Qualys Web Application Scanning Archived Reviews (More than two years old)

Real User
Senior Information Security Analyst at a financial services firm with 1,001-5,000 employees
Aug 16 2018

What is most valuable?

It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools.

How has it helped my organization?

It gave us an idea of what lay in our network, and the vulnerabilities in it. Most IT admins are not aware of what is happening on the network. It was able to advise them of what's happening on the network. They could see the web-based…

What needs improvement?

The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected. Going…

What's my experience with pricing, setup cost, and licensing?

Licensing was based on the number of assets that you want to scan on your network. You can also do licensing on subscription. On subscription, it is easier and more flexible. You tell Qualys that you want to move from the 1000 to 2000 band…

Which other solutions did I evaluate?

We have been evaluating the following: Rapid7, Tenable.io, Tenable SecurityCenter, and Acunetix for web applications.
Reviewer32192
Vendor
Delivery Manager at a tech vendor with 1,001-5,000 employees
Aug 02 2018

What is most valuable?

We are using scanners and the PCI model. We do PCI scanning because we are a PCI vendor. We are using the tool to do the scanning on whatever the latest vulnerabilities there are, and Qualys is always…

How has it helped my organization?

We are looking for automation in our scanning activities or projects, because manual won't work. So, automation is required for us. As a result, using the Qualys scanner result is helpful for us.

What needs improvement?

In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are…

What's my experience with pricing, setup cost, and licensing?

Qualys has an IT-based licensing based on a yearly license, which is a good way of handling it. However, in some cases, when we do the PCI scanning, the host will not like the scanning and we lose the…

Which solution did I use previously and why did I switch?

We were and still are using webMethods Professional. We use both in tandem to do manual testing. That is our process of doing things.

What other advice do I have?

It is very much stable. If you have a good amount of calendar-based activities, it is good for defining frequency. You can define the calendar internally, then you can do your scanning. Though, it…
Find out what your peers are saying about Qualys, Acunetix, Veracode and others in Application Security. Updated: September 2020.
438,944 professionals have used our research since 2012.
Consultant
Cyber Security Consultant at a tech services company with 10,001+ employees
May 23 2018

What is most valuable?

* It's cloud-based so the installation is not so tedious.
* Easily deployed.
* Highly scalable.
* Comprehensive reporting.

Also, you can integrate your Burp Suite results and create an integrated report. The way it shows the results - threats and exploit details - makes remediation very easy. We have seen very few false positives. We found the documentation very useful, particularly the roll-out…

How has it helped my organization?

It definitely helps us with the remediation process as we can create different reports, whatever is required at the time.

What needs improvement?

The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes. Also, occasionally it can't even authenticate to basic web forms.
Consultant
Deputy Manager at a tech services company with 10,001+ employees
Mar 14 2018

What do you think of Qualys Web Application Scanning?

What is our primary use case?

Cloud hosted application, and was also accessible through mobile app.

How has it helped my organization?

Dynamic features for pen testing automation, with manual.

What is most valuable?

Network scanner has good reporting, coverage was also good. In Web scanner, dashboard was good but features were limited.

What needs improvement?

Please add manual penetration testing features. Also I didn't like the license terms and the features were limited compared to other tools used for web applications.

For how long have I used the solution?

Trial/evaluations only.
Consultant
Ex Senior Security Analyst and Onsite consultant at Paladion Networks
Mar 11 2018

What is most valuable?

QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations.

How has it helped my organization?

In order to finish a project, a penetration test in our company is on average five days, including documentation. Without this tool, the testing would take five days! By using QualysGuard, we are able…

What needs improvement?

In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the scanner testing.

What's my experience with pricing, setup cost, and licensing?

It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders. Try the free trial of the product to understand the basic…

What other advice do I have?

We are an institutional partner of QualysGuard and buy bulk licenses.

Which other solutions did I evaluate?

We did try Acunetix, but the quality of results and user interface of Qualys was excellent in comparison.
Vendor
Sr. Director, Cloud Platform Engineering at a tech vendor with 5,001-10,000 employees
Jun 30 2017

What is most valuable?

We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products. It reports only a few glaring false-positive errors…

How has it helped my organization?

The biggest benefit was integrating Qualys scanning into our CI/CD pipeline to vulnerability-scan new custom machine images (for OpenStack or AWS) before deployment. We’d…

What needs improvement?

The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool.

What's my experience with pricing, setup cost, and licensing?

The “bring your own licenses” model for the virtual appliance isn’t what you might think, so get a clear explanation up front before assuming you can go use virtual…

Which solution did I use previously and why did I switch?

Don’t know what, if anything, preceded Qualys at Symantec.

What other advice do I have?

My team was responsible for operating the Symantec development hybrid cloud (about 6K servers in four DCs and multiple AWS regions). We use Qualys Enterprise to scan our…

Which other solutions did I evaluate?

Yes, the Symantec Global Security Office (GSO) did this, and I don’t know who else they looked at when the selection was made.
Vendor
Senior Security Systems Engineer at a computer software company with 501-1,000 employees
Aug 31 2016

What is most valuable?

* Ease of use and setup
* Visibility into our environment

How has it helped my organization?

WAS gave us visibility into our externally exposed web applications and showed us vulnerabilities that we were not aware of and did not know how to test for. We didn't need any knowledge of these vulnerabilities or how they worked to scan for them and to gain the visibility.

What needs improvement?

The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.
Vendor
Module Lead with 1,001-5,000 employees
Aug 31 2016

What is most valuable?

There is nothing out of the box in the Qualys web application scanning module. One good thing is that it reports fewer false positives.

How has it helped my organization?

We use many other products along with Qualys. In a way, Qualys dashboards are good to keep track of vulnerabilities found asset-wise.

What needs improvement?

The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled. The tool should have more mature APIs for…

What's my experience with pricing, setup cost, and licensing?

Licensing could be cheaper. It is expensive at present.

Which solution did I use previously and why did I switch?

I have used Nessus, Burp Suite, and IBM AppScan. Cost- and functionality-wise, I find Burp Suite the best of them all. AppScan is good, but very expensive and reports more false positives.

What other advice do I have?

Qualys is only a good product for in-house vulnerability management programs. It is not feasible to use Qualys for client-facing consulting engagements because of the cost.
Vendor
Information Security Manager at a comms service provider with 1,001-5,000 employees
Nov 05 2015

What do you think of Qualys Web Application Scanning?

What is most valuable?

* OWASP Top 10 scanning
* PCI-ASV scanning

How has it helped my organization?

It's provided us with comprehensive, proactive, and automated vulnerability assessment.

For how long have I used the solution?

I've used it for two years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service: It's good. Technical Support: It's good.

Which solution did I use previously and why did I switch?

We switched due to there being a high number of false positives.

How was the initial setup?

It was…
Vendor
Info-Security Consultant at a financial services firm with 1,001-5,000 employees
Nov 02 2015

What do you think of Qualys Web Application Scanning?

What is most valuable?

It protects against zero-day vulnerabilities, like Heartbleed.

What needs improvement?

It's missing some zero-day patches.

For how long have I used the solution?

I've used it for a few months.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service: It's high. Technical Support: It's high.

Which solution did I use previously and why did I switch?

I used Rapid7 NeXpose in another shop.

How was the initial setup?

The product was already installed when I got there, I just added more scanning jobs…
Consultant
Security Analyst at a tech services company with 1,001-5,000 employees
Jun 16 2015

What do you think of Qualys Web Application Scanning?

What is most valuable?

WAS and being able to integrate Selenium IDE to automate the login process was most helpful.

How has it helped my organization?

The scheduling feature allows scanning on the weekends and holidays in a planned way.

What needs improvement?

Enhancing the capability to find XSS.

For how long have I used the solution?

I've used it for six months.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service: I've never had the chance to interact. Technical Support: I've never had the chance to interact.

Which

Vendor
Security Expert at a financial services firm with 1,001-5,000 employees
Mar 14 2013

What do you think of Qualys Web Application Scanning?

v2 Review: Premature product - not a proper product to be used for PCI approved web scanning

Having done numerous penetration tests using various manual and automated tools, today we are focusing on a new tool called QualysGuard Web Application Scanning v2.4.1. In the process of doing a pentest, we often use a quality automated tool to check for standard issues while we focus on the much more difficult issues of the testing. As this reduces the time it takes to do a full test, allows us to work more efficiently, and besides who wants to waste time doing monotonous simplistic checking. In this regard, I have used AppScan quite extensively, and HP WebInspect as well, and both are very good tools for the most part. They help out on the basic checks quite a bit. Quite recently, I was…

What is Qualys Web Application Scanning?

Qualys Web Application Scanning (WAS) is a cloud service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure a large number of websites. It also proactively scans websites for malware infections, sending alerts to website owners to help prevent blacklisting and brand reputation damage.
Also known as
Qualys WAS
Qualys Web Application Scanning customers
BskyB, Cartagena, ClearPoint Learning Systems, Connect Group, du, Fortrex Technologies, HBOR, HDI, Highlights for Children, The Lithuanian State Enterprise Centre of Registers, City of Miami Beach, Microsoft, MidlandHR, MSCI Inc., Northern Arizona University, Ofgem, Olympus Europa, PhoneFactor, RTL Nederland, ThousandEyes, VGZ Organisatie B.V.