2 Replies Latest reply on Apr 24, 2012 7:23 AM by Gerard Decker

    Resources and Timelines for WAS Scans

    Viktor Hargitai

      Dear Qualys Community,

       

      Let me briefly introduce myself. My name is Viktor Hargitai and I am working for Deutsche Post DHL, Global Forwarding as an Information Security Analyst.

       

      We recently had some discussion in our team about resources and timelines for Web Application Security Scans (just the scans, with no application of patches, code changes etc.), and I would be interested in some experience values along the lines of the examples below:

       

      Number of Applications: 100

      Timeline: 6 months

      Resources: Number of Persons needed for scanning ???

       

      or

       

      Number of Applications: 100

      Timeline: Number of months needed for scanning ???

      Resources: 5 Persons available for scanning

       

      I know that such a project depends on a lot of different factors and that it is not easy to define such things, but maybe there are some experience values from other companies which you can share. Thank you all for your support.

       

      Kind regards

       

      Viktor Hargitai

        • Resources and Timelines for WAS Scans
          jkent

          Hello Viktor,

           

          Stating that scanning a web application takes X time is almost impossible.  Keeping that in mind, I can tell you some trends and data I have gathered during my time as a Web Application Scanning Subject Matter Expert.

           

          Solutions that require seat licensing take a fairly long time to set up and complete because the scans are serial.  These types of solutions often run about 80 to 100 assessments per year.  If you wanted to ensure you completed 100 assessments in a 6-month timeframe you would need 3 trained personnel and 3 licenses; this would allow for vetting findings and creating reports.

           

          In contrast to a per-seat license model, Qualys uses a per-application license model and allows for (in Enterprise licensing) unlimited resources for that same cost.  Assuming a scan takes 24 hours, you can complete 100 serial scans in 100 days.  Since we can run the scans very multi-threaded, if they are externally facing apps, you can assume 30 minutes of setup per app and scan as many as you want.  It is possible to scan 100 apps all at once and have the results 24 hours later or, put simply, you could scan 100 apps in 1 day.

           

          I would say that, given 2 or 3 resources, 100 apps scanned in 2 weeks is completely possible with plenty of breathing room.

           

          Please feel free to contact me if you have additional questions.

           

          Jason Kent

          Director, Web Application Security

          jkent AT Qualys DOT com
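The reply above reasons from two figures (30 minutes of analyst setup per app, 24 hours of scanner wall-clock time per assessment) and a licensing model (serial scans on a seat licence versus unlimited concurrency on per-application licensing). The following calculator is an added example, not code from the thread or from Qualys; it turns Viktor's two questions (people for a fixed deadline, months for a fixed team) into functions. Only the 30-minute and 24-hour figures come from the thread; the vetting effort per app, productive hours per day and working days per month are assumptions marked as such in the code and should be replaced with your own measurements.

```python
"""Coarse capacity model for a web-application scanning programme.

Added example (not code from the thread or from Qualys). The 30-minute setup
and 24-hour scan figures come from the reply above; everything else is an
assumption to be replaced with measurements from your own tooling.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScanProgramme:
    apps: int
    scan_hours: float = 24.0           # wall-clock time for one assessment (from the thread)
    setup_minutes: float = 30.0        # analyst time to configure one app (from the thread)
    vet_hours: float = 2.0             # ASSUMPTION: analyst time per app to vet findings and report
    analysts: int = 1
    hours_per_day: float = 8.0         # ASSUMPTION: productive analyst hours per working day
    working_days_per_month: int = 21   # ASSUMPTION
    concurrent_scans: Optional[int] = None  # None = unlimited (per-application licensing);
                                            # 1 = a single seat licence scanning serially

    def analyst_hours(self) -> float:
        """Total human effort: setup plus vetting/reporting for every app."""
        return self.apps * (self.setup_minutes / 60.0 + self.vet_hours)

    def analyst_working_days(self) -> int:
        """Working days of human effort once spread over the available analysts."""
        return math.ceil(self.analyst_hours() / (self.analysts * self.hours_per_day))

    def scan_calendar_days(self) -> float:
        """Wall-clock days the scanners themselves are busy.

        Apps are launched in waves no larger than the concurrency limit; a
        wave takes scan_hours whether it holds 1 app or 100, which is why
        100 serial scans cost 100 days and 100 parallel scans cost 1 day.
        """
        cap = self.apps if self.concurrent_scans is None else max(1, self.concurrent_scans)
        waves = math.ceil(self.apps / cap)
        return waves * self.scan_hours / 24.0

    def months_needed(self) -> float:
        """Thread question 2: apps and people are fixed, how many months?

        Pessimistic bound that does not overlap the stages (people set up,
        scanners run, people vet). Analyst working days convert at
        working_days_per_month; scanner wall-clock days at 30 per month.
        """
        return (self.analyst_working_days() / self.working_days_per_month
                + self.scan_calendar_days() / 30.0)


def analysts_needed(prog: ScanProgramme, months: float) -> Optional[int]:
    """Thread question 1: apps and deadline are fixed, how many people?

    Returns None when the scanners' own wall-clock time already exceeds the
    deadline: that is a licensing/concurrency problem, and adding people
    cannot fix it. prog.analysts is ignored here.
    """
    people_months = months - prog.scan_calendar_days() / 30.0
    if people_months <= 0:
        return None
    available_hours = people_months * prog.working_days_per_month * prog.hours_per_day
    return max(1, math.ceil(prog.analyst_hours() / available_hours))


if __name__ == "__main__":
    serial = ScanProgramme(apps=100, analysts=3, concurrent_scans=1)
    parallel = ScanProgramme(apps=100, analysts=3)
    for name, prog in (("serial, one seat", serial), ("parallel, per-app licence", parallel)):
        print(f"{name}: scanners busy {prog.scan_calendar_days():.0f} days, "
              f"analysts busy {prog.analyst_working_days()} working days, "
              f"about {prog.months_needed():.1f} months end to end")
    print("people for 100 apps in 6 months (serial):", analysts_needed(serial, 6))
    print("people for 100 apps in 3 months (serial):", analysts_needed(serial, 3))
```

With the assumed 2 hours of vetting per app, 100 apps and 3 analysts come out at 11 working days of human effort, in line with the "2 or 3 resources, 2 weeks" estimate in the reply; the number that actually drives the answer is `vet_hours`, so measure it on a pilot batch before quoting a timeline. The model also assumes every app is reachable by the scanner, which the reply only claims for externally facing apps; internal apps add scanner-appliance capacity and network access work that this calculator does not model.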