We performed a comparison between Qualys Web Application Scanning and Sonatype Lifecycle based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."Its most valuable features are patch management, vulnerability management, and PCI compliance."
"The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera."
"The product prevents possible vulnerabilities in our network."
"The vulnerability management feature is a strong one. And also the patch management feature."
"It is a very stable solution."
"Qualys WAS' most valuable features are the navigation flow of the UI and the option for a different layer of security (identification and operation through email and mobile)."
"The simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good."
"It is a good product for website penetration testing to detect vulnerabilities."
"Vulnerability detection accuracy is good."
"The IQ server and repo are the most valuable."
"The grandfathering mode allows us to add legacy applications which we know we're not going to change or refactor for some time. New developments can be scanned separately and we can obviously resolve those vulnerabilities where there are new applications developed. The grandfathering is a good way to separate what can be factored now, versus long-term technical debt."
"It was very easy to integrate into our build pipeline, with Jenkins and Nexus Repository as the central product."
"The value I get from IQ Server is that I get information on real business risks. Is something compliant, are we using the proper license?"
"The key feature for Nexus Lifecycle is the proprietary data they have on vulnerabilities. The way that they combine all the different sources and also their own research into one concise article that clearly explains what the problem is. Most of the time, and even if you do notice that you have a problem, the public information available is pretty weak. So, if we want to assess if a problem applies to our product, it's really hard. We need to invest a lot of time digging into the problem. This work is basically done by Sonatype for us. The data that it delivers helps us with fixing or understanding the issue a lot quicker than without it."
"Lifecycle lets developers see any vulnerabilities or AGPL license issues associated with code in the early stages of development. The nice thing is that it's built into the ID so that they can see all versions of a specific code."
"Among its valuable features, it's easy to handle and easy configure, it's user-friendly, and it's easy to map and integrate."
"In certain cases, this product does have false positives, which the company should work on."
"They should try to include business logic vulnerabilities in the scanner testing."
"There should be better visibility into the application."
"The product should allow users to upload their payloads."
"The UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs."
"We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error."
"There could be better management and faster scanning."
"There's a distinction between internal and external scanning processes that could be streamlined. Currently, for internal scanning, specific configurations and scanner appliances need to be deployed within the network, which differs from the simpler setup for external scans. This dual process complicates the setup for comprehensive scanning coverage."
"Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize."
"Sonatype Nexus Lifecycle can improve the functionality. Some functionalities are missing from the UI that could be accessed using the API but they are not available. For example, seeing more than the 100 first reports or, seeing your comments when you process a waiver for a vulnerability or a violation."
"The reporting could be better."
"The generation of false positives should be reduced."
"The GUI is simple, so it's easy to use. It started as great to use, but for larger scale companies, it also comes with some limitations. This is why we tried to move to more of an API approach. So, the GUI could use some improvements potentially."
"It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier."
"They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan, we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for."
"It could be because I need to learn more about Sonatype Nexus Lifecycle, but as a leader, if I want to analyze the vulnerability situation and how it is and the forecast, I'd like to look at the reports and understand what the results mean. It's been challenging for me to understand the reports and dashboards on Sonatype Nexus Lifecycle, so I'll need to take a course or watch some YouTube tutorials about the product. If Sonatype Nexus Lifecycle has documentation that could help me properly analyze the vulnerability situation and what the graphs mean, then that would be helpful. I need help understanding what each graph is showing, and it seems my company is the worst, based on the chart. Still, I need clarification, so if there were some documentation, a more extensive knowledge base, or a question mark icon you could hover over that would explain what each data on the graph means, that would make Sonatype Nexus Lifecycle better."
More Qualys Web Application Scanning Pricing and Cost Advice →
Qualys Web Application Scanning is ranked 19th in Application Security Tools with 31 reviews while Sonatype Lifecycle is ranked 5th in Application Security Tools with 43 reviews. Qualys Web Application Scanning is rated 7.8, while Sonatype Lifecycle is rated 8.4. The top reviewer of Qualys Web Application Scanning writes "A stable solution that can be used for infrastructure vulnerability scanning and web application scanning". On the other hand, the top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". Qualys Web Application Scanning is most compared with OWASP Zap, Veracode, SonarQube, PortSwigger Burp Suite Professional and Fortify WebInspect, whereas Sonatype Lifecycle is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, GitLab and Sonatype Repository Firewall. See our Qualys Web Application Scanning vs. Sonatype Lifecycle report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.