Laptop Displaying the GigaOm Research Portal

Get your Free GigaOm account today.

Access complimentary GigaOm content by signing up for a FREE GigaOm account today — or upgrade to premium for full access to the GigaOm research catalog. Join now and uncover what you’ve been missing!

Key Criteria for Evaluating Continuous Vulnerability Management Solutionsv3.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Summary
  2. Continuous Vulnerability Management Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Chris Ray

1. Summary

Traditional vulnerability management is an essential part of many cybersecurity programs. It aids in the discovery of hardware and software assets and identifies weaknesses that attackers could leverage to overcome an organization’s security defenses. By regularly identifying and mitigating vulnerabilities, organizations can reduce their attack surface and minimize both the possibility and impact of security breaches. It also helps organizations comply with various regulatory requirements and industry standards, such as HIPAA, PCI-DSS, and ISO 27001.

However, for all of the value traditional vulnerability management provides, it has two primary limitations.

  • The first is its focus on infrastructure, such as network devices, servers, and desktops, and the applications that run on top of this infrastructure. This is still an important part of a complete vulnerability management program, but it limits the value by not identifying vulnerabilities in other common and emerging technologies.
  • Second, it is a point-in-time reference to an organization’s vulnerabilities. A scan is run, data is gathered and analyzed, and then plans are drawn up to remediate vulnerabilities. In a modern DevOps environment, this snapshot of vulnerabilities will age poorly. It is very likely that what exists today will not exist tomorrow or, worse, could be transient and only exist at certain times. Legacy vulnerability management will have difficulty supporting DevOps practices.

Modern vulnerability management solutions start with the network-based infrastructure and application scanning foundation of legacy tools, then extend these with a continuous approach that includes scanning container images, infrastructure as code (IaC) manifests, cloud configurations, identities, and other cloud-native technologies. We believe that continuous vulnerability management has now superseded legacy techniques and methodologies.

This is the third year that GigaOm has reported on the continuous vulnerability management space. This report builds on our previous analyses and considers how the market has evolved over the last year.

This GigaOm Key Criteria report details the capabilities (table stakes, key criteria, and emerging technologies) and non-functional requirements (evaluation metrics) for selecting an effective vulnerability management solution. The companion GigaOm Radar report identifies vendors and products that excel in those capabilities and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading vulnerability management offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.