We performed a comparison between Qualys Web Application Scanning and SonarQube based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The vulnerability management feature is a strong one. And also the patch management feature."
"The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level."
"The product prevents possible vulnerabilities in our network."
"We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not."
"You can integrate your Burp Suite results and create an integrated report. Also, the way it shows the results - threats and exploit details - makes remediation very easy."
"It is a cloud-based solution, so it is easy to scale."
"With our vulnerabilities under control, it's putting our services in compliance and minimizing our risk for exposure."
"Key features include: Cloud-based, so the installation is not so tedious. Easily deployed. Highly scalable. Comprehensive reporting."
"Improve the code coverage and evaluates the technical steps and percentage of code being resolved."
"Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
"The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
"There is a free version."
"The solution has a plug-in that supports both C and C++ languages."
"We advise all of our developers to have this solution in place."
"This solution has the capability to analyze source code in almost all the languages in the market."
"The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools."
"The reporting contains too many false positives."
"There should be better visibility into the application."
"The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected."
"In certain cases, this product does have false positives, which the company should work on."
"The pricing does not seem to be competitive."
"The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes."
"The software’s pricing could be improved."
"They should try to include business logic vulnerabilities in the scanner testing."
"It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."
"The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages."
"We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."
"There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."
"For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
"During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit."
"I am not very pleased with the technical debt computation."
More Qualys Web Application Scanning Pricing and Cost Advice →
Qualys Web Application Scanning is ranked 19th in Application Security Tools with 31 reviews while SonarQube is ranked 1st in Application Security Tools with 108 reviews. Qualys Web Application Scanning is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Qualys Web Application Scanning writes "A stable solution that can be used for infrastructure vulnerability scanning and web application scanning". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Qualys Web Application Scanning is most compared with OWASP Zap, Veracode, PortSwigger Burp Suite Professional, Fortify WebInspect and Tenable.io Web Application Scanning, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Snyk. See our Qualys Web Application Scanning vs. SonarQube report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.