I use Qualys Web Application Scanning for various customers both within and outside the country.
Our clients are mainly from the education and banking sectors, where we support them with financial and backend services.
Qualys Web Application Scanning (WAS) is a DAST tool. It stands for Dynamic Application Security Testing. Unlike SAST (Static Application Security Testing) tools, WAS doesn't examine source code. Instead, it interacts with your web application like a real user, analyzing its responses to identify vulnerabilities.
Qualys WAS also integrates with WAF (Web Application Firewall) solutions, including potentially your company's standard WAF or Security Assertion Markup Language (SAML) interface.
The vulnerability management feature is a strong one, and so is the patch management feature.
Qualys integrates with Endpoint Detection and Response (EDR) for malware detection. EDR continuously monitors endpoints and takes snapshots of all of the endpoints and assets. Any changes are collected and sent to the cloud every four hours.
EDR also provides other capabilities like incident response and campaign identification. If malware is detected, the user can get remediation steps and send alerts to the system. It also provides forensic reports if there is a need for more detailed reports from the endpoints.
Qualys is easy to use as there's no hardware to manage because it's fully cloud-based. Once the platform is installed, you can access all of our services.
The application product integration, especially integrating Qualys with the DevOps environment like Jenkins, is straightforward. It facilitates continuous testing and integration, allowing us to perform scans on a weekly or monthly basis efficiently.
One area for improvement is the application scan interface. Although recent updates have introduced some features, there's a gap in supporting standards beyond OWASP.
Currently, there isn't an option to select or integrate other security standards directly within the platform, which limits the scope of scans to primarily OWASP. For broader compliance, custom integrations are required, which is a cumbersome process.
The platform primarily supports OWASP standards for scanning. If an organization needs to comply with other standards, such as ISO or NIST, there's no straightforward option to select these within the scanning interface.
This limitation requires custom solutions to meet other compliance requirements, which is not ideal.
Qualys should enhance its interface to allow users to easily select and scan according to multiple standards, not just OWASP. This includes both internal and external scans, providing a more flexible and comprehensive approach to web application security.
In addition to choosing standards, there's a distinction between internal and external scanning processes that could be streamlined.
Currently, for internal scanning, specific configurations and scanner appliances need to be deployed within the network, which differs from the simpler setup for external scans. This dual process complicates the setup for comprehensive scanning coverage.
The process should be simplified to eliminate the need for two distinct setups for internal and external scans within Qualys.
I've been working with it for about a year.
Based on my experience, it's highly stable. I haven't encountered significant issues or disruptions in service, indicating a strong and reliable platform.
I would rate the stability a nine out of ten.
Qualys, being cloud-based, offers excellent scalability. Whenever we need to scale up, we can easily configure settings in the backend and add licenses for more users.
It allows for easy adjustments to your security needs without the need for physical hardware, facilitating seamless scaling up or down according to your organization's requirements.
In my team, we have a focused group working with Qualys. However, our organization serves a broader range of clients, including small to medium-sized businesses, leveraging Qualys for their security needs.
Qualys provides a dedicated support channel for addressing any issues that arise. The process of raising support tickets is straightforward, and in my experience, the response has been efficient and helpful in resolving issues.
Positive
I'm aware of Fortify On Demand but haven't used it. Our company only holds licenses for Fortify SaaS and DaaS.
The setup varies based on whether the scanning is for internal or external purposes. Each has its specific requirements and configurations, such as deploying scanner appliances for internal scans.
Therefore, it's not just a single score; the complexity can range, especially if internal scans are considered, which require more setup.
Qualys offers two deployment methods for web application scanning: internal and external. For internal scans, a scanner can be installed on your network to scan internal applications.
For external scans, Qualys utilizes cloud-based scanners to scan publicly accessible web applications without requiring any installation on your end.
The deployment time can vary but generally, it doesn't take more than one to two hours to get up and running, depending on the specifics of the setup required.
From my perspective, it is a budget-friendly option. Qualys offers good value for the features and protection it provides. The pricing seems reasonable, considering the comprehensive security solutions it offers.
For those considering Qualys, it's important to understand how it fits into their overall security strategy, especially regarding web application and firewall (WAF) security.
It's crucial to grasp the full capabilities of Qualys to make an informed decision. I'd advise understanding the product thoroughly to see if it aligns with your security needs.
Overall, I would rate the solution a nine out of ten.
We have been using Qualys Web Application Scanning for automated web architecture scanning in an enterprise environment.
The solution integrates well with our database and asset management, providing a detailed framework that connects products and shares knowledge across them.
The most valuable features are the scheduled scanning, detailed reports, asset management, the knowledge database, and the overall product framework. The integration with other tools is also a significant advantage.
The authenticated scanning feature could be improved by adding support for real-time scanning tokens and authorization tokens. For example, after sessions, having tokens valid for applications allowing automated authenticated scanning, similar to what Burp offers with proxy support, would be beneficial.
The enterprise-level deployment was scalable and supported our business growth well.
We were looking at alternatives like Burp and Acunetix, particularly from the security research side, for better results and accuracy.
Pricing is a significant consideration. Although the product is good for certain details and automated processes, it may not be as cost-effective for some tasks.
We evaluated other solutions like Burp and Acunetix.
For specific web applications, Burp may provide better results, however, for integration of tools, Qualys Web Application Scanning is a good choice.
I'd rate the solution eight out of ten.
We use the solution alongside others for static scanning. It's used for endpoint scanning.
The monitor's ability to read the reports, or to do very detailed reports is great. It's good at looking at the different vulnerabilities. Rarely are there security loopholes. It can also suggest ways to mitigate risks and vulnerabilities.
There's a lot of great reference material.
The integration is great. It works with many different products.
There could be better management and faster scanning. An application may have a lot of URLs and complexity. If there are a couple of applications, that complexity multiplies. It can take three or four days to scan. That's too long. It should be maybe three or four hours.
We've been using the solution for two years.
It's a stable product. There are no bugs or glitches and it doesn't crash or freeze. The solution is reliable.
It leverages the cloud. One of the upsides of that is the scalability that is possible.
We have about 500 to 600 people on the solution currently.
Technical support is very good whenever we send them a message. They will schedule a call and then they will check in with us until the issue's resolved or until we understand the entire problem and they clarify issues. They're very quick as well.
The initial setup, due to the fact that it is the cloud, is very easy. It's a SaaS solution. We don't have to install anything in order to get going. You are on it right away. There is no deployment time to get through.
Since it's so quick and immediate, you don't need a big team to get it off the ground.
We were able to handle the implementation ourselves. It's not hard. You don't need consultants or integrators.
We have seen an ROI and my understanding is that it is pretty good.
I don't directly deal with the licensing aspect of the product.
I'd recommend the solution to others. We haven't had any issues after two years of working with it.
I'd rate the solution eight out of ten.
My main use of Qualys WAS is for multifactor authentication for web and mobile applications.
Qualys WAS' most valuable features are the navigation flow of the UI and the option for a different layer of security (identification and operation through email and mobile).
Sometimes the response time is low because the handshake fails, and then you have to re-login and start again. In the next release, Qualys should include more integration with different applications and single-sign-on protocol.
I've been using Qualys Web Application Scanning for a year and a half.
Qualys WAS is stable unless we have a breach.
Qualys WAS is scalable.
Qualys' technical support is good but could improve its resolution speed.
Positive
Previously, I used CA Identity Solutions by Broadcom, which had easier integration, more options for MFA, and biometric options.
The initial setup was complex and took about three months to deploy. I would rate the setup experience as four out of five.
We used a vendor team.
Qualys WAS' pricing is competitive.
I would recommend getting the POC done before implementing WAS, especially if there will be a lot of APIs involved in developing the product. Look at how the endpoint security works when the APIs run with a different channel, like web and mobile applications. I would give Qualys WAS a rating of six out of ten.
The primary use case includes scanning the web applications that are public facing.
The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera.
There should be better visibility into the application.
Our customers have been using this solution for more than three years now.
It is a stable solution.
It is a cloud-based solution, so it is easy to scale.
We work with enterprise-level clients with over 2500 endpoints.
The customer service and support are good.
Positive
I would say Qualys is on the better side. It's more about the performance and the quality of the product because it's been around for a long time.
The initial setup is relatively easy. The installation process is quite straightforward, making it user-friendly.
The duration of deployment varies depending on the complexity of the customer's environment and their implementation status. We ensure to accommodate the customer's preferred implementation pace.
We normally purchase an annual license. There are additional costs. From Qualys, it's for the license and maintenance, which includes patches and stuff like that. Additionally, we have our own service delivery costs.
Qualys is a stable and reliable solution. It has been around for a long time.
Overall, I would rate the solution an eight out of ten. There is scope for improvement. It is still an early technology.
The initial setup is easy.
The time taken for implementation depends on the customer's environment. It could take around a month, depending on the module.
We have a team of two to three people to implement at the enterprise level. Moreover, it is easy to maintain.
I'm familiar with all of the Qualys-based products because we partner with Qualys, so I have a local contact in New Zealand who helps me with all the technical information.
Moreover, I'm a pre-sales specialist, so I recommend the solution to our potential customers and then we implement through another team for customers.
Our customers use the solution to audit their web applications before releasing them to the Internet.
Licensing is the most valuable. Qualys provides the best licensing for companies. It is the best product for the development purposes of web applications. The product has a lot of integrations.
The product should allow users to upload their payloads.
I have been using the solution for three years.
I rate the product’s stability an eight out of ten.
I rate the product’s scalability a nine out of ten.
We did not face any issues while deploying the solution. The product provides good documentation for deployment.
The product has a very good licensing model.
I am using the latest version of the solution.
Tenable makes us wait 90 days to delete the test web application, and Rapid7 does not allow us to delete it as well as Acunetix (once a year).
I will recommend the solution to others. Overall, I rate the solution an eight out of ten.
We use the solution for scanning and vulnerability management.
The product prevents possible vulnerabilities in our network.
It will be good if Qualys is integrated with QRadar.
I have been using the solution for three years.
The tool is stable.
The tool is scalable since it is on the cloud. We have 60 users.
The support is moderately good. Sometimes, the team responds on time. Sometimes, it takes time. The support could be faster.
I have used many other tools. In some cases, I prefer other tools because they give better visibility into the vulnerabilities. In general, Qualys is good.
The initial setup was super easy because it is cloud-based. We use it internally. The installation took two days. We had to improve the tools and create the tags and assets. Two or three engineers can deploy the product. The product is easy to maintain.
I integrate Qualys and QRadar. QRadar is for SCM. It helps centralize the management of the network. It provides good visibility of Qualys. Qualys is a good product. There are better tools in the market. However, I recommend Qualys to others. Overall, I rate the product an eight out of ten.