We performed a comparison between Qualys Web Application Scanning and SonarQube based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"Qualys Web Application Scanning has multiple features like threat protection and container security scanning in one box."
"The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level."
"It is easy to use."
"We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve issues."
"You can integrate your Burp Suite results and create an integrated report. Also, the way it shows the results - threats and exploit details - makes remediation very easy."
"The vulnerability management feature is a strong one. And also the patch management feature."
"It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools."
"It is a cloud-based solution, so it is easy to scale."
"The product itself has a friendly UI."
"The solution has a wide variety of features and an open-source community through which you are able to learn Java, JavaScript, or any other programming language."
"I like that it covers most programming languages for source code review."
"I like that it helps us maintain our work quality and code security."
"It has very good scalability and stability."
"Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
"SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
"With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas."
"We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 concurrent scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans."
"In certain cases, this product does have false positives, which the company should work on."
"The solution needs to adjust its pricing. They should make it more affordable."
"The pricing does not seem to be competitive."
"The virus code updates are not frequent enough."
"Qualys Web Application Scanning is very complex to use, and its graphical interface is not very user-friendly."
"They should try to include business logic vulnerabilities in the scanner testing."
"There should be better visibility into the application."
"I have found this solution creates more noise than competitors."
"The product needs to integrate other security tools for security scanning."
"It would be a great add-on if SonarQube could update its database for vulnerabilities or plugin parts."
"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
"We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying SonarLint to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved."
"From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not."
"In terms of analysis and findings, other tools provide more in-depth insights and detailed steps to mitigate or handle issues."
"An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."
Qualys Web Application Scanning is ranked 18th in Application Security Tools with 31 reviews while SonarQube is ranked 1st in Application Security Tools with 112 reviews. Qualys Web Application Scanning is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Qualys Web Application Scanning writes "A stable solution that can be used for infrastructure vulnerability scanning and web application scanning". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Qualys Web Application Scanning is most compared with OWASP Zap, Veracode, PortSwigger Burp Suite Professional, Fortify WebInspect and Tenable.io Web Application Scanning, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and GitHub Advanced Security.