it_user254973 - PeerSpot reviewer
Manager Information Security at a healthcare company with 10,001+ employees
Real User
There are some stability issues with reporting, but it's straightforward to implement.

What is most valuable?

Vulnerability management.

How has it helped my organization?

It has helped to automate the vulnerability management program, increasing the security posture and helped us to identify the security risks in our infrastructure.

What needs improvement?

Web application security model needs some work.

For how long have I used the solution?

I've been using it for four years, including VM, PCI, WAS and MDS features.

Buyer's Guide
Qualys VMDR
April 2024
Learn what your peers think about Qualys VMDR. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
769,334 professionals have used our research since 2012.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

There have been a few times, related to reporting, that we've had issues, but overall it's stable.

How are customer service and support?

Customer Service:

Excellent, the Qualys support team always helps on a priority basis.

Technical Support:

Excellent!

Which solution did I use previously and why did I switch?

No previous solution was used.

How was the initial setup?

It was straightforward.

What about the implementation team?

It was done in-house.

Which other solutions did I evaluate?

No other options were looked at.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user5130 - PeerSpot reviewer
Security Expert at a financial services firm with 1,001-5,000 employees
Vendor
Makes many promises but in order to do so, Qualys requires the client to provide a backdoor to the system.

The QualysGuard Private Cloud Platform (QG PCP) makes many promises, one of which is that vulnerability scan data can be hosted by a private cloud platform in a client's data center and under the client's control. If taken at their word, this may seem promising, but the reality is that Qualys still will have to manage this platform remotely. By doing so, they will have access to this data remotely anyway and can pull it down to their site as needed. Needless to say, Qualys requires the client to provide a backdoor to the system.

The Qualys PCP equipment is leased and never sold to the customer. There are many legal issues with this, which allow them to access their equipment. They require the customer to give them remote access in order for them to manage it remotely. That is a requirement and not an option. They keep it a big secret how it is managed.

Remote Access

What kind of remote access to the QG PCP do they require?

1. Persistent iVPN tunnel
2. VPN remote access account

Qualys still has the means to pull the data back to Qualys through SSH/SCP even though it is hosted on a customer site. In fact, Qualys does not allow the customer to monitor the network traffic being sent back to Qualys. Such requests were flat out refused during a security assessment. What they pull back is their business and the customer has no right to know.

Network Sniffer

Network monitoring had to be done outside of the QG PCP as Qualys did not allow internal network sniffing. This traffic analysis did show a few weaknesses.

1. Emails were being sent to the email server UNENCRYPTED. Yes, one could see the message being sent as well as who the recipients were. Emails were being sent back to Qualys through the Internet. A lot of sensitive information was sent unencrypted, including server names, configuration, scripts, running jobs, listening ports, and full internal DNS names.

2. Internet connections from Indonesia were seen accessing the QG PCP even though it was supposed to be in a controlled access network in a data center.

3. A lot of failed DNS requests to www.qualys.com and other Qualys subdomains; it looks like the system has not been fine-tuned to be hosted at a client site. The interesting thing is that it tries to do Windows updates on its own by accessing the Internet.

4. Undocumented protocols used by the Qualys PCP; namely AppleTalk, CMIP-Man, and Feixin.

5. Syslog messages sent across the network unencrypted.

Firewall Rule Analysis

Firewall rule analysis shows that SSH is allowed into the platform through VPN firewall as well as HTTP(S) protocols.

Internet Access

The Qualys PCP itself does access network traffic in and out of the controlled access network environment as seen in the diagram below.

1. The Qualys PCP Service Network requires outbound communication for

a. NTP – Time Synchronization

b. DNS – Name Resolution

c. SMTP – Email

d. WHOIS – External Internet

e. Daily Vulnerability Updates - External Internet.

WHOIS pulls information from the Internet and Daily Signature Updates are pulled from Qualys through the Internet on port 443. In effect, the PCP is pulling information from Qualys through the Internet to retrieve updates. A man-in-the-middle attack could intercept the update and instead return a malware update to the Qualys PCP provided that a vulnerability exists in the platform.

2. The physical scanners communicate to the Qualys PCP. This requires that inbound port 443 be opened on the PCP. Physical scanners in the DMZ also need to communicate to the PCP on port 443. Access to the PCP from the DMZ increases the risk.

3. Qualys SOC accesses the PCP through iVPN and VPN connections from the Internet for maintenance and support.

Virtual Scanners

A sniffer placed on a virtual scanner showed that it chose to use SSLv3, which is deprecated, by default on some servers to communicate to the Qualys PCP. In particular, it uses SSLv3 with RC4-MD5. MD5 is obsolete. Qualys documentation claims they use TLSv1 and the latest modern secure protocols.

Application Analysis

Perl API

Application analysis was done by running Perl scripts against the qualysapi server and testing for vulnerabilities. The server itself was found to be vulnerable by accepting login credentials for API requests via base64 encoding and passed through plaintext HTTP. This could result in the loss and capture of Qualys Admin credentials, which could result in access to vulnerability scan results.

Web Application

The Qualys Web Application tests resulted in a number of vulnerabilities.

Qualys PCP Internal

Additional vulnerabilities were found inside the Qualys PCP infrastructure itself. It was found to be very insecure.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
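The review above lists several observations a defender would want to catch systematically: credentials in an Authorization header over plaintext HTTP, a scanner negotiating SSLv3 with RC4-MD5, syslog and email leaving the appliance unencrypted, and outbound connections beyond the documented NTP/DNS/SMTP/WHOIS/HTTPS set. The following added example (not code from the reviewer, PeerSpot or Qualys) audits a constructed set of one-line flow summaries for exactly those conditions. The record format (`proto/port direction summary`), the expected-outbound service set and the sample lines are all assumptions made for the example; a real deployment would feed it flow or proxy logs in whatever format the capture tool produces.

```python
"""Audit constructed flow summaries for the cleartext and weak-crypto issues
a private scanning appliance should never exhibit. Added example; the record
format, the expected service set and the sample lines are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

# Documented outbound services for the appliance service network (assumption,
# modelled on the review's list: NTP, DNS, SMTP, WHOIS, HTTPS signature updates).
EXPECTED_OUTBOUND = {("udp", 123), ("udp", 53), ("tcp", 53), ("tcp", 25),
                     ("tcp", 43), ("tcp", 443)}

WEAK_TLS_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXPORT")

# One record per line: "<proto>/<port> <in|out> <free-text summary>".
LINE_RE = re.compile(r"^(?P<proto>tcp|udp)/(?P<port>\d+)\s+(?P<dir>in|out)\s+(?P<summary>.*)$")
TLS_RE = re.compile(r"version=(?P<ver>\S+)\s+cipher=(?P<cipher>\S+)")
AUTH_RE = re.compile(r"Authorization:\s*(Basic|Bearer)\s")

# Constructed sample observations (not a real capture). The Basic token is the
# base64 of "user:pass", a placeholder, and is never decoded here.
SAMPLE_OBSERVATIONS = """\
tcp/80 in POST /api/login HTTP/1.1 Authorization: Basic dXNlcjpwYXNz
tcp/443 in TLS ClientHello version=SSLv3 cipher=RC4-MD5
tcp/443 out TLS ClientHello version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
udp/514 out <134>scanner01 jobd: scan 42 finished
tcp/25 out MAIL FROM:<pcp@example.invalid> RCPT TO:<ops@example.invalid>
udp/123 out NTP client request
tcp/80 out GET /windowsupdate HTTP/1.1 Host: update.example.invalid
"""


@dataclass
class Finding:
    rule: str
    record: str


def parse(line):
    """Return (proto, port, direction, summary) or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["proto"], int(m["port"]), m["dir"], m["summary"]


def audit_record(line):
    """Apply every rule to one record; a record may trigger several findings."""
    parsed = parse(line)
    if parsed is None:
        return [Finding("unparseable", line)]
    proto, port, direction, summary = parsed
    findings = []
    # 1. Credentials in an Authorization header on a port that is not TLS.
    if port != 443 and AUTH_RE.search(summary):
        findings.append(Finding("credentials-over-plaintext-http", line))
    # 2. Deprecated protocol version or weak cipher suite in a TLS handshake.
    tls = TLS_RE.search(summary)
    if tls:
        if tls["ver"] in WEAK_TLS_VERSIONS:
            findings.append(Finding("deprecated-tls-version", line))
        if any(tok in tls["cipher"].upper() for tok in WEAK_CIPHER_TOKENS):
            findings.append(Finding("weak-cipher", line))
    # 3. Syslog over UDP/514 has no transport encryption at all.
    if proto == "udp" and port == 514:
        findings.append(Finding("cleartext-syslog", line))
    # 4. SMTP on port 25 without STARTTLS sends mail bodies in the clear.
    if proto == "tcp" and port == 25 and "STARTTLS" not in summary:
        findings.append(Finding("cleartext-smtp", line))
    # 5. Outbound flow that is not in the documented service set.
    if direction == "out" and (proto, port) not in EXPECTED_OUTBOUND:
        findings.append(Finding("undocumented-outbound", line))
    return findings


def audit(lines):
    """Audit an iterable of record lines, skipping blank ones."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(audit_record(line))
    return findings


def summarize(findings):
    """Count findings per rule, which is what a review report usually needs."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_OBSERVATIONS.splitlines())
    for f in results:
        print(f"{f.rule:32} {f.record}")
    print(summarize(results))
```

The rules are deliberately conservative: they flag the presence of a credential header on a non-TLS port rather than decoding it, and they treat any outbound flow outside the documented set as worth a question, which is the same test the reviewer applied to the Windows Update and failed-DNS traffic.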
GM Network Information Security at a tech services company with 1,001-5,000 employees
Real User
Helpful support and scalable
Pros and Cons
  • "Qualys VM had a recent upgrade and the newer version is supporting the cloud."
  • "The reporting and dashboards could improve in Qualys VM. However, they have improved since the previous versions."

What is most valuable?

Qualys VM had a recent upgrade and the newer version is supporting the cloud.

What needs improvement?

The reporting and dashboards could improve in Qualys VM. However, they have improved since the previous versions.

For how long have I used the solution?

I have been using Qualys VM for approximately 10 years.

What do I think about the scalability of the solution?

Qualys VM is highly scalable.

How are customer service and support?

The technical support was very good from Qualys VM.

What was our ROI?

Qualys VM helps to identify the vulnerabilities on a timely basis. It helps the companies to upgrade their networks and apply patches. In the latest version, it has added the patching capability, it's very useful.

What other advice do I have?

My advice to others is this is one of the top solutions in its category. However, they can evaluate many solutions to see for themselves. 

I would recommend this solution to others to implement it in their network.

I rate Qualys VM an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user254613 - PeerSpot reviewer
Security Consultant at Cyber Intelligence Sdn Bhd
Consultant
The reporting features need to be improved, but you don't need to spend a lot of time on the deployment.

What is most valuable?

The fact that it's on the cloud, so there's no configuration whatsoever on my physical machine except for the VM scanner.

How has it helped my organization?

It now takes less time to run a vulnerability assessment for our client. I do not have to bring two laptops anymore to my clients' sites.

What needs improvement?

Maybe the reporting features. It is too granular, so that if someone new wants to get familiar with it, they will have a hard time. A few more tutorials or guides on screen would also be appreciated.

For how long have I used the solution?

I've been using the consultant edition for two years.

What was my experience with deployment of the solution?

There were some issues during the internal scanner deployment, but the issue was mostly not the product, but more the network architecture of our client.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

9/10

Technical Support:

9/10

Which solution did I use previously and why did I switch?

Rapid 7 Nexpose. To use the software, it takes a whole laptop just to run it, and the results have too much redundancy. Additionally, the scan rate is very slow compared to Qualys, and furthermore it is too expensive when compared to Qualys.

How was the initial setup?

It's very straightforward. Basically you can scan anything external/internet facing within five minutes. For internal scans you have to deploy the internal scanner which can be done in five minutes if the network architecture is not too complex.

What about the implementation team?

It was done in-house, but the help we get from their Singapore support team is awesome.

Which other solutions did I evaluate?

  • Nessus
  • Nexpose

What other advice do I have?

Use it. It is a great product. Many people are sceptical that their scan results are in the cloud. But if you want something affordable and that works like a charm, go for Qualys. Less headaches and easy to achieve ROI as you don't spend much on the deployment or maintenance.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: We have been doing some road-shows, & conferences in Malaysia to introduce Qualys.
PeerSpot user
Director for global support at a tech vendor with 1,001-5,000 employees
Real User
A comprehensive, scalable, and easy-to-deploy platform with a nice UI
Pros and Cons
  • "The vulnerability management feature is what I used the most. It is a good SaaS product. It is easy to use. It has a nice UI where you can see all the assets and vulnerabilities."
  • "Certain integration factors between different options could be improved."

What is our primary use case?

It is for vulnerability management. I used it in my previous company, and I also used it for my home network.

It is a SaaS platform. So, there is always the latest version.

What is most valuable?

The vulnerability management feature is what I used the most. It is a good SaaS product. It is easy to use. It has a nice UI where you can see all the assets and vulnerabilities.

What needs improvement?

Certain integration factors between different options could be improved.

For how long have I used the solution?

I worked with this solution for two years. 

What do I think about the stability of the solution?

Its stability and performance are good.

What do I think about the scalability of the solution?

People use it for hundreds and thousands of assets, so it is definitely scalable.

How are customer service and support?

I used to run technical support there. So, I didn't need to go for support.

How was the initial setup?

It is easy and straightforward to set it up. It takes 5 to 10 minutes to set up a new asset.

What's my experience with pricing, setup cost, and licensing?

I used to work there, so I never paid for the product. As an employee, we get a lifetime license for personal use, and that's what I'm using.

It is a comprehensive platform, so there is a lot more to it. There could be other solutions that are probably a little bit cheaper, but it depends on what people need. Different people have different needs. It offers many things on the same platform. If you add all the things up, it should be cheaper, but I have not done any analysis specifically.

What other advice do I have?

It is a good product. I would recommend it to others. It had whatever I needed for my personal use case. There are a lot of features that I have not explored. Some of the features are applicable for corporate networks, and they can't be used for personal use cases.

I would rate it a nine out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Vice President | Information Security at a financial services firm with 1,001-5,000 employees
Real User
Very intuitive, easy going and simple to use
Pros and Cons
  • "Intuitive and easy to use."
  • "Reports were lacking somewhat on the customization side."

What is our primary use case?

I used this solution for one of my clients and the primary use case was for the compliance mode and scanning. We are customers of Qualys and I am senior vice president of information security.

What is most valuable?

I found the solution quite intuitive and easy going. I have worked with other similar tools and found this simple to use. 

What needs improvement?

I felt hindered sometimes within reports in that they were lacking somewhat on the customization side in terms of making use of the data. The cloud user interface could be a little more responsive. It was a click and then a wait. 

For how long have I used the solution?

I used this solution recently for about five months. 

What do I think about the stability of the solution?

There were a couple of small bugs but the solution was stable. 

What other advice do I have?

I would recommend this solution and rate it a nine out of 10. 

Which deployment model are you using for this solution?

Private Cloud

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
ITSM & AntiFraud Consultant with 51-200 employees
Consultant
Vulnerability management is the most valuable feature but it would be good if they could provide an internal computing appliance.
Pros and Cons
  • "Vulnerability management is the most valuable one and it’s a must in every organization."
  • "One of the biggest issues from the clients' perspective is that all Qualys computing is on the cloud."

What is most valuable?

From my point of view all the Qualys products are valuable. From the clients' perspective, I believe vulnerability management is the most valuable one and it's a must in every organization. After the client realizes the risks from outside, and that the vulnerabilities are real, a proper compliance policy implementation using Qualys Policy Compliance (I'm using v8.4), the second product needed in any infrastructure, can be done. If the organization has public websites, Web Application Scanning (I'm using v4.1) is the third valuable product needed in an organization.

How has it helped my organization?

After the first scan of the servers at all the POCs, QualysGuard discovered many vulnerabilities that are grouped from low to high impact. The ability to use asset management to scan the grouped servers from the vulnerability management feature with the policy compliance engine helps the security officer to perform the daily/monthly tasks faster and make them more organized.

What needs improvement?

One of the biggest issues from the clients' perspective is that all Qualys computing is on the cloud.

As of last month (this is when I found out), Qualys offers an on-premise installation for its customers.

https://www.qualys.com/enterprises/qualysguard/pri...

The issue with the private cloud is that it costs very much for a small firm.

For how long have I used the solution?

I have been using QualysGuard since 2012, and I have followed the certification from Qualys in class. After that, I implemented it for one of our clients, and did some POCs using Qualys. In the last month I had another PoC with Qualys and the client looks interested.

What was my experience with deployment of the solution?

I needed support from a sysadmin to deploy the OVF file.

What do I think about the stability of the solution?

Qualys appliances are based on Linux OS, and they are very stable. I didn’t encounter any stability issues.

What do I think about the scalability of the solution?

The big advantage of using the virtual appliances is that you can increase the allocated hardware if you need more resources.

How are customer service and technical support?

Customer Service:

The customer service level is very high. All the requests made to the reseller were fulfilled in a very short time.

Technical Support:

We didn't need to use Qualys technical support as the product was very stable, and our knowledge of the product was enough to fulfil all the clients' needs.

Which solution did I use previously and why did I switch?

I have used both Nessus and Rapid 7 Nexpose. I am working as a security consultant and I need to know the big players so I could present to my clients the pluses and minuses of the products they might choose.

How was the initial setup?

Qualys initial setup is straightforward and if you follow the manual you don’t have any problems. You receive the credentials, login to the Qualys website, download the virtual appliance, configure the IP, and, after defining the credentials and the assets, you can start scanning your environment. For the hardware appliance you have to connect it to the network and after the configuration you can start the scanning.

What about the implementation team?

I was part of the consultant team that implemented this solution to the client. We didn't have any complaints from him, and he used us to implement the rest of Qualys' components.

What's my experience with pricing, setup cost, and licensing?

Usually every implementation is different and the quote is a function of the number of assets.

Which other solutions did I evaluate?

The clients are usually evaluating the top three vendors from Gartner. From my clients' side, the vendors used in evaluation were Nexpose, McAfee Vulnerability Manager and Nessus. I have also tried the open-source VM OpenVAS.

What other advice do I have?

Follow the vendor provided steps, and you will not have any problems during the initial implementation. If you don’t have experience with server policies, use a consultant that will be able to identify your business needs.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a QualysGuard partner
PeerSpot user
Alireza Ghahrood - PeerSpot reviewer
Consultant & Instructor - Cyber Security, Governance, Risk, Compliance (CISO as a Service) at Independent
Top 10
Real User

Thanks 4 share

CTO Latam at a tech services company with 201-500 employees
MSP
A powerful virtual scanner appliance that scans batch files, BIT files, and compact files.
Pros and Cons
  • "This is one of the best products I have worked with so far. I like the power of Qualys, and it's a better solution because you can scan a compact file, a BIT file, or batch files. The product already knows what's happening inside, and you don't need to expand the package. Tenable will do the same thing, but you need to have a package issuance claim. With Qualys, we can immediately understand the file, even a compact file. If there's some kind of discovery or incident, you will know what happened in the environment."
  • "Integration could be better. When you think about scanning, it's not used just with this product alone but with other Qualys products. If you think about the bundle, the product itself is good. But integration with other products and packages has space for improvement. They should also offer a better price for bundles."

What is our primary use case?

We use Qualys Virtual Scanner Appliance for the big scan. 

What is most valuable?

This is one of the best products I have worked with so far. I like the power of Qualys, and it's a better solution because you can scan a compact file, a BIT file, or batch files. The product already knows what's happening inside, and you don't need to expand the package. Tenable will do the same thing, but you need to have a package issuance claim. With Qualys, we can immediately understand the file, even a compact file. If there's some kind of discovery or incident, you will know what happened in the environment. 

What needs improvement?

Integration could be better. When you think about scanning, it's not used just with this product alone but with other Qualys products. If you think about the bundle, the product itself is good. But integration with other products and packages has space for improvement. They should also offer a better price for bundles.

For how long have I used the solution?

I have been using Qualys Virtual Scanner Appliance since I joined my company three years ago.

What do I think about the stability of the solution?

Qualys Virtual Scanner Appliance is very stable.

What do I think about the scalability of the solution?

Qualys Virtual Scanner Appliance is scalable.

How was the initial setup?

The initial setup is straightforward. You only need one technician to deploy and maintain this solution. However, it really depends on the size of the customer's environment. 

What's my experience with pricing, setup cost, and licensing?

Qualys Virtual Scanner Appliance isn't expensive right now. But the price for their product bundles could be better.

What other advice do I have?

I would advise potential users to look into the environment and understand what they want to do before implementing this solution. They must understand how to communicate with the network and what kind of network they want to put together. Just read the manual first. 

On a scale from one to ten, I would give Qualys Virtual Scanner Appliance a nine.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Download our free Qualys VMDR Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2024