Qualys Web Application Scanning Reviews

We primarily use this solution for VM scanning. We scan more than a thousand applications.

The most valuable features are scanning analysis and reporting.

This solution also provides real-time monitoring.

The interface is user-friendly and easy to understand.

The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities.

The scanner reports a lot of false positives, which is something that needs to be improved.

We have been using Qualys for almost a year.

The stability is good.

In terms of scalability, Qualys is good.

I have not dealt with technical support yet because there are other people dealing with issues that arise. My understanding is that technical support is good.

I have also used the Nexus Vulnerability Scanner and it reports fewer false positives.

This solution was implemented before I joined the department.

There are different options available with respect to licensing.

I would rate this solution an eight out of ten.

• Ease of use and setup
• Visibility into our environment

WAS gave us visibility into our externally exposed web applications and showed us vulnerabilities that we were not aware of and did not know how to test for. We didn't need any knowledge of these vulnerabilities or how they worked to scan for them and to gain the visibility.

The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.

I have been using it for 18 months.

Scalability would be tough because of how the endpoints are organized. We did not have any issues with deployment or stability.

We had a dedicated Technical Account Manager and the support was great.

We did not previously use a different solution.

Setup of WAS is pretty straightforward and only the organization of endpoints is a bit complex.

Implementation was very simple because we were only using the cloud product and did not have any on-prem scanners.

Being able to gain visibility into our environment created a great ROI and licensing for us was competitive, but would have made it tough to scale to our whole internal environment.

We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products. It reports only a few glaring false-positive errors (directory ownership was a common one), and our post-processing dealt with the known exceptions we’d agreed on. The long baseline of iterative results was valuable to track changes and our rate of improvement. Access to the API let us automate its use in our CI/CD pipeline for machine images.

The biggest benefit was integrating Qualys scanning into our CI/CD pipeline to vulnerability-scan new custom machine images (for OpenStack or AWS) before deployment. We’d build the image, instantiate it, run Qualys against it, get the report, post-process it, look for new errors or changes (if any), review just those and either block deployment or update our exceptions list for next time.

The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool.

Symantec has run Qualys Enterprise against our private OpenStack cloud for at least three years; we started using the Qualys VA on AWS in 06/17.

Only those which Qualys scanning revealed in our OpenStack implementation.

Not really, we spun up multiple Qualys servers to walk through our data center cloud infrastructure on a regular basis.

Pretty poor, as usual for almost all software products now. Getting past the Tier 1 and 2 call center people is always a challenge, so throwing the company name around isn’t a bad idea.

Don’t know what, if anything, preceded Qualys at Symantec.

It took about a month to get the Qualys scan completely integrated and automated in our CI/CD pipeline, but much of that was due to licensing issues and poor API documentation, not the product installation itself.

The “bring your own licenses” model for the virtual appliance isn’t what you might think, so get a clear explanation up front before assuming you can go use virtual appliances on AWS.

Yes, the Symantec Global Security Office (GSO) did this, and I don’t know who else they looked at when the selection was made.

My team was responsible for operating the Symantec development hybrid cloud (about 6K servers in four DCs and multiple AWS regions). We use Qualys Enterprise to scan our private cloud infrastructure and machine images, and the Qualys Virtual Appliance to do custom AMI validation before deployment in AWS. I don’t recall which versions we used but we kept them up to date.

I give them a seven out of 10. The product is pretty good, but not great. It simply isn’t feasible for a tool like this to be accurate (no false negatives, few false positives), so you wind up doing a fair amount of post-processing of scan results. The profile update cycles are not what I’d like to see, so the vendor isn’t reacting to new threats anywhere near fast enough.

Also, look at other vendors, of course. Tenable was getting a lot of good buzz at Symantec last year. Be clear in advance on how much “overhead” you’re willing to pay in order to run “regular” scans on your DC machines and networks. In the cloud space, it’s somewhat better to verify the base image once, and focus on application vulnerabilities, where possible.

• OWASP Top 10 scanning
• PCI-ASV scanning

It's provided us with comprehensive, proactive, and automated vulnerability assessment.

I've used it for two years.

No issues encountered.

No issues encountered.

No issues encountered.

It's good.

It's good.

We switched due to there being a high number of false positives.

It was straightforward.

We used an integrato

• Nessus
• Acunetix
• Tripwire

My primary use case of this solution is to audit the security level of my customer's internet. We offer this as a service.

The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level. 

They should improve the performance of the security scanning. It should have better performance. 

The stability is very good. 

The scalability is very good. It is very easy to expand this solution. We scan on an IP address basis. We have credit for 250 IP addresses, and we are free to use it in our user environment, or on the cloud. 

We have around twenty users using this solution. 

Their technical support is good. We don't use them frequently because we offer that service. 

I also checked Rapid7 for internal scanning. I picked Qualys for a specific use. It's a SaaS service. We use it to audit the security level of my customer's internet. 

The initial setup is straightforward. A deployment that we did last week took four hours in order to launch it. 

I am an integrator. I work for an integration company. I do the deployments. 

Our licensing costs are on a yearly basis. We buy a group of IP addresses we can scan on a yearly basis. 

I would advise someone considering this product is to find a solution that is easy to use. We use this solution because we need to.

I would rate it an eight out of ten. Not a ten because the reporting needs improvement. It should have better automatic reporting. 

We use it for external connection testing whenever we have a customer who utilizes post scanning tools for their main message. From the scanner's perspective, we use the scanner results to do manual testing.

We are looking for automation in our scanning activities or projects, because manual won't work. So, automation is required for us. As a result, using the Qualys scanner result is helpful for us.

We are using scanners and the PCI model. We do PCI scanning because we are a PCI vendor. We are using the tool to do the scanning on whatever the latest vulnerabilities there are, and Qualys is always providing us updates. We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not.

In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.

It has been stable.

It is good and scalable.

Technical support is responsive.

We were and still are using webMethods Professional. We use both in tandem to do manual testing. That is our process of doing things.

We use the cloud instances for our setups. We have one setup, and it is on the cloud, so it is not complex. Actually, we don't have to do any set up. 

We have applications located in our different offices, and so far there set up has not been a challenge.

Qualys has an IT-based licensing based on a yearly license, which is a good way of handling it. However, in some cases, when we do the PCI scanning, the host will not like the scanning and we lose the IT license. So, this could be improved.

It is a very much stable. If you have a good amount of calender-based activities, it is good for defining frequency. You can define the calendar internally, then you can do your scanning. Though, it has some triaging features which should finally be fixed. 

There is nothing out of the box in the Qualys web application scanning module. One good thing is that it reports fewer false positives.

We use many other products along with Qualys. In a way, Qualys dashboards are good to keep track of vulnerabilities found asset-wise.

The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled.

The tool should have more mature APIs for integration and automation. They should provide more flexible APIs to download reports.

I have been using it for almost four years now.

Qualys is good, stability-wise.

Qualys is perfect, scalability-wise.

On a scale of 1-5 with 5 being the highest, I would rate technical support at 3.

I have used Nessus, Burp Suite, and IBM AppScan. Cost- and functionality-wise, I find Burp Suite the best of them all. AppScan is good, but very expensive and reports more false positives.

Setup is straightforward.

Licensing could be cheaper. It is expensive at present.

Qualys is only a good product for in-house vulnerability management programs. It is not feasible to use Qualys for client-facing consulting engagements because of the cost.