What needs improvement with Qualys Web Application Scanning?

When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem. In the future, customer support could improve and the output report needs to be simplified for better understanding.

We are concerned with the frequency of their virus code updates and reporting that contains false positives. We do not think that the accuracy of the reporting is as good as it should be. It would be nice if Qualys would provide a solution after analyzing the data for us so we can understand what the cause of a vulnerability is and how to fix it. It would be good enough to provide something like just a download page that describes the problem and the steps to take to resolve the vulnerability. We are researching open source software because Qualys needs to improve their reports and the documentation for the end-users in resolving scanned issues. Sometimes the deployment is complicated. It is not so easy to deploy and that should be simplified. Something like Zap or other open-source software is often easier to deploy.

One area that could be improved is the a data server. That's probably what I most noticed in comparison with the Rapid7. Also, the UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good. Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay. In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good If they could improve and enrich the reports. These are the fundamental differences with Rapid7.

The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities. The scanner reports a lot of false positives, which is something that needs to be improved.

Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.

The solution needs to adjust its pricing. They should make it more affordable.

They should improve the performance of the security scanning. It should have better performance.

The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected. Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.

In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.