
Qualys Web Application Scanning Overview

Qualys Web Application Scanning is the #10 ranked solution in AST tools and the #13 ranked solution in application security solutions. PeerSpot users give Qualys Web Application Scanning an average rating of 7.8 out of 10. Qualys Web Application Scanning is most commonly compared to Tenable.io Web Application Scanning: Qualys Web Application Scanning vs Tenable.io Web Application Scanning. Qualys Web Application Scanning is popular among the large enterprise segment, accounting for 66% of users researching this solution on PeerSpot. The top industry researching this solution is the computer software industry, accounting for 21% of all views.
Buyer's Guide

Download the Application Security Tools Buyer's Guide including reviews and more. Updated: October 2022

What is Qualys Web Application Scanning?

Qualys Web Application Scanning (WAS) is a fully cloud-based web application security scanner. The scanner automatically crawls and tests web applications on a recurring schedule to discover potential vulnerabilities, including cross-site scripting (XSS) and SQL injection. Consistent, repeated testing lets the automated service produce consistent results, reduce false positives, and scale to protect thousands of websites.

Qualys Web Application Scanning also bundles malware scanning technology that inspects websites for malware infections and notifies website owners, helping to prevent blacklisting and damage to brand reputation. As digital transformation takes place across organizations, Qualys WAS gives them the ability to track and document their web application security status through its interactive reporting capabilities.

Qualys WAS empowers organizations to remediate any web application vulnerabilities quickly. Some of the key tools offered are:

  • Deep Scanning: All apps and APIs on your internal network and public cloud are covered by Qualys WAS deep scanning to show you any visible vulnerabilities.

  • DevSecOps Tool: Detect security issues in your code while still in the application development stages and generate comprehensive reports.

  • Comprehensive Discovery: Discover and catalog new and unknown web apps in your network.

  • Malware Detection: Scan a website, identify vulnerabilities, and receive alerts to any infections.


Benefits of Qualys Web Application Scanning

Qualys Web Application Scanning offers many benefits, including:

  • Quick Deployment: Requires no infrastructure or software to upkeep.

  • Effortless Scalability: Effortlessly launch a deep scan and protect thousands of websites.

  • Centralized Management: Manage and mend all web app vulnerabilities through a single interface.

  • Excellent Integration Capabilities: Integrates with Qualys Web App Firewall (WAF) for a single-click virtual patching of found vulnerabilities.

  • Respond to Threats Immediately: Qualys Continuous Monitoring offers the user a hands-free service by automatically launching scanning and sending notifications of a potential threat.

  • Cost-effective Solution: Data is analyzed in real time as Qualys WAS is an end-to-end solution; this helps avoid costs associated with managing multiple security vendors.

Reviews from Real Users

Qualys Web Application Scanning stands out among its competitors for a variety of reasons. Two of those reasons are its progressive scan and quick detection of vulnerabilities.

P.K., a senior software developer at a tech vendor, writes, "The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours."

Nagaraj S., lead cybersecurity engineer at a tech service company, notes, "I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews."

Qualys Web Application Scanning was previously known as Qualys WAS.

Qualys Web Application Scanning Customers

BskyB, Cartagena, ClearPoint Learning Systems, Connect Group, du, Fortrex Technologies, HBOR, HDI, Highlights for Children, The Lithuanian State Enterprise Centre of Registers, City of Miami Beach, Microsoft, MidlandHR, MSCI Inc., Northern Arizona University, Ofgem, Olympus Europa, PhoneFactor, RTL Nederland, ThousandEyes, VGZ Organisatie B.V.

Archived Qualys Web Application Scanning Reviews (more than two years old)

Data Specialist at CHUN SHIN LIMITED
Real User
Easy to use for detection of WAS and VM vulnerabilities
Pros and Cons
  • "It is easy to use."
  • "It is a very stable solution."
  • "The reporting contains too many false positives."
  • "The virus code updates are not frequent enough."
  • "Deployment can be complicated."

What is our primary use case?

We are using Qualys for vulnerability detection in our IDC (International Data Center) on our web pages and world-wide-web applications and services.  

What is most valuable?

The best thing about this product is that it is really easy to use.  

What needs improvement?

We are concerned with the frequency of their virus code updates and reporting that contains false positives. We do not think that the accuracy of the reporting is as good as it should be.  

It would be nice if Qualys would provide a solution after analyzing the data for us so we can understand what the cause of a vulnerability is and how to fix it. It would be good enough to provide something like just a download page that describes the problem and the steps to take to resolve the vulnerability.  

We are researching open source software because Qualys needs to improve their reports and the documentation for the end-users in resolving scanned issues.  

Sometimes the deployment is complicated. It is not so easy to deploy and that should be simplified. Something like Zap or other open-source software is often easier to deploy.  

For how long have I used the solution?

I am in the IT department in our company and we have been using Qualys for three years.  

What do I think about the stability of the solution?

Qualys is a very stable solution for us. We have not had trouble with downtime.   

What do I think about the scalability of the solution?

We get a license to use this application for up to a year and we file for a license every year to renew. We would need to renew this license in September of 2020, so we will need to make a decision whether we will be continuing to use Qualys as a solution.  

How was the initial setup?

Sometimes the deployment is complicated. The deployment should be easier and more consistent.  

What's my experience with pricing, setup cost, and licensing?

The cost of the solution should be lower. In our company now, we only have 200 employees. For us, the license fee is kind of expensive. The cost is $30,000 USD for one year to cover WAS (Web Application Security) and the VM (Virtual Machine) security. That price includes maintenance and any consulting with Qualys.  

What other advice do I have?

I would recommend Qualys if the budget is not a problem. There may be other open-source solutions that could be used to perform a similar analysis.   

On a scale from one to ten (where one is the worst and ten is the best), I would rate this solution as an eight-out-of-ten.  

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Software Developer at a tech vendor with 1,001-5,000 employees
Real User
Has a good progressive scan feature but the data server needs improvement
Pros and Cons
  • "The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours."
  • "The UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs."

What is our primary use case?

I think we have the fastest version, and they always upgrade it. I think it's the $2 or $3-a-month version. They have multiple engines inside it, but it's a site-based service. It is not on-demand, so Qualys will host it. It's the pay as you go service that is on the software-as-a-service. 

We use the DAST, dynamic application scan test.

What is most valuable?

The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours.

What needs improvement?

One area that could be improved is the data server. That's probably what I most noticed in comparison with Rapid7. Also, the UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good.

Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay.

In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good if they could improve and enrich the reports. These are the fundamental differences with Rapid7.

For how long have I used the solution?

I have been using Qualys Web Application Scanning for five years.

What do I think about the stability of the solution?

Qualys Web Application Scanning is very stable and reliable. But the reporting does not look that great.

What do I think about the scalability of the solution?

In terms of scalability, it is very easy to expand. It's very fast and visible.

We don't have many people working on the solution. But our applications are big applications. We are using six components in different applications.

How are customer service and technical support?

Support is very good.

How was the initial setup?

Because of tasking, the initial setup is very straightforward. We didn't have to purchase any hardware for the installation. It is task-based. The cloud provision is there. It is good. I think nowadays everyone is going with the cloud provisioning. That way you can subscribe for any number of years to use the software. 

I think the initial setup took a couple of hours because there were no plugins and nothing to be installed.

What about the implementation team?

We implemented it ourselves and there was no installation expert here.

Which other solutions did I evaluate?

Yes, we are still comparing it with Rapid7. We want to first make assessments of what advantages we can get with Rapid7.

What other advice do I have?

My advice for anyone considering this solution is, "Go for it." 

On a scale of one to ten, I would give Qualys Web Application Scanning a seven.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Analyst at a tech services company with 10,001+ employees
Real User
User-friendly, good scanning analysis and reporting, and offers real-time vulnerability monitoring
Pros and Cons
  • "The interface is user-friendly and easy to understand."
  • "The scanner reports a lot of false positives, which is something that needs to be improved."

What is our primary use case?

We primarily use this solution for VM scanning. We scan more than a thousand applications.

What is most valuable?

The most valuable features are scanning analysis and reporting.

This solution also provides real-time monitoring.

The interface is user-friendly and easy to understand.

What needs improvement?

The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities.

The scanner reports a lot of false positives, which is something that needs to be improved.

For how long have I used the solution?

We have been using Qualys for almost a year.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

In terms of scalability, Qualys is good.

How are customer service and technical support?

I have not dealt with technical support yet because there are other people dealing with issues that arise. My understanding is that technical support is good.

Which solution did I use previously and why did I switch?

I have also used the Nexus Vulnerability Scanner and it reports fewer false positives.

How was the initial setup?

This solution was implemented before I joined the department.

What's my experience with pricing, setup cost, and licensing?

There are different options available with respect to licensing.

What other advice do I have?

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
CEO at a tech services company with 51-200 employees
Real User
Has comprehensive SSL security measurements but the price should be lowered
Pros and Cons
  • "The simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good."
  • "The pricing does not seem to be competitive."

What is our primary use case?

For some projects, we will need to use this on-premises. It depends on the confidentiality of our project. For other projects, we will also be deploying on the cloud or maybe a hybrid solution as well.  

We are looking forward to having a relationship as a partner with this company and maybe one or two others. We are not just a customer. We have a bunch of freelancers that we are working with in three different companies in Slovenia, Australia, and other countries. We are looking for solutions to make our testing and security checks more affordable.  

What is most valuable?

I am not the person who is actually directly testing this. One of the other people from our team is doing that. But I was involved in the selection of which products we should compare based on available features, demos, and how products appear to meet our needs. What I remember from my experience with Qualys is that the simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good. The website was also well-designed and easy to navigate. The SSL security measurements that the product offers seem comprehensive. But I cannot say, at this preliminary phase, that I specifically think this or that from Qualys is the most valuable. It is intriguing enough to make our shortlist and POC efforts.

What needs improvement?

Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.   

For how long have I used the solution?

We are in the process of analyzing several products over several months in this category for comparison and proof of concept.  

How are customer service and technical support?

We have not yet had to contact technical support for any reason.  

How was the initial setup?

I don't have information at this moment because we are in the process of discovery and we have not fully deployed. We do have a test deployment running.  

What's my experience with pricing, setup cost, and licensing?

The pricing of Qualys is quite expensive in comparison with the other products in this category that are offering pretty much the same thing. Pricing is one area of the product that can be improved. At this stage of our discovery, we only know the initial cost is high.  

Which other solutions did I evaluate?

We were testing a lot of products. We were looking for a good product for our needs and for the needs of our customers to scan vulnerabilities. Qualys was one of the products we chose to do further testing with. The testing with data is still continuing and is a process. As we are in the process of discovery now, we cannot exactly qualify our experience with the product.  

What other advice do I have?

On a scale from one to ten, where one is the worst and ten is the best, I would rate Qualys as a seven at this point. It is difficult to rate Qualys, or even products from other companies, as better than this because we were hearing the same thing from all the product manufacturers before we went into testing. But based on the references from other users about Qualys, our current level of experience, the pricing as we know it and the services that are offered for free, Qualys is a seven.

What we have mostly found at this point is that you can't just install a free trial version of a product and get a complete impression immediately. With some products like Qualys or others in the category, the pricing may not be completely right because there are hidden costs. It could be one solution is not quick to deploy and that seems to make it difficult but in actual use, it is easier than everything else. Some products will be easy to set up and after 10 days of trying to work with it, I might be disappointed because of what I committed to.  

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Lead Security Architect at a financial services firm with 501-1,000 employees
Real User
Puts our services in compliance and minimizes our risk for exposure
Pros and Cons
  • "With our vulnerabilities under control, it's putting our services in compliance and minimizing our risk for exposure."
  • "The solution needs to adjust its pricing. They should make it more affordable."

How has it helped my organization?

With our vulnerabilities under control, it puts our services in compliance and minimizes our risk for exposure.

What is most valuable?

The vulnerability scanning and patching features are the most valuable parts of the solution.

What needs improvement?

The solution needs to adjust its pricing. They should make it more affordable.

For how long have I used the solution?

I've been using the solution for over five years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The cloud service makes the solution very scalable. We have about ten users right now, however we don't intend to increase usage at this time.

How are customer service and technical support?

Technical support is excellent. I would rate it ten out of ten.

Which solution did I use previously and why did I switch?

We've never used a different solution.

How was the initial setup?

The initial setup was straightforward. Deployment took about two weeks.

What about the implementation team?

Our internal team handled the implementation.

Which other solutions did I evaluate?

We did not evaluate other options before choosing Qualys.

What other advice do I have?

We are using the cloud deployment model.

I would recommend other users to use Qualys Application Scanning for application security. If you're serious about security you need a service or a solution that does continuous scanning of your application and infrastructure. There are always vulnerabilities being introduced.

I would rate the solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Consultant at a tech services company with 1,001-5,000 employees
Real User
Enables us to identify vulnerability levels and to enforce security credentials
Pros and Cons
  • "The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level."
  • "It should have better automatic reporting."

What is our primary use case?

My primary use case of this solution is to audit the security level of my customer's internet. We offer this as a service.

What is most valuable?

The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level. 

What needs improvement?

They should improve the performance of the security scanning. It should have better performance. 

For how long have I used the solution?

I have been using Qualys for fifteen years.

What do I think about the stability of the solution?

The stability is very good. 

What do I think about the scalability of the solution?

The scalability is very good. It is very easy to expand this solution. We scan on an IP address basis. We have credit for 250 IP addresses, and we are free to use it in our user environment, or on the cloud. 

We have around twenty users using this solution. 

How are customer service and technical support?

Their technical support is good. We don't use them frequently because we offer that service. 

Which solution did I use previously and why did I switch?

I also checked Rapid7 for internal scanning. I picked Qualys for a specific use. It's a SaaS service. We use it to audit the security level of my customer's internet. 

How was the initial setup?

The initial setup is straightforward. A deployment that we did last week took four hours in order to launch it. 

What about the implementation team?

I am an integrator. I work for an integration company. I do the deployments. 

What's my experience with pricing, setup cost, and licensing?

Our licensing costs are on a yearly basis. We buy a group of IP addresses we can scan on a yearly basis. 

What other advice do I have?

My advice to someone considering this product is to find a solution that is easy to use. We use this solution because we need to.

I would rate it an eight out of ten. Not a ten because the reporting needs improvement. It should have better automatic reporting. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PeerSpot user
Senior Information Security Analyst at a financial services firm with 1,001-5,000 employees
Real User
It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard
Pros and Cons
  • "It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools."
  • "The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected."

What is our primary use case?

The demo was mainly centered around vulnerability management. We were looking to find a tool which is able to do vulnerability management for internal assets and web applications which face the Internet and are exposed on it. We want a platform which can do vulnerability assessment for internal assets and also for assets which are published on the internet.

I did this demo for three to six months.

How has it helped my organization?

It gave us an idea of what lay in our network, and the vulnerabilities in it. Most IT admins are not aware of what is happening on the network. It was able to advise them of what's happening on the network. They could see the web-based applications and where attacks on the outside were coming from.

On the dashboard, you can see vulnerabilities that you have, as they are increasing or reducing over periods of time.

What is most valuable?

It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools.

What needs improvement?

The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected.

Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.

For how long have I used the solution?

Trial/evaluations only.

What do I think about the stability of the solution?

It is a stable product, once it is implemented. 

We haven't had any major errors or bugs. It runs quite well.

What do I think about the scalability of the solution?

The plans can be installed internally on the infrastructure or be used in a cloud-based scenario. If you have a cloud structure, the scalability is almost unlimited because it all depends on the number of assets that you want to manage. This can be done without any major configuration changes. In terms of scalability, Qualys has handled it quite well.

How are customer service and technical support?

Technical support was quite responsive and effective. If engaged on email, they got back to us on time. 

How was the initial setup?

When setting up the solution, it was quite a challenge when trying to set up the internal VM. The guides were not able to give all the scenarios one might encounter when installing the product. At some point, we became stuck, not knowing what to do next.

Work closely with your network administrator. The challenge for us was when trying to connect the virtual machine to the cloud on Qualys, ensuring the firewall policy and rules are in line with the communication passing through without being dropped anywhere. 

What about the implementation team?

Support was helpful during implementation. They also referred us to a third-party vendor who we could work with as a partner. 

What's my experience with pricing, setup cost, and licensing?

Licensing was based on the number of assets that you want to scan on your network. You can also do licensing on subscription. On subscription, it is easier and more flexible. You tell Qualys that you want to move from the 1000 to 2000 band or the 3000 or 5000 band, then they will give you the quotation for it. Once you pay for it, applying the licensing is quite easy and effective.

Pricing was reasonable and competitive. It was not too far above the other products.

Which other solutions did I evaluate?

We have been evaluating the following: Rapid7, Tenable.io, Tenable SecurityCenter, and Acunetix for web applications. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Delivery Manager at a tech vendor with 1,001-5,000 employees
Vendor
We can do scanning and submit reports straight to customers when there are new vulnerabilities
Pros and Cons
  • "We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not."
  • "In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us."

What is our primary use case?

We use it for external connection testing whenever we have a customer who utilizes post scanning tools for their main message. From the scanner's perspective, we use the scanner results to do manual testing.

How has it helped my organization?

We are looking for automation in our scanning activities or projects, because manual won't work. So, automation is required for us. As a result, using the Qualys scanner result is helpful for us.

What is most valuable?

We are using scanners and the PCI model. We do PCI scanning because we are a PCI vendor. We are using the tool to do the scanning on whatever the latest vulnerabilities there are, and Qualys is always providing us updates. We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not.

What needs improvement?

In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

It has been stable.

What do I think about the scalability of the solution?

It is good and scalable.

How are customer service and technical support?

Technical support is responsive.

Which solution did I use previously and why did I switch?

We were and still are using webMethods Professional. We use both in tandem to do manual testing. That is our process of doing things.

How was the initial setup?

We use the cloud instances for our setups. We have one setup, and it is on the cloud, so it is not complex. Actually, we don't have to do any set up. 

We have applications located in our different offices, and so far their setup has not been a challenge.

What's my experience with pricing, setup cost, and licensing?

Qualys has an IT-based licensing based on a yearly license, which is a good way of handling it. However, in some cases, when we do the PCI scanning, the host will not like the scanning and we lose the IT license. So, this could be improved.

What other advice do I have?

It is very stable. If you have a good amount of calendar-based activities, it is good for defining frequency. You can define the calendar internally, then you can do your scanning. Though, it has some triaging features which should finally be fixed.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber Security Consultant at a tech services company with 10,001+ employees
Consultant
The way results are presented makes remediation easy, but GUI is a little complex
Pros and Cons
  • "Key features include: Cloud-based, so the installation is not so tedious. Easily deployed. Highly scalable. Comprehensive reporting."
  • "You can integrate your Burp Suite results and create an integrated report. Also, the way it shows the results - threats and exploit details - makes remediation very easy."
  • "The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes."

What is our primary use case?

We have a lot of applications in our environment that we need to scan frequently. We have a lot of tutorial sites, e-learning sites, and other related websites which we have to build, maintain, and scan continuously for security purposes.

How has it helped my organization?

It definitely helps us with the remediation process as we can create different reports, whatever is required at the time. 

What is most valuable?

  • It's cloud-based so the installation is not so tedious.
  • Easily deployed.
  • Highly scalable.
  • Comprehensive reporting.

Also, you can integrate your Burp Suite results and create an integrated report. 

The way it shows the results - threats and exploit details - makes remediation very easy.

We have seen very few false positives. We found the documentation very useful, particularly the roll-out guide. While the tool is not hard to use, by dividing the documentation into sections, the company provided specific guidance on use cases that are not necessarily limited to the tool itself.

What needs improvement?

The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes. 

Also, occasionally it can't even authenticate to basic web forms.

For how long have I used the solution?

One to three years.

How is customer service and technical support?

Qualys offers excellent support, which includes 24/7 phone and mail support, as well as access to its online user community.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user563475 - PeerSpot reviewer
Deputy Manager at a tech services company with 10,001+ employees
Consultant
Network scanner has good reporting and coverage, but it needs manual pen testing

What is our primary use case?

Cloud-hosted application, which was also accessible through a mobile app.

How has it helped my organization?

Dynamic features for pen testing automation, along with manual testing.

What is most valuable?

The network scanner has good reporting, and coverage was also good. In the web scanner, the dashboard was good but features were limited.

What needs improvement?

Please add manual penetration testing features.

Also, I didn't like the license terms, and the features were limited compared to other tools used for web applications.

For how long have I used the solution?

Trial/evaluations only.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Ex Senior Security Analyst and Onsite consultant at Paladion Networks
Consultant
Its web-based scanner is very useful for performing external penetration and PCI scans from remote locations
Pros and Cons
  • "QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations."
  • "By using QualysGuard, we are able to finish external scans with assured results in half the time."
  • "This product is designed for easy scalability and can easily scale up without major challenges."
  • "We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve issues."
  • "They should try to include business logic vulnerabilities in the scanner testing."
  • "In certain cases, this product does have false positives, which the company should work on."

What is our primary use case?

We use Qualys Internet-based scanners for external penetration testing as well as PCI scans for our clients. The tool being Internet-based, it can be accessed from any location, and it does not have issues with updating the patches as well as versions (QualysGuard updates the tool at specific periods in a year with prior notice). The report generated by QualysGuard is very detailed and easy to understand.

How has it helped my organization?

In order to finish a project, a penetration test in our company is on average five days, including documentation. Without this tool, the testing would take five days! 

By using QualysGuard, we are able to finish external scans with assured results in half the time.

What is most valuable?

QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations.

What needs improvement?

In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the scanner testing.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

The product that we used in our office under different environments is highly stable.

What do I think about the scalability of the solution?

This product is designed for easy scalability and can easily scale up without major challenges.

How is customer service and technical support?

We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve issues.

How was the initial setup?

It is a straightforward implementation. Once you register over the Internet, they assign you a set of static IP addresses which can be used to perform web-based scans. The administrator panel is easy to understand and create.

What's my experience with pricing, setup cost, and licensing?

It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.

Try the free trial of the product to understand the basic working mechanisms.

Which other solutions did I evaluate?

We did try Acunetix, but the quality of results and user interface of Qualys was excellent in comparison.

What other advice do I have?

We are an institutional partner of QualysGuard and buy bulk licenses. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Sr. Director, Cloud Platform Engineering at a tech vendor with 5,001-10,000 employees
Real User
We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products.

What is most valuable?

We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products. It reports only a few glaring false-positive errors (directory ownership was a common one), and our post-processing dealt with the known exceptions we’d agreed on. The long baseline of iterative results was valuable to track changes and our rate of improvement. Access to the API let us automate its use in our CI/CD pipeline for machine images.

How has it helped my organization?

The biggest benefit was integrating Qualys scanning into our CI/CD pipeline to vulnerability-scan new custom machine images (for OpenStack or AWS) before deployment. We’d build the image, instantiate it, run Qualys against it, get the report, post-process it, look for new errors or changes (if any), review just those and either block deployment or update our exceptions list for next time.

What needs improvement?

The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool.

For how long have I used the solution?

Symantec has run Qualys Enterprise against our private OpenStack cloud for at least three years; we started using the Qualys VA on AWS in 06/17.

What do I think about the stability of the solution?

Only those which Qualys scanning revealed in our OpenStack implementation.

What do I think about the scalability of the solution?

Not really, we spun up multiple Qualys servers to walk through our data center cloud infrastructure on a regular basis.

How are customer service and technical support?

Pretty poor, as usual for almost all software products now. Getting past the Tier 1 and 2 call center people is always a challenge, so throwing the company name around isn’t a bad idea.

Which solution did I use previously and why did I switch?

Don’t know what, if anything, preceded Qualys at Symantec.

How was the initial setup?

It took about a month to get the Qualys scan completely integrated and automated in our CI/CD pipeline, but much of that was due to licensing issues and poor API documentation, not the product installation itself.

What's my experience with pricing, setup cost, and licensing?

The “bring your own licenses” model for the virtual appliance isn’t what you might think, so get a clear explanation up front before assuming you can go use virtual appliances on AWS.

Which other solutions did I evaluate?

Yes, the Symantec Global Security Office (GSO) did this, and I don’t know who else they looked at when the selection was made.

What other advice do I have?

My team was responsible for operating the Symantec development hybrid cloud (about 6K servers in four DCs and multiple AWS regions). We use Qualys Enterprise to scan our private cloud infrastructure and machine images, and the Qualys Virtual Appliance to do custom AMI validation before deployment in AWS. I don’t recall which versions we used but we kept them up to date.

I give them a seven out of 10. The product is pretty good, but not great. It simply isn’t feasible for a tool like this to be accurate (no false negatives, few false positives), so you wind up doing a fair amount of post-processing of scan results. The profile update cycles are not what I’d like to see, so the vendor isn’t reacting to new threats anywhere near fast enough.

Also, look at other vendors, of course. Tenable was getting a lot of good buzz at Symantec last year. Be clear in advance on how much “overhead” you’re willing to pay in order to run “regular” scans on your DC machines and networks. In the cloud space, it’s somewhat better to verify the base image once, and focus on application vulnerabilities, where possible.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
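The image-gating step the review above describes (build, instantiate, scan, post-process, review only what is new, then block or update the exceptions list) as an added example. This is not Qualys code and not the reviewer's pipeline: the CSV layout, the QIDs, the exceptions list, the baseline set and the severity-4 block threshold are all constructed assumptions; a real Qualys export would be parsed into the same Finding records.

```python
"""Gate a machine-image build on a vulnerability scan export.

Added example: not Qualys code. The CSV layout below is a constructed,
simplified stand-in for a scan report export, not the real Qualys schema.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample export for one freshly instantiated image: QID is the
# scanner's check identifier, severity runs 1 (low) to 5 (urgent).
SAMPLE_REPORT = """\
qid,title,severity,host
1001,Directory ownership not root,2,10.0.0.5
1002,Outdated OpenSSH version,4,10.0.0.5
1003,Self-signed TLS certificate,3,10.0.0.5
"""

# Exceptions agreed with InfoSec: QID -> justification (constructed).
EXCEPTIONS = {
    "1001": "build-time artefact directory; ownership is reset by cloud-init on first boot",
}

# QIDs already reviewed on the previous image build (constructed baseline).
BASELINE_QIDS = {"1003", "1004"}

# Policy choice (assumption): any new, un-excepted finding at severity 4+ blocks deployment.
BLOCK_SEVERITY = 4


@dataclass(frozen=True)
class Finding:
    qid: str
    title: str
    severity: int
    host: str


@dataclass
class Verdict:
    new: list = field(default_factory=list)       # needs human review this run
    excepted: list = field(default_factory=list)  # matched the exceptions list
    resolved: set = field(default_factory=set)    # in baseline, gone from this scan
    block: bool = False


def parse_report(text: str) -> list:
    """Turn the CSV export into Finding records; int() makes bad severity values fail loudly."""
    reader = csv.DictReader(io.StringIO(text))
    return [Finding(r["qid"], r["title"], int(r["severity"]), r["host"]) for r in reader]


def triage(findings, baseline_qids, exceptions, block_severity=BLOCK_SEVERITY) -> Verdict:
    """Split findings into excepted / new / carried-over and decide whether to block.

    Exceptions are keyed by QID only, so an exception written for one host
    silences the same QID on every image; keep the list short and reviewed.
    """
    verdict = Verdict()
    seen = {f.qid for f in findings}
    verdict.resolved = set(baseline_qids) - seen
    for f in findings:
        if f.qid in exceptions:
            verdict.excepted.append(f)
        elif f.qid not in baseline_qids:
            verdict.new.append(f)
    verdict.block = any(f.severity >= block_severity for f in verdict.new)
    return verdict


def gate_image(report_text: str, baseline_qids=BASELINE_QIDS, exceptions=EXCEPTIONS) -> Verdict:
    """One call per image build: parse, triage, and return the deployment decision."""
    return triage(parse_report(report_text), baseline_qids, exceptions)


if __name__ == "__main__":
    v = gate_image(SAMPLE_REPORT)
    for f in v.new:
        print(f"NEW      sev{f.severity} QID {f.qid}: {f.title}")
    for f in v.excepted:
        print(f"EXCEPTED sev{f.severity} QID {f.qid}: {EXCEPTIONS[f.qid]}")
    print("resolved since baseline:", sorted(v.resolved))
    print("deployment blocked:", v.block)
```

With the constructed data, QID 1001 is silenced by the exceptions list, 1003 is carried over from the baseline, 1004 is reported as resolved, and the new severity-4 finding 1002 blocks the deployment. Findings that reach the baseline never re-block, which is exactly why the exceptions list and the baseline both need a periodic review rather than growing forever.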
it_user488199 - PeerSpot reviewer
Senior Security Systems Engineer at a computer software company with 501-1,000 employees
Vendor
It showed us vulnerabilities that we were not aware of and did not know how to test for. The organization of the assets was a little confusing and overwhelming.

What is most valuable?

  • Ease of use and setup
  • Visibility into our environment

How has it helped my organization?

WAS gave us visibility into our externally exposed web applications and showed us vulnerabilities that we were not aware of and did not know how to test for. We didn't need any knowledge of these vulnerabilities or how they worked to scan for them and to gain the visibility.

What needs improvement?

The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.

For how long have I used the solution?

I have been using it for 18 months.

What was my experience with deployment of the solution?

Scalability would be tough because of how the endpoints are organized. We did not have any issues with deployment or stability.

How are customer service and technical support?

We had a dedicated Technical Account Manager and the support was great.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

Setup of WAS is pretty straightforward and only the organization of endpoints is a bit complex.

What about the implementation team?

Implementation was very simple because we were only using the cloud product and did not have any on-prem scanners.

What was our ROI?

Being able to gain visibility into our environment created a great ROI and licensing for us was competitive, but would have made it tough to scale to our whole internal environment.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user494979 - PeerSpot reviewer
Module Lead with 1,001-5,000 employees
Vendor
It reports fewer false positives than other tools. The tool should have a live HTTP editor and more mature APIs.

What is most valuable?

There is nothing out of the box in the Qualys web application scanning module. One good thing is that it reports fewer false positives.

How has it helped my organization?

We use many other products along with Qualys. In a way, Qualys dashboards are good to keep track of vulnerabilities found asset-wise.

What needs improvement?

The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled.

The tool should have more mature APIs for integration and automation. They should provide more flexible APIs to download reports.

For how long have I used the solution?

I have been using it for almost four years now.

What do I think about the stability of the solution?

Qualys is good, stability-wise.

What do I think about the scalability of the solution?

Qualys is perfect, scalability-wise.

How are customer service and technical support?

On a scale of 1-5 with 5 being the highest, I would rate technical support at 3.

Which solution did I use previously and why did I switch?

I have used Nessus, Burp Suite, and IBM AppScan. Cost- and functionality-wise, I find Burp Suite the best of them all. AppScan is good, but very expensive and reports more false positives.

How was the initial setup?

Setup is straightforward.

What's my experience with pricing, setup cost, and licensing?

Licensing could be cheaper. It is expensive at present.

What other advice do I have?

Qualys is only a good product for in-house vulnerability management programs. It is not feasible to use Qualys for client-facing consulting engagements because of the cost.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user335112 - PeerSpot reviewer
Information Security Manager at a comms service provider with 1,001-5,000 employees
Vendor
​It's provided us with comprehensive, proactive, and automated vulnerability assessment.

What is most valuable?

  • OWASP Top 10 scanning
  • PCI-ASV scanning

How has it helped my organization?

It's provided us with comprehensive, proactive, and automated vulnerability assessment.

For how long have I used the solution?

I've used it for two years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

It's good.

Technical Support:

It's good.

Which solution did I use previously and why did I switch?

We switched due to there being a high number of false positives.

How was the initial setup?

It was straightforward.

What about the implementation team?

We used an integrator.

Which other solutions did I evaluate?

  • Nessus
  • Acunetix
  • Tripwire
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user335103 - PeerSpot reviewer
Info-Security Consultant at a financial services firm with 1,001-5,000 employees
Vendor
It protects against zero-day vulnerabilities, like Heartbleed.

What is most valuable?

It protects against zero-day vulnerabilities, like Heartbleed.

What needs improvement?

It's missing some zero-day patches.

For how long have I used the solution?

I've used it for a few months.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

It's high.

Technical Support:

It's high.

Which solution did I use previously and why did I switch?

I used Rapid7 NeXpose in another shop.

How was the initial setup?

The product was already installed when I got there, I just added more scanning jobs and used the reports for remediation, etc.

Which other solutions did I evaluate?

I evaluated and selected Rapid7 NeXpose in a previous job (over QualysGuard) because the compliance department there vetoed using “an external service”. Also, we wanted to get Metasploit later.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user255879 - PeerSpot reviewer
Security Analyst at a tech services company with 1,001-5,000 employees
Consultant
Automated tools cannot find all the vulnerabilities, but this is one of the best.

What is most valuable?

WAS and being able to integrate Selenium IDE to automate the login process was most helpful.

How has it helped my organization?

The scheduling feature allows us to scan on weekends and holidays in a planned way.

What needs improvement?

Enhancing the capability to find XSS.

For how long have I used the solution?

I've used it for six months.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

I've never had the chance to interact.

Technical Support:

I've never had the chance to interact.

Which solution did I use previously and why did I switch?

This would depend on the clients' requirements.

How was the initial setup?

It's straightforward. In fact, it's one of the easiest solutions to implement.

What about the implementation team?

We used a vendor team who had good expertise.

What other advice do I have?

I would recommend this tool. Simply, go for it. The video tutorials would give an insight on the simplicity and effectiveness of the product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user5130 - PeerSpot reviewer
Security Expert at a financial services firm with 1,001-5,000 employees
Vendor
Premature product - not a proper product to be used for PCI approved Web Scanning

v2 Review: Premature product - not a proper product to be used for PCI approved web scanning

Having done numerous penetration tests using various manual and automated tools, today we are focusing on a new tool called QualysGuard Web Application Scanning v2.4.1. In the process of doing a pentest, we often use a quality automated tool to check for standard issues while we focus on the much more difficult issues of the testing. This reduces the time it takes to do a full test and allows us to work more efficiently, and besides, who wants to waste time doing monotonous, simplistic checking? In this regard, I have used AppScan quite extensively, and HP WebInspect as well, and both are very good tools for the most part. They help out on the basic checks quite a bit.

Quite recently, I was introduced to QualysGuard Web Application Scanner (WAS) v2.4.1. This tool was very simple to use, which is true to the Qualys name. Point and click and you are done. Unfortunately, I found out that it didn't help with the standard checks either.

Problem #1
1. It couldn't even authenticate to basic web forms. I've used AppScan on hundreds of sites, and not once was there a problem in not being able to authenticate. A web security tool isn't very useful if it can't get past the logon screen, because that's where most of the application resides. How is it supposed to check anything if it doesn't get past the logon screen? The Qualys product support/product manager's response to this is to use Selenium scripting. Unfortunately, the current applications that are being tested only run on Internet Explorer (IE), and Selenium scripting's automatic record and playback only works on Firefox. So one must learn a new scripting language in order to make it work with IE. This is hardly an easy point-and-click solution. Learning a new scripting language is time consuming and error prone. Other professional web scanners have this feature built in.

Problem #2
2. It cannot do a manual explore like other professional tools. For instance, manual explore is needed to fill in certain forms properly in order to get to the critical screens for testing. For example, you must fill in a proper social security number to look up the customer and get to the rest of the application. Qualys WAS does not support this feature. This web scanner doesn't allow the user to fill in the initial forms with proper data, thereby never testing the whole application, which is critical. The Qualys product support/product manager's response was that this is a simple point-and-click tool: "we don't support nor do we plan to support complex features such as manual explore."

Problem #3
3. The web service scanner has limited functionality in comparison to other professional tools. In this day and age, many web applications use web services. To not support this feature properly is ridiculous. The Qualys product support/product manager's response: "we only support web service fuzzing at this point." What about testing authenticated web service calls? It also doesn't support pre-populated data on web pages (not web services) other than the logon screen. This pretty much reduces their web service testing to a dummy tool. To make this work, you have to use tools like SoapUI or Burp Suite Pro with scripting/plugins to pre-populate data, manual explore, and sequence test steps.

Problem #4
4. Lack of details provided by Qualys.
a. Most professional tools have an audit log that shows exactly what tests were performed and how they were performed. Qualys does not provide an audit log of what tests they did. We are supposed to guess instead as to what might have actually transpired. The real reason behind not providing an audit log is more likely along the lines of: they don't do all the checks they are supposed to, and even if they did, it probably wasn't exhaustive testing of, say, XSS. Either way, we have no idea whether they did the work they claimed to have or not. A big mystery here!

b. No details provided on the actual request/response when a vulnerability is found. True to the Qualys name of simplicity. The vulnerability finding is so simplistic and lacking in any details as to how it was tested that one wonders how to test whether this finding is a false positive or not. Well, I guess one is supposed to take Qualys' word for it. :)

Problem #5
5. Missed critical session management vulnerabilities.  Qualys missed a critical session management vulnerability that I had to find manually that AppScan would have found.  The Qualys product support/product manager's response, "we are putting in a fix for this soon."

All in all, QualysGuard Web Application Scanner (WAS) v2 is lacking quite a bit in terms of quality and details. Do you want to risk the security of your enterprise by relying on a product like this? Currently, the product is premature and should not be considered a proper product to be used for PCI-approved web scanning. In fact, it should not even be PCI approved until it matures quite a bit. Qualys needs to understand how a true web application scanner works before releasing a premature product to cash in on an exploding market.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
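Problem #4b in the review above is the one a tester feels first: without the request and response behind a finding, there is no way to tell a true positive from a false one. As an added example (not Qualys code and not the reviewer's), the Python below replays a suspected reflected-input finding yourself, records the exact request and a response excerpt as evidence for the report, and decides whether a harmless canary came back unencoded. The local stub application with its /echo and /safe endpoints, the parameter name q and the canary string are all constructed for the demonstration; pointing replay() at a real URL and parameter is the only change needed to use it on a scanner finding.

```python
"""Replay a suspected reflected-input finding and keep the evidence.

Added example: not Qualys code and not the reviewer's. The stub application,
its /echo and /safe endpoints, the parameter name and the canary are all
constructed for the demonstration.
"""
import html
import threading
import urllib.parse
import urllib.request
from contextlib import contextmanager
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Harmless marker: contains angle brackets, so it only survives intact when
# the application writes the parameter into HTML without output encoding.
CANARY = "<zq9canary>"


class StubApp(BaseHTTPRequestHandler):
    """Constructed stand-in for a scanned site: /echo reflects q raw, /safe encodes it."""

    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(parsed.query).get("q", [""])[0]
        if parsed.path == "/echo":
            body = f"<p>Results for {q}</p>"               # reflected unencoded
        elif parsed.path == "/safe":
            body = f"<p>Results for {html.escape(q)}</p>"  # encoded on output
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, format, *args):  # silence per-request logging
        pass


@contextmanager
def stub_server():
    """Serve StubApp on a random loopback port for the lifetime of the block."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), StubApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        yield f"http://127.0.0.1:{srv.server_address[1]}"
    finally:
        srv.shutdown()
        srv.server_close()


def replay(url: str, param: str = "q", canary: str = CANARY) -> dict:
    """Send one request with the canary and return the evidence a report needs."""
    full_url = f"{url}?{urllib.parse.urlencode({param: canary})}"
    with urllib.request.urlopen(full_url, timeout=5) as resp:
        status = resp.status
        body = resp.read().decode("utf-8", "replace")
    return {
        "request": f"GET {full_url}",
        "status": status,
        "response_excerpt": body[:200],
        "confirmed": canary in body,  # False when the canary came back encoded or not at all
    }


def triage_stub_paths(paths=("/echo", "/safe")) -> dict:
    """Run the replay against the constructed stub and map each path to confirmed/refuted."""
    with stub_server() as base:
        return {p: replay(base + p)["confirmed"] for p in paths}


if __name__ == "__main__":
    with stub_server() as base:
        for path in ("/echo", "/safe"):
            ev = replay(base + path)
            print("CONFIRMED" if ev["confirmed"] else "REFUTED  ", ev["request"])
            print("   ", ev["status"], ev["response_excerpt"])
```

The canary carries no script, so the check is safe to run against production and still settles the question: the /echo path returns it byte-for-byte and is confirmed, the /safe path returns it entity-encoded and is refuted. Keeping the request line and response excerpt alongside the verdict is the audit trail the review says the scanner does not provide.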
it_user5130 - PeerSpot reviewer
Security Expert at a financial services firm with 1,001-5,000 employees
Vendor

This is a review of their Web Application Scanning Product and not Vulnerability Management. Their Vulnerability Management Product is actually pretty good.

Buyer's Guide
Download our free Application Security Tools Report and find out what your peers are saying about Qualys, Veracode, Invicti, and more!
Updated: October 2022