GigaOm Key Criteria for Evaluating Continuous Vulnerability Management (CVM) Solutionsv4.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Executive Summary
  2. CVM Sector Brief
  3. Decision Criteria Analysis
  4. Analyst’s Outlook
  5. About Chris Ray

1. Executive Summary

A decade ago, vulnerability management relied primarily on network-based scanning, which used common TCP and UDP ports to gather data. That approach, similar to port mapping technology like Nmap, generated substantial information but often required expertise to transform it into actionable insights. The data was typically cross-referenced with known vulnerabilities using taxonomies based on common vulnerability and exposures (CVEs), the common vulnerability scoring system (CVSS), and common weakness enumeration (CWE). This process helped identify deviations from best practices and organizational baselines.

However, network scanning had limitations in terms of accuracy, often providing educated guesses rather than definitive findings. To address this, some solutions incorporated agent-based approaches, installing software on endpoints to collect higher-quality data with fewer false positives. Legacy vulnerability scanning also attempted to prioritize findings using CVE or CVSS scores, along with tagging methods like “internet-facing” to identify critical vulnerable assets.

While network scanning and agent-based data collection remain crucial components of vulnerability management, they fall short when it comes to modern IT estates. Today’s environments leverage infrastructure as code (IaC) technologies, containerized workloads, serverless functions, and cloud-based services, all of which significantly impact the vulnerability landscape. Continuous vulnerability management (CVM) addresses this gap by providing continuous polling of cloud services, keeping pace with rapid changes in cloud infrastructure.

The evolution from legacy techniques to modern CVM involves integrating previously independent processes into a unified system. For instance, static application security testing (SAST) and dynamic application security testing (DAST) were once separate from vulnerability management, often handled by developers with limited security involvement. CVM now incorporates SAST and DAST data alongside network scan and agent-based findings, yielding a more comprehensive view of an organization’s security posture.

Moreover, CVM addresses the growing concern of application composition security. With open source libraries and packages becoming common attack vectors, some CVM solutions are able to scan application code to identify and assess vulnerabilities in open source components. This capability bridges a critical gap because vulnerability data from application scanning was often reviewed differently from network scanning data, leading to deficiencies in the overall security process.

The integration of these various data sources and methodologies into a single, continuous process marks the core advancement of CVM over legacy practices. By providing a holistic, real-time view of vulnerabilities across an organization’s entire IT ecosystem, CVM enables more effective risk management and resource allocation. It allows organizations to prioritize remediation efforts based on a comprehensive understanding of their security landscape, factoring in both traditional infrastructure vulnerabilities and emerging risks in modern, cloud-native environments.

This evolution in vulnerability management reflects the changing nature of IT infrastructures and the need for security practices to keep pace with rapid technological advances. As organizations continue to adopt cloud services, containerization, and other modern technologies, CVM provides a critical tool for maintaining robust security postures in increasingly complex and dynamic environments.

Business Imperative
Implementing CVM is crucial for several reasons. In an era of increasing cyber threats, CVM provides a proactive approach to identifying and addressing vulnerabilities before they can be exploited, significantly reducing the organization’s overall risk posture. By prioritizing vulnerabilities based on actual risk and business impact, CVM allows for more efficient allocation of resources, potentially reducing the total cost of security operations. Furthermore, continuous monitoring and rapid remediation of critical vulnerabilities help prevent potential disruptions to business operations that could result from successful cyberattacks.

CVM also helps organizations to meet and demonstrate compliance with various regulatory requirements and industry standards, which is increasingly important in many sectors. A robust CVM program can be a differentiator in industries where security is a key concern for customers and partners, providing a competitive advantage. Additionally, as organizations undergo digital transformation, CVM provides the necessary security foundation to support rapid innovation and adoption of new technologies. In essence, CVM is more than a security tool: it’s a strategic business enabler that allows organizations to manage cyber risk effectively while pursuing growth and innovation in an increasingly complex digital ecosystem.

Sector Adoption Score
To help executives and decision-makers assess the potential impact and value of a CVM solution deployment to the business, this GigaOm Key Criteria report provides a structured assessment of the sector across five factors: benefit, maturity, urgency, impact, and effort. By scoring each factor based on how strongly it compels or deters adoption of a CVM solution, we provide an overall Sector Adoption Score (Figure 1) of 4.4 out of 5, with 5 indicating the strongest possible recommendation to adopt. This indicates that a CVM solution is a very credible candidate for deployment and worthy of thoughtful consideration.

The factors contributing to the Sector Adoption Score for CVM are explained in more detail in the Sector Brief section that follows.

Key Criteria for Evaluating CVM Solutions

Sector Adoption Score

1.0

Deters
Adoption

Discourages
Adoption

Merits
Consideration

Encourages
Adoption

Compels
Adoption

Figure 1. Sector Adoption Score for CVM

This is the fourth year that GigaOm has reported on the CVM space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Key Criteria report highlights the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) for selecting an effective CVM solution. The companion GigaOm Radar report identifies vendors and products that excel in those decision criteria. Together, these reports provide an overview of the market, identify leading CVM offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.