Qualys Web Application Scanning Reviews

We use Qualys Internet-based scanners for external penetration testing as well as PCI scans for our clients. The tool being Internet based, it can be accessed from any location, and it does not have issues with updating the patches as well as versions (QualysGuard updates the tool at specific periods in a year with prior information). The report generated by QualysGuard is very detailed and easy to understand.

In order to finish a project, a penetration test in our company is on average five days, including documentation. Without this tool, the testing would take five days! 

By using QualysGuard, we are able to finish external scans with assured results in half the time.

QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations.

In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the scanner testing.

The product that we used in our office under different environments is highly stable.

This product is designed for easy scalability and can easily scale up without major challenges.

We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve issues.

It is a straightforward implementation. Once you register over the Internet, they assign you a set of static IP addresses which can be used to perform web-based scans. The administrator panel is easy to understand and create.

It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.

Try the free trial of the product to understand the basic working mechanisms.

We did try Acutenix, but the quality of results and user interface of Qualys was excellent in comparison.

We are an institutional partner of QualysGuard and buy bulk licenses. 

We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products. It reports only a few glaring false-positive errors (directory ownership was a common one), and our post-processing dealt with the known exceptions we’d agreed on. The long baseline of iterative results was valuable to track changes and our rate of improvement. Access to the API let us automate its use in our CI/CD pipeline for machine images.

The biggest benefit was integrating Qualys scanning into our CI/CD pipeline to vulnerability-scan new custom machine images (for OpenStack or AWS) before deployment. We’d build the image, instantiate it, run Qualys against it, get the report, post-process it, look for new errors or changes (if any), review just those and either block deployment or update our exceptions list for next time.

The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool.

Symantec has run Qualys Enterprise against our private OpenStack cloud for at least three years; we started using the Qualys VA on AWS in 06/17.

Only those which Qualys scanning revealed in our OpenStack implementation.

Not really, we spun up multiple Qualys servers to walk through our data center cloud infrastructure on a regular basis.

Pretty poor, as usual for almost all software products now. Getting past the Tier 1 and 2 call center people is always a challenge, so throwing the company name around isn’t a bad idea.

Don’t know what, if anything, preceded Qualys at Symantec.

It took about a month to get the Qualys scan completely integrated and automated in our CI/CD pipeline, but much of that was due to licensing issues and poor API documentation, not the product installation itself.

The “bring your own licenses” model for the virtual appliance isn’t what you might think, so get a clear explanation up front before assuming you can go use virtual appliances on AWS.

Yes, the Symantec Global Security Office (GSO) did this, and I don’t know who else they looked at when the selection was made.

My team was responsible for operating the Symantec development hybrid cloud (about 6K servers in four DCs and multiple AWS regions). We use Qualys Enterprise to scan our private cloud infrastructure and machine images, and the Qualys Virtual Appliance to do custom AMI validation before deployment in AWS. I don’t recall which versions we used but we kept them up to date.

I give them a seven out of 10. The product is pretty good, but not great. It simply isn’t feasible for a tool like this to be accurate (no false negatives, few false positives), so you wind up doing a fair amount of post-processing of scan results. The profile update cycles are not what I’d like to see, so the vendor isn’t reacting to new threats anywhere near fast enough.

Also, look at other vendors, of course. Tenable was getting a lot of good buzz at Symantec last year. Be clear in advance on how much “overhead” you’re willing to pay in order to run “regular” scans on your DC machines and networks. In the cloud space, it’s somewhat better to verify the base image once, and focus on application vulnerabilities, where possible.

• Ease of use and setup
• Visibility into our environment

WAS gave us visibility into our externally exposed web applications and showed us vulnerabilities that we were not aware of and did not know how to test for. We didn't need any knowledge of these vulnerabilities or how they worked to scan for them and to gain the visibility.

The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.

I have been using it for 18 months.

Scalability would be tough because of how the endpoints are organized. We did not have any issues with deployment or stability.

We had a dedicated Technical Account Manager and the support was great.

We did not previously use a different solution.

Setup of WAS is pretty straightforward and only the organization of endpoints is a bit complex.

Implementation was very simple because we were only using the cloud product and did not have any on-prem scanners.

Being able to gain visibility into our environment created a great ROI and licensing for us was competitive, but would have made it tough to scale to our whole internal environment.

There is nothing out of the box in the Qualys web application scanning module. One good thing is that it reports fewer false positives.

We use many other products along with Qualys. In a way, Qualys dashboards are good to keep track of vulnerabilities found asset-wise.

The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled.

The tool should have more mature APIs for integration and automation. They should provide more flexible APIs to download reports.

I have been using it for almost four years now.

Qualys is good, stability-wise.

Qualys is perfect, scalability-wise.

On a scale of 1-5 with 5 being the highest, I would rate technical support at 3.

I have used Nessus, Burp Suite, and IBM AppScan. Cost- and functionality-wise, I find Burp Suite the best of them all. AppScan is good, but very expensive and reports more false positives.

Setup is straightforward.

Licensing could be cheaper. It is expensive at present.

Qualys is only a good product for in-house vulnerability management programs. It is not feasible to use Qualys for client-facing consulting engagements because of the cost.

• OWASP Top 10 scanning
• PCI-ASV scanning

It's provided us with comprehensive, proactive, and automated vulnerability assessment.

I've used it for two years.

No issues encountered.

No issues encountered.

No issues encountered.

It's good.

It's good.

We switched due to there being a high number of false positives.

It was straightforward.

We used an integrato

• Nessus
• Acunetix
• Tripwire

It protects against zero-day vulnerabilities, like Heartbleed.

It's missing some zero-day patches.

I've used it for a few months.

No issues encountered.

No issues encountered.

No issues encountered.

It's high.

It's high.

I used Rapid7 NeXpose in another shop.

The product was already installed when I got there, I just added more scanning jobs and used the reports for remediation, etc.

I evaluated and selected Rapid7 NeXpose in a previous job (over QualysGuard) because the compliance department there vetoed using “an external service”. Also, we wanted to get Metasploit later.

WAS and being able to integrate Selenium IDE to automate the login process was most helpful.

Scheduling feature allows to scan on the weekends and holidays in a planned way.

Enhancing the capability to find XSS.

I've used it for six months.

No issues encountered.

No issues encountered.

No issues encountered.

I've never had the chance to interact.

I've never had the chance to interact.

This would depend on the clients' requirements.

It's straightforward. In fact, it's one of the easiest solutions to implement.

We used a vendor team who had good expertise.

I would recommend this tool. Simply, go for it. The video tutorials would give an insight on the simplicity and effectiveness of the product.