Laptop Displaying the GigaOm Research Portal

Get your Free GigaOm account today.

Access complimentary GigaOm content by signing up for a FREE GigaOm account today — or upgrade to premium for full access to the GigaOm research catalog. Join now and uncover what you’ve been missing!

GigaOm Radar for Continuous Vulnerability Managementv2.0

Table of Contents

  1. Summary
  2. Market Categories and Deployment Types
  3. Key Criteria Comparison
  4. GigaOm Radar
  5. Vendor Insights
  6. Analyst’s Take
  7. About Chris Ray

1. Summary

Vulnerability management is a mature component of the cybersecurity ecosystem. It has become a commodity function, an expected part of every organization’s cybersecurity program. It aids in the discovery of both hardware and software assets, identifying weaknesses in the assets that attackers might leverage to overcome elaborate security controls and countermeasures.

For all of the value vulnerability management creates through risk reduction, legacy versions of it have two primary limitations. The first is a focus on physical infrastructure—network devices, servers, and desktops—and the applications that run on top of that infrastructure. This is still a vital part of a complete vulnerability management program but has limited value in identifying vulnerabilities in other common and emerging technologies.

The second limitation is the fact that it’s a point-in-time reference of an organization’s vulnerabilities. A scan is run, data from the scan is gathered and analyzed, and plans are then made to remediate vulnerabilities. In a modern development operations (DevOps) environment, this snapshot of the vulnerabilities will age poorly. It’s very likely that what exists today will not exist tomorrow, or worse, could be transient and come and go. Because of these challenges as well as others, legacy vulnerability management will have difficulties supporting DevOps practices.

The evolutionary next step in this space is continuous vulnerability management. It starts with the network-based infrastructure and application scanning of legacy vulnerability management, then extends this with a continuous approach that now includes scanning container images, infrastructure as code (IaC) manifests, cloud configurations, cloud identities, and other cloud-native technologies. We believe that continuous vulnerability management has now superseded legacy vulnerability management techniques and methodologies due the widespread adoption of public cloud resources and DevOps practices.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.