Qualys VMDR vs. Sonatype Platform

Qualys VMDR is best suited for larger companies with a very large IT asset footprint. Qualys VMDR is not suited for businesses that are small and upcoming as the price for the tool is very expensive and could be a budget sink if not used properly. In our organization we use the Qualys VMDR dashboard and reporting in order to collect any vulnerabilities we miss during our routine audits to ensure that our environment is stable and protected for attacks.

Incentivized

- Guidance on remediation is very good - Vulnerability detection is very good - Support is very good - Ability to ask PMs/POs open questions at Office Hours every month is very good - Support for languages is lacking (TIOBE Index Top20) - Some features are un-neededly hidden and make the usage more complex then it needs to be

• Qualys VMDR automates the remediation process for risks without code.
• Scans and detects all of our assets whether they are IT or IOT
• Analyzes our environment for misconfigurations and measures risk against industry benchmarks

Incentivized

• Nexus firewall is a great feature enabled for all our proxy repositories which are used to download the third-party opensource packages.
• Nexus IQ is integrated with build stage to analyze the component against evaluation policy. This helps to figure out the application security standards.
• Nexus IQ is also having a feature to scan container images before it uploads to our private repository. This is great feature for container platforms.

• Qualys VMDR can definitely improve on its reporting of assets as we have caught devices not captured in the Qualys VMDR scans.
• We would like to see an improvement on the dashboard interface as it is faulty sometimes.
• Qualys VMDR should focus on more competitive pricing as it is very expensive.

Incentivized

• Support on the end of life lifecycle of known open source components that are going end of life, or already went end of life
• Support for emerging infrastructure as code frameworks
• Support for native/ default retention, archiving and clean up policies for hosted repositories

Sonatype supports more than 200 dev(s). It proves with the repository to store the artifacts. Allows for governance of open source software used by the different teams. It is used by security teams to scan for vulnerabilities in software(s) and in the deployed containers. It helps ensure code quality.

Incentivized

infrastructure to identify vulnerabilities

Overall experience is great with the Platform; however, I see some opportunity with upgrading the platform as it is missing with data of historical scans to allow reviewer to get view of trend how the application/product development team is considering fixing the issues.

Incentivized

Extremely good

Sonatype products are great value as I said but a few areas like how products use underlying resources in order to make it further lightweight, is something I would like them to consider.

This is iron but I am giving it 5 star and I can give more If I can do because they are best in support. So once you own this product they will assign a dedicated support for you and when you are under the weather with anything just connect them with anything call, ping or ticket they will come like Genie.

Monthly touchpoints with Sinisa has been very valuable.

Incentivized

easy to implement and performing the scans via automations as well

Incentivized

It is a very similar tool but Qualys VMDR is much better when it comes to reporting and solutions provided. Asset management is really good in Qualys VMDR. Qualys VMDR support is really quick , you can get a TPM if you run into any issues. Qualys VMDR has wide variety of scanning options which lacks in tenable.

Incentivized

Out of other products we evaluated before choosing Sonatype, the later looked far more user friendly, easy to understand and work with. This was key for us, as the tool needs to be used by many engineers that don't have security as their main focus. Having a tool that is easy to understand and work with, makes the process of evaluating open source dependencies much easier and appealing for developers.

Incentivized

Great value for money

Everything is very good except a little concern regarding large scale docker usage.

Very good

• Cut down on manual efforts to investigate or remediate vulnerabilities, which can be a big driver of ROI
• Avoidance of potential incidents with upfront risk mitigation
• Patching efficiency gains

Incentivized

• Sonatype's centralized management of artifacts have made it very easy for developers to share code in an efficient manner.
• Sonatype's low false positive rate has made it easier to convince developers to remediate vulnerabilities
• Sonatype's archaic architecture has made it more expensive to manage than it could be.