rate this solution an eight out of ten.

We primarily use Qualys Web Application Scanning for website penetration testing.

It is a good product for website penetration testing to detect vulnerabilities.

The product's pricing could be better.

We have been using Qualys Web Application Scanning for less than a year.

The platform has good stability.

It is a scalable product.

The technical support services are good.

Qualys Web Application Scanning is easy to deploy.

It is an expensive platform.

Qualys Web Application Scanning is easy to use and deploy. I rate it a nine out of ten. However, it could be less expensive compared to other open-source tools.

• Ease of use and setup
• Visibility into our environment

WAS gave us visibility into our externally exposed web applications and showed us vulnerabilities that we were not aware of and did not know how to test for. We didn't need any knowledge of these vulnerabilities or how they worked to scan for them and to gain the visibility.

The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.

I have been using it for 18 months.

Scalability would be tough because of how the endpoints are organized. We did not have any issues with deployment or stability.

We had a dedicated Technical Account Manager and the support was great.

We did not previously use a different solution.

Setup of WAS is pretty straightforward and only the organization of endpoints is a bit complex.

Implementation was very simple because we were only using the cloud product and did not have any on-prem scanners.

Being able to gain visibility into our environment created a great ROI and licensing for us was competitive, but would have made it tough to scale to our whole internal environment.

We are using Qualys Web Application Scanning for our customers. We have the expertise in the solution to provide our customers with the results.

We use the tool for scanning web applications for our clients.

The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done.

We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error.

I have been using Qualys Web Application Scanning for approximately five years.

The stability of Qualys Web Application Scanning could be better.

I rate the stability of Qualys Web Application Scanning an eight out of ten.

Qualys Web Application Scanning has been scalable we have not had any problems in our operations.

The initial setup of Qualys Web Application Scanning is simple for us. However, we have trained engineers that are registered. The deployment did not take very long.

We do the migration for our customers and provide them with testing results. One person can do the implementation of the solution.

I would recommend this solution to others.

I rate Qualys Web Application Scanning a seven out of ten.

We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products. It reports only a few glaring false-positive errors (directory ownership was a common one), and our post-processing dealt with the known exceptions we’d agreed on. The long baseline of iterative results was valuable to track changes and our rate of improvement. Access to the API let us automate its use in our CI/CD pipeline for machine images.

The biggest benefit was integrating Qualys scanning into our CI/CD pipeline to vulnerability-scan new custom machine images (for OpenStack or AWS) before deployment. We’d build the image, instantiate it, run Qualys against it, get the report, post-process it, look for new errors or changes (if any), review just those and either block deployment or update our exceptions list for next time.

The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool.

Symantec has run Qualys Enterprise against our private OpenStack cloud for at least three years; we started using the Qualys VA on AWS in 06/17.

Only those which Qualys scanning revealed in our OpenStack implementation.

Not really, we spun up multiple Qualys servers to walk through our data center cloud infrastructure on a regular basis.

Pretty poor, as usual for almost all software products now. Getting past the Tier 1 and 2 call center people is always a challenge, so throwing the company name around isn’t a bad idea.

Don’t know what, if anything, preceded Qualys at Symantec.

It took about a month to get the Qualys scan completely integrated and automated in our CI/CD pipeline, but much of that was due to licensing issues and poor API documentation, not the product installation itself.

The “bring your own licenses” model for the virtual appliance isn’t what you might think, so get a clear explanation up front before assuming you can go use virtual appliances on AWS.

Yes, the Symantec Global Security Office (GSO) did this, and I don’t know who else they looked at when the selection was made.

My team was responsible for operating the Symantec development hybrid cloud (about 6K servers in four DCs and multiple AWS regions). We use Qualys Enterprise to scan our private cloud infrastructure and machine images, and the Qualys Virtual Appliance to do custom AMI validation before deployment in AWS. I don’t recall which versions we used but we kept them up to date.

I give them a seven out of 10. The product is pretty good, but not great. It simply isn’t feasible for a tool like this to be accurate (no false negatives, few false positives), so you wind up doing a fair amount of post-processing of scan results. The profile update cycles are not what I’d like to see, so the vendor isn’t reacting to new threats anywhere near fast enough.

Also, look at other vendors, of course. Tenable was getting a lot of good buzz at Symantec last year. Be clear in advance on how much “overhead” you’re willing to pay in order to run “regular” scans on your DC machines and networks. In the cloud space, it’s somewhat better to verify the base image once, and focus on application vulnerabilities, where possible.