2 Replies Latest reply: Apr 24, 2012 7:23 AM by Gerard Decker RSS

Resources and Timelines for WAS Scans

Viktor Hargitai

Dear Qualys Community,


Let me briefly introduce myself. My name is Viktor Hargitai and I am working for Deutsche Post DHL, Global Forwarding as an Information Security Analyst.


We had lately some discussion in our Team about resources and timelines for Web Application Security Scans (just scans and no application of patches, code changes etc.) and I would be interested in some experience values like below exampel:


Number of Applications: 100

Timeline: 6 Month

Resources: Number of Persons needed for scanning ???




Number of Applications: 100

Timeline: Number of  month needed for scanning ???

Resources: 5 Persons available for scanning


I know that such a project depends on a lot of different factors and it is not easy to define such things but maybe there are some experience values from other companies which you can share. Thanks you all for your support.


Kind regards


Viktor Hargitai

  • Resources and Timelines for WAS Scans

    Hello Viktor,


    Stating that scanning a web application takes X time is almost impossible.  Keeping that in mind, I can tell you some trends and data I have gathered during my time as a Web Application Scanning Subject Matter Expert.


    Solutions that require seat licensing take a fairly long time to setup and complete because the scans are serial.  These types of solutions often run about 80 to 100 assessments per year.  If you wanted to ensure you completed 100 assessments in a 6 month timeframe you would need 3 trained personnel and 3 licenses, this would allow for vetting findings and creating reports.


    Contrasting a per seat license model, Qualys uses a per application license model and allows for (in Enterprise licensing) unlimited resources for that same cost.  Assuming a scan takes 24 hours, you can complete 100 serial scans in 100 days.  Since we can run the scans very multi threaded, if they are externally facing apps, you can assume 30 minutes of setup per app and scan as many as you want.  It is possible to scan 100 apps all at once and have the results 24 hours later or, put simply, you could scan 100 apps in 1 day.


    I would say that given 2 or 3 resources 100 apps scanned in 2 weeks is completely possible with plenty of breathing room.


    Please feel free to contact me if you have additional questions.


    Jason Kent

    Director, Web Application Security

    jkent AT Qualys DOT com