Qualys Web Application Scanning Room for Improvement

SubhajitAich - PeerSpot reviewer
Security Consultant at Cognizant

Qualys Web Application Scanning is very complex to use, and its graphical interface is not very user-friendly. Compared to other solutions like Tenable and Rapid7, you need to navigate a lot to get the actual results out of Qualys Web Application Scanning.

If I have to search for one thing within the entire console, I have to look for it randomly. It's not very easy or comfortable to find something. Overall, it's a very good solution, but it would be very good if the tool were more user-friendly.

Koketso Ditlhage - PeerSpot reviewer
Information Communication Technology Specialist at UNIVERSITY OF JOHANNESBURG

The software’s pricing could be improved. When we buy a license, they charge us per asset. For instance, we have a three-year contract. However, the environment keeps growing every year. If we budget it for 200 IPs, we might need to buy a new license for another 200 IPs after six months. It has a cloud feature, yet the VMs are not enough. It would be nice if there were a cost reduction in scalability. 

Brammadevan K - PeerSpot reviewer
Cyber Security Engineer at R S Consulting Services

One area for improvement is the application scan interface. Although recent updates have introduced some features, there's a gap in supporting standards beyond OWASP. 

Currently, there isn't an option to select or integrate other security standards directly within the platform, which limits the scope of scans to primarily OWASP. For broader compliance, custom integrations are required, which is a cumbersome process.

The platform primarily supports OWASP standards for scanning. If an organization needs to comply with other standards, such as ISO or NIST, there's no straightforward option to select these within the scanning interface. 

This limitation requires custom solutions to meet other compliance requirements, which is not ideal.

Qualys should enhance its interface to allow users to easily select and scan according to multiple standards, not just OWASP. This includes both internal and external scans, providing a more flexible and comprehensive approach to web application security.

In addition to choosing standards, there's a distinction between internal and external scanning processes that could be streamlined.

Currently, for internal scanning, specific configurations and scanner appliances need to be deployed within the network, which differs from the simpler setup for external scans. This dual process complicates the setup for comprehensive scanning coverage.

The process should be simplified to eliminate the need for two distinct setups for internal and external scans within Qualys.

Buyer's Guide
Qualys Web Application Scanning
April 2024
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,578 professionals have used our research since 2012.
NS
Lead Cyber Security engineer at a tech services company with 201-500 employees

When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem.

In the future, customer support could improve and the output report needs to be simplified for better understanding.

HJ
Data Specialist at CHUN SHIN LIMITED

We are concerned with the frequency of their virus code updates and reporting that contains false positives. We do not think that the accuracy of the reporting is as good as it should be.  

It would be nice if Qualys would provide a solution after analyzing the data for us so we can understand what the cause of a vulnerability is and how to fix it. It would be good enough to provide something like just a download page that describes the problem and the steps to take to resolve the vulnerability.  

We are researching open source software because Qualys needs to improve their reports and the documentation for the end-users in resolving scanned issues.  

Sometimes the deployment is complicated. It is not so easy to deploy and that should be simplified. Something like Zap or other open-source software is often easier to deploy.  

Daniel_Ndiba - PeerSpot reviewer
Assistant Manager - Cyber & Cloud Security at a financial services firm with 1,001-5,000 employees

The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected.

Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.

Akhat Tukenov - PeerSpot reviewer
Cyber Security Engineer at Alexis Company

The product should allow users to upload their payloads.

SandeepKumar1 - PeerSpot reviewer
Design Engineer at Uop Ipl, Honeywell

Sometimes the response time is low because the handshake fails, and then you have to re-login and start again. In the next release, Qualys should include more integration with different applications and single-sign-on protocol.

EG
IT Security Analyst at Banco de Fomento Angola

It will be good if Qualys is integrated with QRadar.

YongjinLee - PeerSpot reviewer
Commercial Pre-Sales at Megazone

There should be better visibility into the application. 

S S RAMA KRISHNA MURTHY  SURI - PeerSpot reviewer
Senior Manager at valuelabs LLP

There could be better management and faster scanning. An application may have a lot of URLs and complexity. If there are a couple of applications, that complexity multiplies. It can take three or four days to scan. That's too long. It should be maybe three or four hours. 

PK
Senior Software Developer at a tech vendor with 1,001-5,000 employees

One area that could be improved is the data server. That's probably what I most noticed in comparison with Rapid7. Also, the UI is not user-friendly, and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good.

Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay.

In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good if they could improve and enrich the reports. These are the fundamental differences with Rapid7.

MT
Technical Lead at a computer software company with 501-1,000 employees

The product's pricing could be better.

Vivek Sathaye - PeerSpot reviewer
Director at Benelec

We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error.

FG
Cyber Security Sales Specialist at a tech services company with 1,001-5,000 employees

There should be better visibility into the application.

SubhajitAich - PeerSpot reviewer
Security Consultant at Cognizant

The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities.

The scanner reports a lot of false positives, which is something that needs to be improved.

it_user488199 - PeerSpot reviewer
Senior Security Systems Engineer at a computer software company with 501-1,000 employees

The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.

it_user395523 - PeerSpot reviewer
Sr. Director, Cloud Platform Engineering at a tech vendor with 5,001-10,000 employees

The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool.

JB
Consultant at a tech services company with 1,001-5,000 employees

They should improve the performance of the security scanning. It should have better performance. 

RT
Delivery Manager at a tech vendor with 1,001-5,000 employees

In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.

it_user494979 - PeerSpot reviewer
Module Lead with 1,001-5,000 employees

The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled.

The tool should have more mature APIs for integration and automation. They should provide more flexible APIs to download reports.

AJ
Lead Security Architect at a financial services firm with 501-1,000 employees

The solution needs to adjust its pricing. They should make it more affordable.

it_user700140 - PeerSpot reviewer
Ex Senior Security Analyst and Onsite consultant at Paladion Networks

In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the scanner testing.

GV
CEO at a tech services company with 51-200 employees

Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.   

it_user335103 - PeerSpot reviewer
Info-Security Consultant at a financial services firm with 1,001-5,000 employees

It's missing some zero-day patches.

it_user563475 - PeerSpot reviewer
Deputy Manager at a tech services company with 10,001+ employees

Please add manual penetration testing features. 

Also, I didn't like the license terms, and the features were limited compared to other tools used for web applications.

it_user255879 - PeerSpot reviewer
Security Analyst at a tech services company with 1,001-5,000 employees

Enhancing the capability to find XSS.

SC
Cyber Security Consultant at a tech services company with 10,001+ employees

The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes. 

Also, occasionally it can't even authenticate to basic web forms.
