Continuous security and vulnerability detection—both Tenable and Qualys have built industry-leading suites around these two cybersecurity disciplines. The latter in particular serves as a focal point for both vendors, with Tenable SecurityCenter and Qualys Enterprise going head-to-head for the top slot in the vulnerability management category. Let's see how the two stack up in this comparison.
Though it's become quite fashionable lately to declare perimeter security "dead", the truth of the matter is that firewalls and endpoint security mechanisms remain crucial components of enterprise security. However, they should never stand as lone sentries between the enterprise's IT assets and cyber attackers. The continuous security required for protecting against today's cyber attacks is provided by a myriad of tools and platforms working in conjunction: vulnerability detection, compliance monitoring, security information and event management (SIEM) / log management systems, smart / next-generation firewalls (NGFW), and more. Tenable and Qualys both offer integrated security platforms built around vulnerability detection, layering on additional security mechanisms like malware detection, security analytics, and anomaly detection.
Perhaps best known for its free (for personal use) Nessus vulnerability scanner, Tenable and its SecurityCenter platform offer vulnerability management and security analytics—viewed/managed with a series of pre-built, highly customizable dashboards and reports.
The Tenable interface. Source: Tenable Network Security / YouTube.com.
SecurityCenter Continuous View (CV) adds additional features for continuous visibility, advanced analytics, real-time metrics, and continuous compliance, among others.
Founded in 1999, Qualys is an established name in enterprise security, with a full range of freemium solutions, continuous security platforms, and subscription-based security services. Its flagship platform is the aptly-named Qualys Enterprise, formerly known as QualysGuard.
The Qualys Vulnerability Management UI. Source: Qualys.com
Qualys Enterprise is essentially a continuous security suite of tools for vulnerability management, asset discovery, network security, web app security, threat protection, and compliance monitoring.
Side-by-Side Scoring: Tenable vs. Qualys
1. Capability Set
Both SecurityCenter CV and Qualys Enterprise were designed to be comprehensive continuous security solutions, and both certainly excel in this regard. Qualys Enterprise's asset management capabilities and cloud/web app security features in particular are worth noting, while Tenable SecurityCenter CV's Nessus vulnerability scanner and advanced security analytics are the platform's strong points.
2. Ease of Use
Tenable's offering features a streamlined HTML5 interface and intuitive, user-friendly navigation elements—a vast improvement from its previous Flash-based implementation. Similarly, Qualys Enterprise's web-based interface is easy to get up to speed with, but can feel somewhat overmodularized due to the number of moving, interacting parts in the solution suite.
3. Security Rating
UpGuard's CyberRisk platform is used by hundreds of companies to automatically monitor their third-party vendors. We ran a quick surface scan on both Tenable and Qualys, and found them in a similar security position. Both companies have similar risks, which include:
- DNS being susceptible to man-in-the-middle attacks
- Potential for emails to be fraudulently sent from their domain
- Increased susceptibility to man-in-the-middle attacks
Qualys has a higher risk of domain hijacking, as they do not use domain registry protection. This gives Tenable a slight edge, and a slightly higher rating.
4. Community Support
Qualys hosts an active community off its corporate website, as does Tenable—in this case, the latter takes the cake for its robust discussion forum. Additionally, Nessus—originally an open source project—commands a legion of loyal followers as one of the most popular and capable vulnerability scanners.
5. Release Rate
Tenable SecurityCenter is currently on version 5.2 and has been undergoing regular releases since its inception. Nessus (currently at version 6)—at one point considered the most popular vulnerability scanner in the world—was launched in 1998 and sees full version updates roughly every 2 years. Qualys' vulnerability scanner and cloud-based security platform (currently at 8.7) has also undergone regular updates over the years, despite several confusing rebranding and product consolidation efforts.
6. Pricing and Support
As a SaaS-based offering, Qualys Enterprise is sold on an annual subscription basis; pricing in the past has ranged from $295 for small businesses to $1,995 for larger enterprises, depending on the number of endpoints monitored. Tenable SecurityCenter costs upwards of $20,000 plus annual maintenance—a considerable investment for budget-conscious organizations.
Both vendors offer premium phone, web, and onsite support options, as well as a range of professional services to boot.
7. API and Extensibility
The Qualys API is a non-REST, XML-based interface for integrating custom applications with Qualys cloud security and compliance solutions. In contrast, Tenable SecurityCenter provides a more modern REST API for integrating with other applications or hooking scripting interactions into the SecurityCenter server.
8. 3rd Party Integrations
Both solutions feature a broad range of 3rd party integrations and technology partners. Qualys integrates with ServiceNow, BMC, ForeScout, and Splunk, among others, while Tenable's myriad of integrations—including vendors like Cisco, Salesforce, and Airwatch—allow customers to get the most out of their security platform investments.
9. Companies that Use It
Both security solutions are in use by many of the world's most prominent enterprises. Tenable purportedly has more than one million users and over 20,000 enterprise customers worldwide, including the U.S. Department of Defense, Deloitte, Visa, BMW, Adidas, and Microsoft. According to Qualys, more than 60% of the Forbes Global 50 rely on its continuous security solutions, including the likes of Cisco, DuPont, Microsoft, Sabre, and Sony Network Entertainment.
10. Learning Curve
Both continuous security platforms are relatively easy to learn, largely due to the solutions' streamlined web interfaces and detailed product documentation.
Scoreboard and Summary
|Ease of Use
||813 / 950
||795 / 950
|Pricing and Support
|API and Extensibility
|3rd Party Integrations
|Companies that Use It
|| 4.6 / 5
|| 4.3 / 5
Both Qualys Enterprise and Tenable SecurityCenter CV offer continuous cyber protection through an array of layered security tools and services. Qualys sports some impressive asset management capabilities, while Tenable offers advanced security analytics and an industry-leading vulnerability scanner. That said, Tenable can be a challenge for small to mid-range organizations to acquire; as such, budget sensitive firms will certainly find Qualys more manageable from a cost perspective.