Qualys Vulnerability Management Review

Vulnerability management outsourcing is not an easy concept to promote these days, when information is the new power currency. Today, however, I witnessed a Qualys demonstration and I must say I really enjoyed it.

I’m not affiliated with Qualys and this is not a sponsored review.

Whenever I walk into a customer's office I set my consultant hat aside and try to walk a mile in the customer's shoes. That is why I really liked the approach Qualys has taken in implementing their managed vulnerability management service.

In a nutshell:

  • Qualys has built a global web service architecture, developed from the ground up to automate network security auditing and vulnerability management.
  • Qualys hosts a collection of Internet scanners, optimized to scan publicly facing devices globally via the Internet.
  • The QualysGuard Scanner appliances are on-premises versions of those Internet scanners; they let customers bring QualysGuard's assessment capabilities to their internal networks.

While they are still fresh in my mind, these are the top 10 reasons I liked Qualys (in no particular order) and why I would recommend it to my customers.

1. No hardware hassle, no storage troubles.
Ah, it feels so good to know that somebody else has to worry about the confidentiality, integrity and availability of your data. If you choose to also scan the internal network, all you need to worry about is keeping the scanning appliance, which you rent, powered on and connected to your LAN. The appliance still needs an outbound connection to the Qualys platform, which is where the scan data lives. Sweet.

2. Full coverage of the vulnerability lifecycle.
Qualys goes beyond vulnerability scanning and has opted for a full vulnerability management process; I guess one picture is worth 1000 words:


3. Great APIs and 3rd-party integration support.
Being a fully web-managed solution, integration with 3rd-party security vendors is done very easily through a fully documented XML API.

4. Non-intrusive scans.
The most relevant vulnerability results are achieved using authenticated scans (both Windows and Unix/Linux are supported), and it seems that Qualys has made it a top priority to investigate any crash report from a remotely scanned system or service.

5. Everybody gets VIP treatment.
One of my favorite features is that whenever something is fixed for one customer, it is automatically available for everybody. And fast. Another advantage of having a central SOC system is that all the scanners are up to date, and rolling out a new version of the management interface is instantaneous: just open a new browser session.

6. Robust, tamper-proof appliance.
The scanning appliance is truly a black box. You plug it in, set up the IP address and username/password using a front-mounted LCD, and you are good to go. End-to-end SSL encryption fits nicely into any modern network without much firewall reconfiguration.

7. Single point of management.
Role-based administration can be modeled on your organization's structure, and having a web-based console means you can check the appliance status, the scans themselves and the reports from anywhere. Who wouldn't want instant access to those pesky compliance reports whenever the auditor asks for them? Fire up any available browser and you're done.

8. OVAL support.
I know that not many people want to write their own vulnerability checks, but hey, what better way to check for violations of your uber-cool security policy? Qualys integrates new OVAL vulnerability definitions very easily.
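To show what "writing your own check" in OVAL actually involves, here is an added example that is not part of the original post and not Qualys code: a minimal evaluator that parses a constructed OVAL definition (the standard definition -> criterion -> test -> object/state structure, using the real OVAL namespaces), and evaluates an rpminfo-style "installed and older than X" check against a constructed host package inventory. The definition ids, the package name example-httpd and the versions are made up; only the small OVAL subset used in the sample is implemented.

```python
"""Minimal OVAL-style evaluator, added as an illustration (not Qualys code).

It parses a constructed OVAL definition, follows the definition -> criterion
-> test -> object/state references, and evaluates an rpminfo-style version
check against a constructed host package inventory.  Only this small OVAL
subset is implemented; ids, package name and versions are made up.
"""
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
NS = {"oval": OVAL_NS, "lin": LINUX_NS}

# Constructed definition: vulnerable if the hypothetical package
# example-httpd is installed at a version below 0:2.4.10-1.
SAMPLE_DEFINITION = f"""<oval_definitions xmlns="{OVAL_NS}" xmlns:lin="{LINUX_NS}">
  <definitions>
    <definition id="oval:org.example:def:1" version="1" class="vulnerability">
      <criteria operator="AND">
        <criterion test_ref="oval:org.example:tst:1" comment="example-httpd older than 2.4.10"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <lin:rpminfo_test id="oval:org.example:tst:1" version="1" check="at least one">
      <lin:object object_ref="oval:org.example:obj:1"/>
      <lin:state state_ref="oval:org.example:ste:1"/>
    </lin:rpminfo_test>
  </tests>
  <objects>
    <lin:rpminfo_object id="oval:org.example:obj:1" version="1">
      <lin:name>example-httpd</lin:name>
    </lin:rpminfo_object>
  </objects>
  <states>
    <lin:rpminfo_state id="oval:org.example:ste:1" version="1">
      <lin:evr datatype="evr_string" operation="less than">0:2.4.10-1</lin:evr>
    </lin:rpminfo_state>
  </states>
</oval_definitions>"""


def parse_evr(evr):
    """'epoch:version-release' -> comparable tuple; numeric segments compare
    as integers so 2.4.10 sorts after 2.4.6.  A missing epoch means 0."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, release = rest.split("-", 1) if "-" in rest else (rest, "0")
    seg = lambda s: [(0, int(p)) if p.isdigit() else (1, p) for p in s.split(".")]
    return (int(epoch), seg(version), seg(release))


def compare_evr(installed, wanted, operation):
    a, b = parse_evr(installed), parse_evr(wanted)
    return {"equals": a == b, "less than": a < b, "greater than": a > b,
            "less than or equal": a <= b, "greater than or equal": a >= b}[operation]


def eval_test(test, objects, states, inventory):
    """True when the object exists on the host and satisfies the state."""
    obj = objects[test.find("lin:object", NS).get("object_ref")]
    installed = inventory.get(obj.find("lin:name", NS).text)
    if installed is None:
        return False  # package absent: an rpminfo test cannot match
    state_ref = test.find("lin:state", NS)
    if state_ref is None:
        return True  # existence check only
    evr = states[state_ref.get("state_ref")].find("lin:evr", NS)
    return compare_evr(installed, evr.text, evr.get("operation"))


def eval_criteria(criteria, tests, objects, states, inventory):
    """Recursively evaluate a <criteria> node with AND/OR semantics."""
    values = []
    for child in criteria:
        tag = child.tag.split("}")[-1]
        if tag == "criteria":
            values.append(eval_criteria(child, tests, objects, states, inventory))
        elif tag == "criterion":
            values.append(eval_test(tests[child.get("test_ref")], objects, states, inventory))
    return all(values) if criteria.get("operator", "AND") == "AND" else any(values)


def evaluate(definition_xml, inventory):
    """Return {definition id: bool} for a host inventory of {package: evr}."""
    root = ET.fromstring(definition_xml)
    by_id = lambda section: {e.get("id"): e for e in root.find(section, NS)}
    tests, objects, states = by_id("oval:tests"), by_id("oval:objects"), by_id("oval:states")
    return {d.get("id"): eval_criteria(d.find("oval:criteria", NS), tests, objects, states, inventory)
            for d in root.find("oval:definitions", NS)}


if __name__ == "__main__":  # constructed inventories: vulnerable, patched, package absent
    for inv in ({"example-httpd": "0:2.4.6-3"}, {"example-httpd": "0:2.4.10-1"}, {}):
        print(inv, evaluate(SAMPLE_DEFINITION, inv))
```

The part worth noticing is the version comparison: a naive string compare would call 2.4.10 "older" than 2.4.6, so the evaluator splits the EVR into epoch, version and release segments and compares numeric segments as integers. A real engine also has to collect the inventory from the host (authenticated scan) rather than take it as a dictionary, which is exactly what the authenticated-scan point above is about.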

9. Real-time scan reporting.
I really hate it when a full subnet scan has been running for 2 hours, something suddenly goes bad and you have to restart the scan from the beginning. It must have been frustrating for Qualys as well, because they implemented real-time partial scan reports, so you don't lose any data from an ongoing scan in case of an unexpected halt.

10. Audit trails and an integrated remediation ticketing system.
Ever wondered why some vulnerabilities slip by unresolved for weeks? Well, although a remediation ticket has been opened, it might happen that a sysadmin forgot to patch a system or, worse, marked the bug as fixed hoping no one would notice.

Guess what: during the next scan the vulnerability will be found again and the ticket will be re-opened, and because the system keeps a history audit trail, you can see exactly who swept the garbage under the carpet hoping to get away with it.
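The re-open-on-rescan logic described above is simple enough to model in a few dozen lines. The following is an added example, not Qualys's implementation: a ticket tracker in which a sysadmin's "fixed" is only a claim, a later scan either verifies it (vulnerability no longer detected on a host the scan actually covered) or re-opens the ticket, and the audit trail records who made a claim that the rescan contradicted. The host names, vulnerability ids and user names are made up.

```python
"""Re-opening remediation tickets on rescan, with an audit trail.

Added illustration of the workflow described above (not Qualys's own code);
host names, vulnerability ids and user names are made up.
"""
from dataclasses import dataclass, field

OPEN, PENDING, CLOSED = "open", "fixed-pending-verification", "closed"


@dataclass
class Ticket:
    host: str
    vuln_id: str
    state: str = OPEN
    history: list = field(default_factory=list)  # (actor, action) audit trail

    def log(self, actor, action):
        self.history.append((actor, action))


class RemediationTracker:
    def __init__(self):
        self.tickets = {}  # (host, vuln_id) -> Ticket

    def mark_fixed(self, host, vuln_id, actor):
        """A sysadmin claims the fix; the ticket only closes once a scan agrees."""
        t = self.tickets[(host, vuln_id)]
        t.state = PENDING
        t.log(actor, "marked fixed")

    def ingest_scan(self, scanned_hosts, findings, scanner="scanner"):
        """Reconcile tickets with one scan's results.

        scanned_hosts: hosts actually covered by this scan
        findings: set of (host, vuln_id) pairs detected
        Returns (opened, reopened, verified) lists of ticket keys.
        """
        opened, reopened, verified = [], [], []
        for key in sorted(findings):
            t = self.tickets.get(key)
            if t is None:
                self.tickets[key] = t = Ticket(*key)
                t.log(scanner, "opened")
                opened.append(key)
            elif t.state != OPEN:
                t.state = OPEN
                t.log(scanner, "re-opened: still detected on rescan")
                reopened.append(key)
        # Only close claims on hosts this scan actually covered: a host that
        # was out of scope is not evidence that anything was fixed.
        for key, t in sorted(self.tickets.items()):
            if t.state == PENDING and key[0] in scanned_hosts and key not in findings:
                t.state = CLOSED
                t.log(scanner, "verified fixed")
                verified.append(key)
        return opened, reopened, verified

    def false_fix_claims(self, host, vuln_id):
        """Actors who marked the ticket fixed before a scan re-opened it."""
        claimants, contradicted = [], []
        for actor, action in self.tickets[(host, vuln_id)].history:
            if action == "marked fixed":
                claimants.append(actor)
            elif action.startswith("re-opened"):
                contradicted.extend(claimants)
                claimants = []
        return contradicted
```

The one design choice to insist on when building or evaluating such a system is the scanned_hosts check: a ticket must not be auto-closed just because the vulnerability did not show up, since the host may simply have been offline, filtered or out of scope for that scan. Only "scanned and not found" counts as verification.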

Maybe the Qualys engineer was very convincing during the 3-hour presentation and live demo, but I really liked the product and I can't wait to test it myself. Just in case you were wondering, Qualys offers a 14-day free trial. All you need to do is provide a public IP address.

How about you? Do you have any real-world experience with Qualys? Is it as good as the presales presentation made it out to be? I'm very interested in finding out the downsides of deploying an outsourced vulnerability management service like Qualys.


One Response to "Qualys Vulnerability Management Review"

  • 1. May 26th, 2010 19:59

    Check out rapid7.com and their product Nexpose. They're replacing Qualys all the time.
