
Key Criteria for Evaluating Continuous Vulnerability Management Solutions v2.0

An Evaluation Guide for Technology Decision Makers

Table of Contents

  1. Summary
  2. Continuous Vulnerability Management Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Chris Ray

1. Summary

Vulnerability management (VM) is a mature component of the cybersecurity ecosystem. It has become a commodity function, an expected part of every organization’s cybersecurity program. It aids in the discovery of hardware and software assets, identifying weaknesses that attackers can leverage to overcome elaborate security controls and countermeasures.

For all of the value VM creates, legacy versions of it have two primary limitations. First is its focus on infrastructure, such as network devices, servers, and desktops, and the applications that run on top of it. Scanning this infrastructure is still a vital part of a complete VM program, but it does little to identify vulnerabilities in other common and emerging technologies.

Second is the fact that it is a point-in-time reference of an organization’s vulnerabilities. A scan is run, data from the scan is gathered and analyzed, and then plans are made to remediate vulnerabilities. In a modern development operations (DevOps) environment, this snapshot of vulnerabilities will age poorly. What exists today may well not exist tomorrow, and many assets are transient, appearing and disappearing between scans. Because of these challenges, as well as others, legacy VM has difficulty supporting DevOps practices.

The evolutionary next step in this space is continuous vulnerability management (CVM). It starts with the network-based infrastructure and application scanning of legacy VM, then extends this process with a continuous approach that now includes scanning container images, infrastructure as code (IaC) manifests, cloud configurations, cloud identities, and other cloud-native technologies. We believe that CVM has now superseded legacy VM techniques and methodologies due to the widespread adoption of public cloud resources and DevOps practices.

This GigaOm Key Criteria report details the criteria and evaluation metrics for selecting an effective CVM solution. The companion GigaOm Radar report identifies vendors and products that excel in those criteria and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading CVM offerings, and help decision-makers evaluate these platforms so they can make a more informed investment decision.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.