Educause Security Discussion mailing list archives

Re: Vulnerability Assessment Scanner qualysguard
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Thu, 5 Feb 2009 08:42:38 -0500

> We are looking to deploy a Vulnerability Management scanning solution and potentially
> looking at the qualys-guard on demand system, taking into consideration ease of deployment
> and maintenance. I would like to know if any other universities have evaluated/deployed
> this solution and feedback on the same.

We don't use Qualys here at Carnegie Mellon, but I used their product extensively when I worked for a consulting
organization. Emphasizing what others have already said, it's a very easy solution to set up and the reporting is
some of the best I've seen. It had a good bit of functionality for customizing scans in case you don't want to run
full-blown vulnerability scans all the time. If you have quarterly scanning requirements for PCI, they have a
customized scan and report for that purpose. It's easy to delegate access based on groups of systems. In my
experience their support team is very knowledgeable and provides reasonable turnaround on false positive
investigation or any other issues you send their way. It's been about a year and a half since I've used the product,
so I'm sure there are even more features now.

On the downside, I thought their portal was a little bogged down and it wasn't the easiest to navigate. Not sure if
that's changed. Since the appliance has to talk out to the Internet to get updates and schedules, connectivity was a
little flaky sometimes. We were also moving them around a lot, though. If you're leaving it in one place, that's
probably less of an issue.

Reiterating what Hugh already said, Qualys restricts access to scanning results. They restrict access to the point
that you had to actually send them scanning results to investigate a false positive. They couldn't just access the
portal. To accommodate this, they had a nice web-based system for uploading files to their support team (using
randomly generated and temporary URLs). Again, this was a year and a half ago, so things might have changed. We also
never really validated their claims of protecting scan data, but you could address that contractually.

Regards,

Doug Markiewicz
Information Security Office
Carnegie Mellon University
