“Neither Rapid7”. It’s from the interview that HD Moore, founder of Metasploit and former CRO of Rapid7, recently gave to Paul Asadoorian, former Product Strategist at Tenable, in the latest episode of “Startup Security Weekly”. It’s a great show, which I strongly recommend, as are “Enterprise Security Weekly” and the others. See all subscription options available here.
The most interesting part for me is from 00:05:00 to 00:10:00. Talking about the best areas for security startups, HD Moore recommended taking a close look at cloud-based WAFs such as Signal Sciences and Cloudflare. It’s relatively easy to find customers for such projects. However, it’s very expensive to build one, and investment is required.
HD Moore doesn’t see many people building new content-based security products, such as Tenable, Rapid7 and Metasploit. It makes him sad, and me too. Instead of regular updates of security content and signatures, new companies rely more on things like machine learning. It’s a good start, but it won’t solve all the problems.
So it is not only in Russia that Vulnerability Management is out of fashion; the same is true even in the US.
Furthermore, “Tenable doesn’t want to be Tenable anymore, neither Rapid7”. VM vendors are now trying to find ways out of their own market. The fact that a VM product is 10% better than another can’t impress customers. They may be impressed only by something related to web application security, advanced risk assessment, etc.
I agree that the situation looks exactly as HD Moore describes it. Most of the classical VM vendors are trying to move to new types of products: SIEM, AST, WebApp scanners, even anti-APT solutions. Perhaps they are motivated by the belief that Vulnerability Management is becoming a commodity and that a 10 percent difference doesn’t change anything.
In fact, it isn’t a commodity. The difference between VM solutions is significant, but you can see it only if you compare them properly. A vulnerability scanner is mostly a knowledge base, plus some scripts that perform vulnerability detection using that knowledge base. But have you ever seen a VM vendor writing about its KB and the vulnerabilities it can and, even more interestingly, can’t detect? Take the Gartner MarketScope for Vulnerability Assessment. There’s almost nothing about the knowledge base and detection quality, the main feature of the products.
When a VM vendor stores its vulnerability detection plugins in a parsable form, that’s great: it means there is a way to predict what the product can and can’t detect. However, if you simply compare the knowledge bases of two scanners, OpenVAS and Nessus (both KBs are available in Vulners, with plugins referenced by CVE ID), you will find great differences: thousands of CVEs that Nessus can detect and OpenVAS can’t, and vice versa. Vulnerability scanner knowledge bases are far from complete. This holds even if we ignore the differences between platforms (different detection plugins are required for the same CVE on Linux, Windows and various network devices), and even if we ignore plugin types (a local security check and a remote security check are completely different but refer to the same CVE ID).
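To make that comparison concrete, here is an added example of my own (not the author’s code and not a Vulners or scanner vendor tool) that compares two plugin knowledge bases by the CVE IDs their plugins reference. The two scanner feeds and the CVE IDs are constructed placeholders, not real plugin data; it goes one step beyond the paragraph by also flagging CVEs that both scanners claim to cover but only for different platforms or different check types, which is exactly where a plain “count of CVEs” comparison hides the gaps.

```python
"""Compare the CVE coverage of two vulnerability-scanner knowledge bases.

Constructed example data: two hypothetical scanners, each described as a
list of plugin records with the CVE IDs the plugin references, the platform
it targets and whether it is a local (authenticated) or remote (network)
check. A real plugin feed would be parsed into this same shape first.
"""
from collections import defaultdict

# Constructed sample plugins. The CVE IDs are placeholders, not real advisories.
SCANNER_A = [
    {"id": "a-1001", "cves": {"CVE-0000-0001", "CVE-0000-0002"}, "platform": "linux", "type": "local"},
    {"id": "a-1002", "cves": {"CVE-0000-0003"}, "platform": "windows", "type": "local"},
    {"id": "a-1003", "cves": {"CVE-0000-0004"}, "platform": "any", "type": "remote"},
]
SCANNER_B = [
    {"id": "b-2001", "cves": {"CVE-0000-0001"}, "platform": "linux", "type": "local"},
    # Same CVE as a-1002, but only a Linux check: Windows hosts stay uncovered.
    {"id": "b-2002", "cves": {"CVE-0000-0003"}, "platform": "linux", "type": "local"},
    # Same CVE as a-1003, but a local check instead of a remote one.
    {"id": "b-2003", "cves": {"CVE-0000-0004"}, "platform": "any", "type": "local"},
    {"id": "b-2004", "cves": {"CVE-0000-0005"}, "platform": "windows", "type": "remote"},
]


def cve_index(plugins):
    """Map each referenced CVE to the set of (platform, check type) scopes
    under which the scanner claims to detect it."""
    index = defaultdict(set)
    for plugin in plugins:
        for cve in plugin["cves"]:
            index[cve].add((plugin["platform"], plugin["type"]))
    return index


def coverage_by_type(plugins):
    """Number of distinct CVEs covered per check type (local / remote)."""
    per_type = defaultdict(set)
    for plugin in plugins:
        per_type[plugin["type"]].update(plugin["cves"])
    return {check_type: len(cves) for check_type, cves in per_type.items()}


def coverage_diff(plugins_a, plugins_b):
    """Set-compare two knowledge bases by CVE reference.

    Returns the CVEs only A covers, only B covers, both cover, and the subset
    of shared CVEs where the two scanners cover different platforms or check
    types, so the nominal overlap overstates the real one."""
    idx_a, idx_b = cve_index(plugins_a), cve_index(plugins_b)
    cves_a, cves_b = set(idx_a), set(idx_b)
    both = cves_a & cves_b
    return {
        "only_a": cves_a - cves_b,
        "only_b": cves_b - cves_a,
        "both": both,
        "both_but_different_scope": {cve for cve in both if idx_a[cve] != idx_b[cve]},
    }


def report(plugins_a, plugins_b, name_a="ScannerA", name_b="ScannerB"):
    """Human-readable summary of the comparison."""
    diff = coverage_diff(plugins_a, plugins_b)
    lines = [
        f"{name_a}: {len(cve_index(plugins_a))} CVEs, by type {coverage_by_type(plugins_a)}",
        f"{name_b}: {len(cve_index(plugins_b))} CVEs, by type {coverage_by_type(plugins_b)}",
        f"only {name_a}: {sorted(diff['only_a'])}",
        f"only {name_b}: {sorted(diff['only_b'])}",
        f"both: {sorted(diff['both'])}",
        f"both, but different platform/check type: {sorted(diff['both_but_different_scope'])}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SCANNER_A, SCANNER_B))
```

With the constructed data above, the two scanners look equally good on a raw count (four CVEs each), yet one CVE is unique to each, and two of the three shared CVEs are covered for different platforms or by a different kind of check. That is the part a vendor comparison based on KB size alone never shows.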
Who is destroying the VM market? The customer who does not care about scan quality? In my opinion, it’s the VM vendor, who sells what is in fact a knowledge base with no emphasis on its quality, and thereby devalues it.