Educause Security Discussion mailing list archives
Re: Vulnerability Assessment Scanner qualysguard
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Thu, 5 Feb 2009 08:42:38 -0500
> We are looking to deploy a Vulnerability Management scanning solution and potentially looking at the qualys-guard on demand system, taking into consideration ease of deployment and maintenance. I would like to know if any other universities have evaluated/deployed this solution and feedback on the same.
We don't use Qualys here at Carnegie Mellon but I used their product extensively when I worked for a consulting organization. Emphasizing what others have already said, it's a very easy solution to set up and the reporting is some of the best I've seen. It had a good bit of functionality for customizing scans in case you don't want to run full-blown vulnerability scans all the time. If you have quarterly scanning requirements for PCI, they have a customized scan and report for that purpose. It's easy to delegate access based on groups of systems. In my experience their support team is very knowledgeable and provides reasonable turnaround on false positive investigation or any other issues you send their way. It's been about a year and a half since I've used the product so I'm sure there are even more features now.

On the downside, I thought their portal was a little bogged down and it wasn't the easiest to navigate. Not sure if that's changed. Since the appliance has to talk out to the Internet to get updates and schedules, connectivity was a little flaky sometimes. We were also moving them around a lot though. If you're leaving it in one place, that's probably less of an issue.

Reiterating what Hugh already said, Qualys restricts access to scanning results. They restrict access to the point that you had to actually send them scanning results to investigate a false positive. They couldn't just access the portal. To accommodate this, they had a nice web-based system for uploading files to their support team (using randomly generated and temporary URLs). Again, this was a year and a half ago so things might have changed. We also never really validated their claims of protecting scan data, but you could address that contractually.

Regards,
Doug Markiewicz
Information Security Office
Carnegie Mellon University