Isn't the point of the vulnerability management market to produce information on (and react to) the smallest number of findings to eliminate the most business risk? We seem to be in the trap the antivirus industry fell into in the mid-2000s, where we rewarded those who found the most viruses, not the much smaller subset of viruses which needed actual attention (hence the transition to behavioral detection, not signatures). This pursuit by the "vulnerability discovery" vendors of ever larger numbers of findings, without context of exploitability, risk, value or compensating controls, is concerning.
Hi Simon. Couldn't agree more! I'll be writing more about this in the future, so stay tuned. Thank you for your comments!
In general, what I miss here:
For VM there are several strategies:
agent based, passive network scan, active network scan (no credentials), active scan with credentials.
I think all of them have pros and cons.
I would add a section to this that expresses those strategies and why they are valuable and when.
Hi Chris. Thank you for your comment!
Nice writeup! I lean more towards the Gartner view on this (which is rare for me), and believe that the vendors you placed in the VM market space are best categorized as "Vulnerability Assessment".
I consider the products that come closest supporting Gartner's "Vulnerability Management Cycle" to be "Vulnerability Management". I.e. You should only need ONE vulnerability management tool (ideally a RBVM :)), many vulnerability assessment tools (code, cloud, infra, OT, etc.), and maybe a few of vulnerability remediation tools.
Hi Steve. Absolutely agree with your logic. Thank you for commenting!
Great overview of the landscape for traditional VM, however it missed that there are several vendors who can perform VM in the cloud without the need for an agent or scanner. Agents and scanners are a great fit for relatively static on-prem environments where everything has an IP address, but they are next to useless in a highly dynamic cloud environment where resources such as storage buckets and serverless functions can't be scanned or have an agent installed.
Hi Gary. Excellent point! You're reading my mind since I'll be covering that topic in my next post. Stay tuned! Thanks for your comment!
Let me know if you need any input. Full disclosure: I do work for one of said cloud native VM vendors.
Hi David, good overview. I'd also like to add OPSWAT. We have our own MetaAccess that includes vuln assessment and patch on the endpoint, but we also license it to a few of the major EPP vendors: https://www.opswat.com/products/metaaccess/vulnerability-management
Hi Chad. I wasn't previously aware that OPSWAT had those capabilities. Thanks for the comment!
Some of our customers are on your list! But otherwise, good recap, thanks.
Great article. You missed including SecOps Solution https://secopsolution.com which has its own vulnerability scanner. Would be great to include that too.
Hi Ashwani. Good to know - I was not previously aware of SecOps Solution. Thanks for the comment!
Nice article - though you omitted specialised solutions like ours (StorageGuard by Continuity Software) in the storage and backup (security misconfiguration and vulnerability) space - a gap in existing OS & Network focussed tools (not running authenticated scans on the above systems).
Hi Dean. Good point. It might be worth exploring capability gaps in a future article. Thank you for your comment!
Excellent David! Thank you for sharing your knowledge.