SandeepKumar1 - PeerSpot reviewer
Design Engineer at Uop Ipl, Honeywell
Real User
Good security options but slow response time and needs more integration
Pros and Cons
  • "Qualys WAS' most valuable features are the navigation flow of the UI and the option for a different layer of security (identification and operation through email and mobile)."
  • "Sometimes the response time is low because the handshake fails, and then you have to re-login and start again."

What is our primary use case?

My main use of Qualys WAS is for multifactor authentication for web and mobile applications.

What is most valuable?

Qualys WAS' most valuable features are the navigation flow of the UI and the option for a different layer of security (identification and operation through email and mobile).

What needs improvement?

Sometimes the response time is low because the handshake fails, and then you have to re-login and start again. In the next release, Qualys should include more integration with different applications and single-sign-on protocol.

For how long have I used the solution?

I've been using Qualys Web Application Scanning for a year and a half.

Buyer's Guide
Qualys Web Application Scanning
March 2025
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
845,406 professionals have used our research since 2012.

What do I think about the stability of the solution?

Qualys WAS is stable unless we have a breach.

What do I think about the scalability of the solution?

Qualys WAS is scalable.

How are customer service and support?

Qualys' technical support is good but could improve its resolution speed.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, I used CA Identity Solutions by Broadcom, which had easier integration, more options for MFA, and biometric options.

How was the initial setup?

The initial setup was complex and took about three months to deploy. I would rate the setup experience as four out of five.

What about the implementation team?

We used a vendor team.

What's my experience with pricing, setup cost, and licensing?

Qualys WAS' pricing is competitive.

What other advice do I have?

I would recommend getting the POC done before implementing WAS, especially if there will be a lot of APIs involved in developing the product. Look at how the endpoint security works when the APIs run with a different channel, like web and mobile applications. I would give Qualys WAS a rating of six out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
YongjinLee - PeerSpot reviewer
Commercial Pre-Sales at Megazone
Consultant
Top 5
Highly stable and scalable solution which is suitable for enterprise businesses
Pros and Cons
  • "The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera."
  • "There should be better visibility into the application."

What is our primary use case?

The primary use case includes scanning the web applications that are public facing.

What is most valuable?

The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera.

What needs improvement?

There should be better visibility into the application. 

For how long have I used the solution?

Our customers have been using this solution for more than three years now.

What do I think about the stability of the solution?

It is a stable solution.

What do I think about the scalability of the solution?

It is a cloud-based solution, so it is easy to scale. 

We work with enterprise-level clients with over 2500 endpoints. 

How are customer service and support?

The customer service and support are good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I would say Qualys is on the better side. It's more about the performance and the quality of the product because it's been around for a long time.

How was the initial setup?

The initial setup is easy. 

What about the implementation team?

The time taken for implementation depends on the customer's environment. It could take around a month, depending on the module. 

We have a team of two to three people to implement at the enterprise level. Moreover, it is easy to maintain. 

What's my experience with pricing, setup cost, and licensing?

We normally purchase an annual license. There are additional costs. From Qualys, it's for the license and maintenance, which includes patches and stuff like that. Additionally, we have our own service delivery costs.

Which other solutions did I evaluate?

I'm familiar with all of the Qualys-based products because we partner with Qualys, so I have a local contact in New Zealand who helps me with all the technical information.

Moreover, I'm a pre-sales specialist, so I recommend the solution to our potential customers and then we implement through another team for customers.

What other advice do I have?

Qualys is a stable and reliable solution. It has been around for a long time.

Overall, I would rate the solution an eight out of ten. There is scope for improvement. It is still an early technology. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
S S RAMA KRISHNA MURTHY  SURI - PeerSpot reviewer
Senior Manager at valuelabs LLP
MSP
Helpful support, many great integrations, and lots of reference material
Pros and Cons
  • "It works with many different products."
  • "There could be better management and faster scanning."

What is our primary use case?

We use the solution alongside others for static scanning. It's used for endpoint scanning. 

What is most valuable?

The monitor's ability to read the reports, or to do very detailed reports is great. It's good at looking at the different vulnerabilities. Rarely are there security loopholes. It can also suggest ways to mitigate risks and vulnerabilities. 

There's a lot of great reference material. 

The integration is great. It works with many different products. 

What needs improvement?

There could be better management and faster scanning. An application may have a lot of URLs and complexity. If there are a couple of applications, that complexity multiplies. It can take three or four days to scan. That's too long. It should be maybe three or four hours. 

For how long have I used the solution?

We've been using the solution for two years. 

What do I think about the stability of the solution?

It's a stable product. There are no bugs or glitches and it doesn't crash or freeze. The solution is reliable. 

What do I think about the scalability of the solution?

It leverages the cloud. One of the upsides of that is the scalability that is possible. 

We have about 500 to 600 people on the solution currently.

How are customer service and support?

Technical support is very good whenever we send them a message. They will schedule a call and then they will check in with us until the issue's resolved or until we understand the entire problem and they clarify issues. They're very quick as well.

How was the initial setup?

The initial setup, due to the fact that it is the cloud, is very easy. It's a SaaS solution. We don't have to install anything in order to get going. You are on it right away. There is no deployment time to get through. 

Since it's so quick and immediate, you don't need a big team to get it off the ground. 

What about the implementation team?

We were able to handle the implementation ourselves. It's not hard. You don't need consultants or integrators.

What was our ROI?

We have seen an ROI and my understanding is that it is pretty good. 

What's my experience with pricing, setup cost, and licensing?

I don't directly deal with the licensing aspect of the product. 

What other advice do I have?

I'd recommend the solution to others. We haven't had any issues after two years of working with it. 

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
SubhajitAich - PeerSpot reviewer
Security Consultant at Cognizant
Real User
Top 10
User-friendly, good scanning analysis and reporting, and offers real-time vulnerability monitoring
Pros and Cons
  • "The interface is user-friendly and easy to understand."
  • "The scanner reports a lot of false positives, which is something that needs to be improved."

What is our primary use case?

We primarily use this solution for VM scanning. We scan more than a thousand applications.

What is most valuable?

The most valuable features are scanning analysis and reporting.

This solution also provides real-time monitoring.

The interface is user-friendly and easy to understand.

What needs improvement?

The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities.

The scanner reports a lot of false positives, which is something that needs to be improved.

For how long have I used the solution?

We have been using Qualys for almost a year.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

In terms of scalability, Qualys is good.

How are customer service and technical support?

I have not dealt with technical support yet because there are other people dealing with issues that arise. My understanding is that technical support is good.

Which solution did I use previously and why did I switch?

I have also used the Nexus Vulnerability Scanner and it reports fewer false positives.

How was the initial setup?

This solution was implemented before I joined the department.

What's my experience with pricing, setup cost, and licensing?

There are different options available with respect to licensing.

What other advice do I have?

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
IT Security Analyst at Banco de Fomento Angola
Real User
Top 5
A stable and easy-to-deploy solution that helps organizations to manage the vulnerabilities in their network
Pros and Cons
  • "The product prevents possible vulnerabilities in our network."
  • "The support could be faster."

What is our primary use case?

We use the solution for scanning and vulnerability management.

What is most valuable?

The product prevents possible vulnerabilities in our network.

What needs improvement?

It will be good if Qualys is integrated with QRadar.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

The tool is stable.

What do I think about the scalability of the solution?

The tool is scalable since it is on the cloud. We have 60 users.

How are customer service and support?

The support is moderately good. Sometimes, the team responds on time. Sometimes, it takes time. The support could be faster.

Which solution did I use previously and why did I switch?

I have used many other tools. In some cases, I prefer other tools because they give better visibility into the vulnerabilities. In general, Qualys is good.

How was the initial setup?

The initial setup was super easy because it is cloud-based. We use it internally. The installation took two days. We had to improve the tools and create the tags and assets. Two or three engineers can deploy the product. The product is easy to maintain.

What other advice do I have?

I integrate Qualys and QRadar. QRadar is for SCM. It helps centralize the management of the network. It provides good visibility of Qualys. Qualys is a good product. There are better tools in the market. However, I recommend Qualys to others. Overall, I rate the product an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer1138395 - PeerSpot reviewer
Sr Cybersecurity Leader at a non-tech company with 1,001-5,000 employees
Real User
We like its process of updating signatures, and it's way ahead of its industry peers.
Pros and Cons
  • "Qualys' process of updating signatures is something we really appreciate, and it's way ahead of its industry peers."
  • "We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 conference scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans."

What is our primary use case?

There are two parts. We use Web Application Scanning licenses to constantly assess our websites. When there are any changes on our websites, Qualys checks to see if there is a vulnerability. We use a SecOps/DevOps methodology, so Qualys is integrated into the development cycle. Qualys runs every time we update the site.

What is most valuable?

Qualys' process of updating signatures is something we really appreciate, and it's way ahead of its industry peers. 

For how long have I used the solution?

We have been using Web Application Scanning since 2018. 

What do I think about the stability of the solution?

Web Application Scanning is a stable solution.

What do I think about the scalability of the solution?

We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 conference scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans.

How are customer service and support?

I've had some issues with Qualys support. It's transactional. There is no face to the support model. I don't see anyone from Qualys engaging with us on a quarterly business or annual business review to help us understand if we are fully utilizing Qualys' capabilities. 

This isn't a technical problem. It's more of an issue with customer relations. I think they can improve by touching base with us more often to let us know if our rollout is following industry best practices or not. 

How was the initial setup?

We used Verizon to help us with the rollout, and there were no trouble tickets or any technical issues with the rollout, so I would say the implementation was pretty smooth. The design-build phase took a couple of weeks.

What's my experience with pricing, setup cost, and licensing?

We pay for a yearly license, but we also pay a separate cost for an engineer from Verizon.

Which other solutions did I evaluate?

When evaluating Qualys, we looked at industry best practices and state-of-the-art tools. Qualys was the default leader in its segment, so we went ahead with Qualys. I've used other solutions in the past, but Qualys the segment. That's why we went with them.

What other advice do I have?

I rate Qualys Web Application Scanning nine out of 10. I think Web Application Scanning should integrate VMDR, a more enhanced capability that Qualys offers for enterprise vulnerability assessments. However, Qualys is way ahead of the competition on the web application front. 

If you're an industrial company, you should evaluate the OT scanning capability that Qualys is about to launch. It will cover all your enterprise web applications and secure your factories as well. Qualys should be a one-stop shop meeting all your end-to-end vulnerability assessment requirements, so you don't need to buy solutions from different vendors.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer2254848 - PeerSpot reviewer
Technical Lead at a computer software company with 501-1,000 employees
Real User
Top 20
Easy-to-deploy product with good stability
Pros and Cons
  • "It is a good product for website penetration testing to detect vulnerabilities."
  • "The product's pricing could be better."

What is our primary use case?

We primarily use Qualys Web Application Scanning for website penetration testing.

What is most valuable?

It is a good product for website penetration testing to detect vulnerabilities.

What needs improvement?

The product's pricing could be better.

For how long have I used the solution?

We have been using Qualys Web Application Scanning for less than a year.

What do I think about the stability of the solution?

The platform has good stability.

What do I think about the scalability of the solution?

It is a scalable product.

How are customer service and support?

The technical support services are good.

How was the initial setup?

Qualys Web Application Scanning is easy to deploy.

What's my experience with pricing, setup cost, and licensing?

It is an expensive platform.

What other advice do I have?

Qualys Web Application Scanning is easy to use and deploy. I rate it a nine out of ten. However, it could be less expensive compared to other open-source tools.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Sr. Director, Cloud Platform Engineering at a tech vendor with 5,001-10,000 employees
Real User
We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products.

What is most valuable?

We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products. It reports only a few glaring false-positive errors (directory ownership was a common one), and our post-processing dealt with the known exceptions we’d agreed on. The long baseline of iterative results was valuable to track changes and our rate of improvement. Access to the API let us automate its use in our CI/CD pipeline for machine images.

How has it helped my organization?

The biggest benefit was integrating Qualys scanning into our CI/CD pipeline to vulnerability-scan new custom machine images (for OpenStack or AWS) before deployment. We’d build the image, instantiate it, run Qualys against it, get the report, post-process it, look for new errors or changes (if any), review just those and either block deployment or update our exceptions list for next time.

What needs improvement?

The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool.

For how long have I used the solution?

Symantec has run Qualys Enterprise against our private OpenStack cloud for at least three years; we started using the Qualys VA on AWS in 06/17.

What do I think about the stability of the solution?

Only those which Qualys scanning revealed in our OpenStack implementation.

What do I think about the scalability of the solution?

Not really, we spun up multiple Qualys servers to walk through our data center cloud infrastructure on a regular basis.

How are customer service and technical support?

Pretty poor, as usual for almost all software products now. Getting past the Tier 1 and 2 call center people is always a challenge, so throwing the company name around isn’t a bad idea.

Which solution did I use previously and why did I switch?

Don’t know what, if anything, preceded Qualys at Symantec.

How was the initial setup?

It took about a month to get the Qualys scan completely integrated and automated in our CI/CD pipeline, but much of that was due to licensing issues and poor API documentation, not the product installation itself.

What's my experience with pricing, setup cost, and licensing?

The “bring your own licenses” model for the virtual appliance isn’t what you might think, so get a clear explanation up front before assuming you can go use virtual appliances on AWS.

Which other solutions did I evaluate?

Yes, the Symantec Global Security Office (GSO) did this, and I don’t know who else they looked at when the selection was made.

What other advice do I have?

My team was responsible for operating the Symantec development hybrid cloud (about 6K servers in four DCs and multiple AWS regions). We use Qualys Enterprise to scan our private cloud infrastructure and machine images, and the Qualys Virtual Appliance to do custom AMI validation before deployment in AWS. I don’t recall which versions we used but we kept them up to date.

I give them a seven out of 10. The product is pretty good, but not great. It simply isn’t feasible for a tool like this to be accurate (no false negatives, few false positives), so you wind up doing a fair amount of post-processing of scan results. The profile update cycles are not what I’d like to see, so the vendor isn’t reacting to new threats anywhere near fast enough.

Also, look at other vendors, of course. Tenable was getting a lot of good buzz at Symantec last year. Be clear in advance on how much “overhead” you’re willing to pay in order to run “regular” scans on your DC machines and networks. In the cloud space, it’s somewhat better to verify the base image once, and focus on application vulnerabilities, where possible.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
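
The post-processing step described in the review above (compare a new image scan with the previous results and the agreed exceptions, review only what is new or changed, then block or deploy) can be sketched as follows. This is an added example, not the reviewer's pipeline or Qualys code; the `Finding` record shape, the check IDs, the 1-5 severity scale and the `block_at` threshold are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str   # scanner's check identifier (placeholder values below)
    target: str     # file, package or service the finding refers to
    severity: int   # assumed scale: 1 (info) .. 5 (critical)


def key(f):
    # Identity excludes severity so a re-scored finding counts as "changed", not "new".
    return (f.check_id, f.target)


def gate(current, baseline, exceptions, block_at=3):
    """Diff this scan against the last accepted scan and the exceptions set.

    exceptions is a set of (check_id, target) tuples agreed as known false
    positives or accepted risks. Returns the decision plus review lists.
    """
    base = {key(f): f for f in baseline}
    cur_keys = {key(f) for f in current}
    new, changed, excepted = [], [], []
    for f in current:
        k = key(f)
        if k in exceptions:
            excepted.append(f)                 # known and agreed: never blocks
        elif k not in base:
            new.append(f)                      # first time this finding appears
        elif f.severity > base[k].severity:
            changed.append(f)                  # same finding, now rated worse
    resolved = [f for f in baseline if key(f) not in cur_keys]
    # Exceptions that match nothing any more should be pruned, not kept forever.
    stale = sorted(exceptions - cur_keys)
    blocking = [f for f in new + changed if f.severity >= block_at]
    return {
        "decision": "block" if blocking else "deploy",
        "blocking": blocking, "new": new, "changed": changed,
        "excepted": excepted, "resolved": resolved, "stale_exceptions": stale,
    }


# Constructed sample data: the last accepted scan, the scan of the new image,
# and the exceptions list (directory ownership is the false positive the
# review mentions; the NTP entry no longer matches anything).
BASELINE = [
    Finding("CHK-DIR-OWNER", "/var/log/app", 2),
    Finding("CHK-SSH-CIPHER", "sshd:22", 3),
    Finding("CHK-OLD-PKG", "openssl", 4),
]
CURRENT = [
    Finding("CHK-DIR-OWNER", "/var/log/app", 2),
    Finding("CHK-SSH-CIPHER", "sshd:22", 4),
    Finding("CHK-WORLD-WRITABLE", "/etc/cron.d/job", 4),
    Finding("CHK-BANNER", "sshd:22", 1),
]
EXCEPTIONS = {("CHK-DIR-OWNER", "/var/log/app"), ("CHK-NTP", "ntpd:123")}

if __name__ == "__main__":
    result = gate(CURRENT, BASELINE, EXCEPTIONS)
    print(result["decision"])
    for f in result["blocking"]:
        print("review:", f.check_id, f.target, "severity", f.severity)
```

After review, a blocking finding is either fixed in the image or its key is added to the exceptions set, and the gate is run again.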