Qualys Web Application Scanning Reviews

I think we have the fastest version, and they always upgrade it. I think it's the $2 or $3-a-month version. They have multiple engines inside it, but it's a site-based service. It is not on-demand, so Qualys will host it. It's the pay as you go service that is on the software-as-a-service. 

We use the DAST, dynamic application scan test.

The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours.

One area that could be improved is the a data server. That's probably what I most noticed in comparison with the Rapid7. Also, the UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good. 

Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay.

In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good If they could improve and enrich the reports. These are the fundamental differences with Rapid7.

I have been using Qualys Web Application Scanning for five years.

Qualys Web Application Scanning is very stable and reliable. But the reporting does not look that great.

In terms of scalability, it is very easy to expand. It's very fast and visible.

We don't have many people working on the solution. But our applications are big applications. We are using six components in different applications.

Support is very good.

Because of tasking, the initial setup is very straightforward. We didn't have to purchase any hardware for the installation. It is task-based. The cloud provision is there. It is good. I think nowadays everyone is going with the cloud provisioning. That way you can subscribe for any number of years to use the software. 

I think the initial setup took a couple of hours because there were no plugins and nothing to be installed.

We implemented it ourselves and there was no installation expert here.

Yes, we are still comparing it with Rapid7. We want to first make assessments of what advantages we can get with Rapid7.

My advice for anyone considering this solution is, "Go for it." 

On a scale of one to ten, I would give Qualys Web Application Scanning a seven.

I use Qualys Web Application Scanning for various customers both within and outside the country.

Our clients are mainly from the education and banking sectors, where we support them with financial and backend services.

Qualys Web Application Scanning (WAS) is a DAST tool. It stands for Dynamic Application Security Testing. Unlike SAST (Static Application Security Testing) tools, WAS doesn't examine source code. Instead, it interacts with your web application like a real user, analyzing its responses to identify vulnerabilities.

Qualys WAS also integrates with WAF (Web Application Firewall) solutions, including potentially your company's standard WAF or Security Assertion Markup Language (SAML) interface.

The vulnerability management feature is a strong one. And also the patch management feature.

Qualys integrates with Endpoint Detection and Response (EDR) for malware detection. EDR continuously monitors endpoints and takes snapshots of all of the endpoints and assets. Any changes are collected and sent to the cloud every four hours.

EDR also provides other capabilities like incident response and campaign identification. If malware is detected, the user can get remediation steps and send alerts to the system. It also provides forensic reports if there is a need for more detailed reports from the endpoints. 

Qualys is easy to use as there's no hardware to manage because it's fully cloud-based. Once the platform is installed, you can access all of our services. 

The application product integration, especially integrating Qualys with the DevOps environment like Jenkins, is straightforward. It facilitates continuous testing and integration, allowing us to perform scans on a weekly or monthly basis efficiently.

One area for improvement is the application scan interface. Although recent updates have introduced some features, there's a gap in supporting standards beyond OWASP. 

Currently, there isn't an option to select or integrate other security standards directly within the platform, which limits the scope of scans to primarily OWASP. For broader compliance, custom integrations are required, which is a cumbersome process.

The platform primarily supports OWASP standards for scanning. If an organization needs to comply with other standards, such as ISO or NIST, there's no straightforward option to select these within the scanning interface. 

This limitation requires custom solutions to meet other compliance requirements, which is not ideal.

Qualys should enhance its interface to allow users to easily select and scan according to multiple standards, not just OWASP. This includes both internal and external scans, providing a more flexible and comprehensive approach to web application security.

In addition to choosing standards, there's a distinction between internal and external scanning processes that could be streamlined.

Currently, for internal scanning, specific configurations and scanner appliances need to be deployed within the network, which differs from the simpler setup for external scans. This dual process complicates the setup for comprehensive scanning coverage.

The process should be simplified to eliminate the need for two distinct setups for internal and external scans within Qualys.

I've been working with it for about a year.

Based on my experience, it's highly stable. I haven't encountered significant issues or disruptions in service, indicating a strong and reliable platform.

I would rate the stability a nine out of ten. 

Qualys, being cloud-based, offers excellent scalability. Whenever we need to scale up, we can easily configure settings in the backend. And add licenses for more users.

It allows for easy adjustments to your security needs without the need for physical hardware, facilitating seamless scaling up or down according to your organization's requirements.

In my team, we have a focused group working with Qualys. However, our organization serves a broader range of clients, including small to medium-sized businesses, leveraging Qualys for their security needs.

Qualys provides a dedicated support channel for addressing any issues that arise. The process of raising support tickets is straightforward, and in my experience, the response has been efficient and helpful in resolving issues. 

Positive

I'm aware of Fortify On Demand but haven't used it. Our company only holds licenses for Fortify SaaS and DaaS.

The setup varies based on whether the scanning is for internal or external purposes. Each has its specific requirements and configurations, such as deploying scanner appliances for internal scans. 

Therefore, it's not just a single score; the complexity can range, especially if internal scans are considered, which require more setup.

Qualys offers two deployment methods for web application scanning: internal and external. For internal scans, a scanner can be installed on your network to scan internal applications. 

For external scans, Qualys utilizes cloud-based scanners to scan publicly accessible web applications without requiring any installation on your end.

The deployment time can vary but generally, it doesn't take more than one to two hours to get up and running, depending on the specifics of the setup required.

From my perspective, it is a budget-friendly option. Qualys offers good value for the features and protection it provides. The pricing seems reasonable, considering the comprehensive security solutions it offers.

For those considering Qualys, it's important to understand how it fits into their overall security strategy, especially regarding web application and firewall (WAF) security. 

It's crucial to grasp the full capabilities of Qualys to make an informed decision. I'd advise understanding the product thoroughly to see if it aligns with your security needs.

Overall, I would rate the solution a nine out of ten. 

We use the solution to scan the website.

The tool links vulnerabilities with DDIs and gives a complete overview of the application. The continuous monitoring capability is good.

We have many websites. We don't force scanning on all of them at once because it's taking some time.

The solution should provide more information. AI capabilities could also be added.

I have been using Qualys Web Application Scanning for three months.

It is easy to add new devices. The solution is scalable.

We contacted our manager directly. She added us for progressive scanning, which was done in a few hours.

Positive

We have used NetSparker. Qualys is all about web application Scanning

The initial setup is straightforward and fast. One person can be enough for the deployment.

Overall, I rate the solution a ten out of ten.

The demo was mainly centered around vulnerability management. We were looking to find a tool which is able to do vulnerability management for internal assets and web applications which face the Internet and are exposed on it. We want a platform which can do vulnerability assessment for internal assets and also for assets which are published on the internet.

I did this demo for three to six months.

It gave us an idea of what lay in our network, and the vulnerabilities in it. Most IT admins are not aware of what is happening on the network. It was able to advise them of what's happening on the network. They could see the web-based applications and where attacks on the outside were coming from.

On the dashboard, you can see vulnerabilities that you have, as they are increasing or reducing over periods of time.

It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools.

The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected.

Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.

It is a stable product, once it is implemented. 

We haven't had any major errors or bugs. It runs quite well.

The plans can be installed internally on the infrastructure or be used with a cloud-base scenario. If you have a cloud structure, the scalability is almost unlimited because it all depends on the number of assets that you want to manage. This can be done without any major configuration changes. In terms of scalability, Qualys has handled it quite well.

Technical support was quite responsive and effective. If engaged on email, they got back to us on time. 

When setting up the solution, it was quite a challenge when trying to set up the internal VM. The guides were not able to give all the scenarios one might encounter when installing the product. At some point, we became stuck, not knowing what to do next.

Work closely with your network administrator. The challenge for us was when trying to connect the virtual machine to the cloud on Qualys, ensuring the firewall policy and rules are in line with the communication passing through without being dropped anywhere. 

Support was helpful during implementation. They also referred us to a third-party vendor who we could work with as a partner. 

Licensing was based on the number of assets that you want to scan on your network. You can also do licensing on subscription. On subscription, it is easier and more flexible. You tell Qualys that you want to move from the 1000 to 2000 band or the 3000 or 5000 band, then they will give you the quotation for it. Once you pay for it, applying the licensing is quite easy and effective.

Pricing was reasonable and competitive. It was not too far above the other products.

We have been evaluating the following: Rapid7, Tenable.io, Tenable SecurityCenter, and Acunetix for web applications. 

My company works for another company called Ecolab here in Bangalore. We are an Ecolab digital center, we develop mobile application. We use Vericode and this solution for testing these web applications before going live. This includes the full testing periods and the production phase. Once it has been tested, we then get them ready to go live.

I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews.

When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem.

In the future, customer support could improve and the output report needs to be simplified for better understanding.

I have been using the solution for the last 12 months.

We have expanded the solution in a few areas and it was scalable. We have approximately 50 people using the solution in my organization.

There is some improvement needed for the technical support.

We have used Veracode previously and we are currently still using it.

The installation is complex and it took approximately one month which included the customization.

We are on an annual license for the solution and the pricing could be more affordable.

We are planning on moving to Veracode because we are getting better results and is easier to use than this solution.

My advice to those wanting to implement this solution is if you have experience and knowledge with vulnerability management and reading through all the threats, this could be a good platform for you. If you are a new starter this solution is not a good place to start.

I rate Qualys Web Application Scanning an eight out of ten.

We have been using Qualys Web Application Scanning for automated web architecture scanning in an enterprise environment.

The solution integrates well with our database and asset management, providing a detailed framework that connects products and shares knowledge across them.

The most valuable features are the scheduled scanning, detailed reports, asset management, the knowledge database, and the overall product framework. The integration with other tools is also a significant advantage.

The authenticated scanning feature could be improved by adding support for real-time scanning tokens and authorization tokens. For example, after sessions, having tokens valid for applications allowing automated authenticated scanning, similar to what Burp offers with proxy support, would be beneficial.

The enterprise-level deployment was scalable and supported our business growth well.

We were looking at alternatives like Burp and Acunetix, particularly from the security research side, for better results and accuracy.

Pricing is a significant consideration. Although the product is good for certain details and automated processes, it may not be as cost-effective for some tasks.

We evaluated other solutions like Burp and Acunetix.

For specific web applications, Burp may provide better results, however, for integration of tools, Qualys Web Application Scanning is a good choice.

I'd rate the solution eight out of ten.

Our customers use the solution to audit their web-application before releasing them to the Internet.

Licensing is the most valuable. Qualys provides the best licensing for companies. It is the best product for the development purposes of web applications. The product has a lot of integrations.

The product should allow users to upload their payloads.

I have been using the solution for three years.

I rate the product’s stability an eight out of ten.

I rate the product’s scalability a nine out of ten. 

We did not face any issues while deploying the solution. The product provides good documentation for deployment.

The product has a very good licensing model.

I am using the latest version of the solution.

Tenable makes us wait 90 days to delete the test web application, and Rapid7 does not allow us to delete it as well as  Acunetix (once a year).
I will recommend the solution to others. Overall, I rate the solution an eight out of ten.

My main use of Qualys WAS is for multifactor authentication for web and mobile applications.

Qualys WAS' most valuable features are the navigation flow of the UI and the option for a different layer of security (identification and operation through email and mobile).

Sometimes the response time is low because the handshake fails, and then you have to re-login and start again. In the next release, Qualys should include more integration with different applications and single-sign-on protocol.

I've been using Qualys Web Application Scanning for a year and a half.

Qualys WAS is stable unless we have a breach.

Qualys WAS is scalable.

Qualys' technical support is good but could improve its resolution speed.

Positive

Previously, I used CA Identity Solutions by Broadcom, which had easier integration, more options for MFA, and biometric options.

The initial setup was complex and took about three months to deploy. I would rate the setup experience as four out of five.

We used a vendor team.

Qualys WAS' pricing is competitive.

I would recommend getting the POC done before implementing WAS, especially if there will be a lot of APIs involved in developing the product. Look at how the endpoint security works when the APIs run with a different channel, like web and mobile applications. I would give Qualys WAS a rating of six out of ten.