Cloud Platform
Contact us
Try it
Asset Management
Vulnerability & Configuration Management
Risk Remediation
Threat Detection & Response
Cloud Security

See Resources


BUSINESS: Mobile-based Authentication services.

SCOPE & SIZE: Headquarters: Kansas; acquired by Microsoft

SECURITY CHALLENGE: As PhoneFactor's systems grew in size and complexity, the company needed a more efficient way to mitigate the risks associated with software vulnerabilities and system misconfigurations.


  • Qualys Vulnerability Management
  • Qualys Web Application Security


  • Easy to deploy and manage.
  • Would not require risky firewall settings to use.
  • Comprehensive reports provide the actionable information needed to remedy software flaws.
  • To automate many aspects of the vulnerability management lifecycle: network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking.
Envelope Print

PhoneFactor: Dials Qualys for Automated Vulnerability Management

As this authentication provider's IT systems grew, so did its need for an effective and streamlined way to ensure the security and integrity of its infrastructure.
PhoneFactor home page

For a select few companies, IT security is more than a function of normal operations – it's an essential aspect of what they are as businesses.

"Qualys has met, even exceeded, our expectations in areas, and we are still looking for new ways we can leverage Qualys. It will be an important part in how we keep our infrastructure and services secure for a long time."

Chandra Sekhar Surapaneni,
Director of Engineering at PhoneFactor

PhoneFactor, Inc. is one of those few. PhoneFactor, since its 2001 founding, has been an innovator of phone-based two-factor authentication. Since then, PhoneFactor has grown successfully in its mission to provide strong authentication for enterprise and consumer applications alike.

As one would suspect, the security and the availability of PhoneFactor's infrastructure is critical to its customers, who rely on its services for secured access to important resources and for transactions they can trust. That's one reason why, as it grew more successful and its IT infrastructure expanded, the importance of having a vigorous vulnerability management program in place also did. A repeatable, effective vulnerability management program is one of the most efficient ways to ensure that systems remain configured properly, are free of known software flaws, and are protected from the latest vulnerabilities and attack exploits.

Ad-hoc Assessments No Longer Enough

When PhoneFactor's infrastructure was considerably smaller than it is today, each team could assess various segments of its infrastructure through manual review and scanning processes. Also at that time, because each group was running its own vulnerability assessment tools, it was becoming increasingly difficult to track how often assessments were conducted, and then combine all of the findings into a unified report that provided a comprehensive view of risk across the organization.

As PhoneFactor's servers grew into the hundreds, the number of data centers increased, and its infrastructure became more complex, it became progressively more important for the IT team to centrally manage and oversee its vulnerability management efforts. "Our infrastructure is very complex. Every component in our data centers have at least 10 or 20 iterations for scalability and redundancy. There are a lot of moving parts," Surapaneni says.

With that in mind, he and his team began searching for ways they could centralize the assessments of their infrastructure and find ways to automate processes wherever possible. "We also needed to manage our assessment reports so we could make more intelligently informed judgments on how to best manage any risks in our infrastructure," Surapaneni says.

The Options: Build In-house or Deploy a Market Leader

The team's first instinct was to build a vulnerability assessment toolset in-house. "We soon decided against that path. Our core business is authentication, and we didn't want to get into the vulnerability management business," he says.

Toward those efforts, PhoneFactor conducted an extensive market evaluation of available vulnerability assessment applications. Choosing the best platform for its needs was not a difficult decision, explains Surapaneni. PhoneFactor selected Qualys Vulnerability Management (VM), and Qualys Web Application Security (WAS). Qualys VM automates the vulnerability management lifecycle for organizations of all sizes. Through its Software-as-a-Service (SaaS) delivery, Qualys VM provides PhoneFactor with detailed network discovery and mapping, asset prioritization, vulnerability assessment reporting, and the remediation tracking it needed to manage risk more effectively. Powered by the most comprehensive vulnerability KnowledgeBase in the industry, Qualys VM spots and helps to remedy the software flaws and system misconfigurations that make many exploits and attacks successful. For its part, Qualys WAS provides deep assessments of Web applications for the most pressing web application vulnerabilities.

One of the most important attributes that set both Qualys VM and WAS apart from the competition are the concise, yet comprehensive vulnerability reports they provide. "As a team, we appreciate the way the reports tell us how exactly to remediate potential risks," Surapaneni says. The reports also have proven helpful in substantiating PhoneFactor's healthy risk postures to clients who ask. Additionally, a few customers occasionally ask for vulnerability scan results. "Because Qualys reports are precise, it's easy to simply download, add some of our own commenting, and provide it to the customer," he says. "Also, when reports come from Qualys, since Qualys is a recognized name everywhere, they're trusted."

The use of Qualys also would not jeopardize the security of PhoneFactor's infrastructure, as many other vulnerability management services potentially would. Because Qualys VM can be installed within the data center, it doesn't require network firewall ports to be opened and managed – a potentially serious security opening for adversaries to take advantage of. "With other providers, we had to open our network for the scanner to be able to evaluate our network. That's not something we wanted to do for anyone," Surapeneni says.

Web Application Security a Critical Focus

Because PhoneFactor provides many of its services through web applications, its security team relies extensively on Qualys WAS to vet those applications for any potential security risks. Qualys WAS makes it possible for PhoneFactor to accurately discover, catalog, and scan large numbers of web applications for the straightforward identification of flaws ranked in the OWASP (Open Web Application Security Project) Top Ten. The OWASP Top Ten includes such vulnerability classifications as SQL injection, cross-site scripting (XSS), URL redirection, and other programming errors that could leave applications susceptible to attack. Qualys WAS also simplifies and reduces costs of web application assessments through its intuitive and easy-to-use scan engine.

Building on Qualys’ success in helping PhoneFactor secure its infrastructure, the company is now building Qualys into its quality assurance processes. "We have very quick release cycles, and are continuously updating our products. As a part of that we want to ensure that we have an effective and efficient quality assurance process in place. Assessing our applications with Qualys before they're released into production is an important part of that," says Surapaneni.

As PhoneFactor's business grew, so did its IT infrastructure. To ensure it was properly managing its IT-associated risks, the company sought a way to automate its vulnerability management program – and that's exactly what it has been able to accomplish with Qualys VM and Qualys WAS. Through Qualys, PhoneFactor has been able to simplify how the company identifies and remedies potential network and web application risks. "Qualys has met, even exceeded, our expectations in areas, and we are still looking for new ways we can leverage Qualys. It will be an important part in how we keep our infrastructure and services secure for a long time," Surapaneni says.