It seems a given at this point that companies have to do more vulnerability scans. So it is really just a question of whether you use a service like Qualys' or bring in products from companies like Preventsys and do it yourself.
When we last caught up with Qualys a year ago, the young company was performing about 400,000 customer network vulnerability scans per month, looking for about 2,500 unique vulnerabilities. Today the company is performing a million scans per month, looking for 3,300 potential problems.
To refresh your memory, Qualys offers a service called QualysGuard that customers can use to scan their networks looking to see what ports are open and what servers and services are exposed. External scans are launched from scanners around the world, while internal scans are conducted by appliances dropped into networks behind firewalls. All results are viewed from a Web interface.
Chairman and CEO Philippe Courtot's timing seems good. The recent spate of worm outbreaks is reminder enough that perimeter defenses aren't enough to contend with the latest threats. Courtot says he has 1,400 customers now, 200 of them global companies such as DuPont, Pfizer and Deloitte. Company revenue doubled last year to $8 million, and he says it will soon start tripling.
While many large companies still only do vulnerability scans a few times per year, Qualys customers average 22 scans per year, Courtot says. About 90% scan every two weeks, and 60% scan every week.
He says that even as scanning levels have skyrocketed, the number of bugs reported per scan - crashed servers, false positives, false negatives - has stayed steady at 10 to 30.
That's thanks to the on-demand nature of the service. The software is hosted on Qualys' hardware (even the appliance is managed by Qualys), so he can rehab it quarterly without inconveniencing customers. What's more, "when we eliminate bugs, we do it for all customers at once," Courtot says. "The more customers we have, the more eyes we have identifying potential problems."
Besides making it easier for him to deliver a quality product, the on-demand model means customers can change vendors more easily. A customer might have 30 $3,000 appliances and have invested two months installing the service, "so it wouldn't take much to swap us out," Courtot says. That's an incentive for both Qualys and the customer, he says, and why he thinks hosted products win in the long run.