Qualys Web Application Scanning Review

It reports fewer false positives than other tools. The tool should have a live HTTP editor and more mature APIs.

Valuable Features

There is nothing out of the box in the Qualys web application scanning module. One good thing is that it reports fewer false positives.

Improvements to My Organization

We use many other products along with Qualys. In a way, Qualys dashboards are good to keep track of vulnerabilities found asset-wise.

Room for Improvement

The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled.

The tool should have more mature APIs for integration and automation. They should provide more flexible APIs to download reports.

Use of Solution

I have been using it for almost four years now.

Stability Issues

Qualys is good, stability-wise.

Scalability Issues

Qualys is perfect, scalability-wise.

Customer Service and Technical Support

On a scale of 1-5 with 5 being the highest, I would rate technical support at 3.

Previous Solutions

I have used Nessus, Burp Suite, and IBM AppScan. Cost- and functionality-wise, I find Burp Suite the best of them all. AppScan is good, but very expensive and reports more false positives.

Initial Setup

Setup is straightforward.

Pricing, Setup Cost and Licensing

Licensing could be cheaper. It is expensive at present.

Other Advice

Qualys is only a good product for in-house vulnerability management programs. It is not feasible to use Qualys for client-facing consulting engagements because of the cost.

Disclosure: I am a real user, and this review is based on my own experience and opinions.