Not so long time ago Gartner’s report “Vulnerability Management an essential piece of the security puzzle” has become publicly available. Now you can read it for free by filling out a questionnaire on F-Secure website.

At the bottom of the document there is a reference to Gartner G00294756 from 05 December 2016. This document is quite fresh, especially for not very dynamic VM market ;-), and pretty expensive. Thanks for F-secure, we can read it now for free. If you are wondering why this anti-virus company is sponsoring Gartner VM reports: year ago they have bought Finnish VM vendor nScence, and I even did a small review of this product (F-Secure Radar Vulnerability Management solution, F-Secure Radar basic reporting, F-Secure Radar ticketing, F-Secure API for scanning).

Talking about the document, I would like, firstly, to thank Gartner. Do you know who writes most articles about VM? Of course, VM vendors. And we all understand that their main goal is to promote their own products. Reports of independent consulting firms, primarily IDC, Forrester and Gartner, allow us to get some balanced view from the side. It is very important.

Here I would like to comment some theses of the text.

Most of VM products can scan Windows and Linux hosts with “with only minute differences between solutions”

Maybe, but only at first glance.

If you look at VM vendor’s marketing brochure, you will find there, that they support both Windows, and Linux. In fact there are a lot of nuances, some of them:

• What’s about third-party software and software that weren’t installed from official Linux repository?
• How many vulnerabilities may be detected with remote checks (without authentication) and how precisely this checks work?
• What’s about minimization of rights during authenticated scanning?
• What’s about the transparent work of the agents? (as far as I know, only Vulners  supports open source agents)
• What’s about PoC exploitation of founded vulnerabilities. I’ve seen this only for SAP in ERPScan and MaxPatrol.

Make a comparison of Linux/Windows scanning capabilities of different VM products, both actual scan results and knowledge bases and you will be shocked. And this situation is with the most basic software platforms.

I’m not even talking about additional functionality, such as asset management, that only appear in best VM solutions (Tenable.io and Qualys).

It’s difficult for vendors to differentiate based on scanning accuracy and performance

And that’s why “Gartner sees competition increasingly based on pricing, rather than features”. It’s difficult for vendor to convert less common end devices or third-party applications into new sales.

Can you believe in this? Vendors can’t show what they really able to to do and can’t honestly admit what they just can’t do some things . They will be better claim that they can make effective Vulnerability Assessment of everything and try to compete on price. Or even try to get out of the market.

In this situation any scanner developer who will try to make some serious solution won’t be able to feed themselves in this market, just because prices are too low and end-user doesn’t see the difference. Awesome.

For the end-users, this means that it will be hard to find one solution that will work equally well with all the systems. You must be prepared to find gaps in coverage of any VM product. There won’t be one solution for all. Get ready to use and combine results of multiple solutions.

Potential customer base of VM vendors may shrink faster than they develop new capabilities for cloud infrastructures

It seems to me that VM market may shrink only if the OSes will update themselves safely, regularly, fully and automatically as well as auto-configure themselves with best practices. But I don’t see this in real life.

Talking about clouds, I do not see how cloud computing will significantly change the typical office network, in which people are doing, for example, software development.\

People worked using their Linux, MacOS, Windows laptops/desktops before, and, IMHO, will continue to do it. These laptops/desktops will not be massively replaced by thin clients in near future, because it is simply less effective and convenient. This old technologies are slowly dying, but they are still the main cause of infection. Even if it will be hosted on virtual machine somewhere, how could it possibly change the situation?  Well VM vendors will be possible switch to more efficient transports based on the APIs. But the problem of the vulnerable system components and 3d party software will not go anywhere.

Linux will remain main OS for servers. It’s too expansive to update it constantly, because It needs to be tested each time and can break each time. Main reason why we need VM, is to justify a critical need in update.

Сloud storage and other services should be treated with caution, because of hidden costs of migration from them. To be honest, I also don’t believe in prognosis that “by 2020, 60% of vulnerability assessment (VA) scanning for small or midsize businesses (SMBs) will be conducted from cloud-based VA services”. In 2016 it was 10%. It’s not clear for me why people will like to store their vulnerability data in cloud? Especially after all those fails of cloud security services, with CloudFlare, for example.

Every organization uses VM scanners in own way

Some organizations use it only for auditing and others to support IT processes.

Gartner mentioned a “funny” fact: “it is not uncommon for a customer to purchase a tool that does unified vulnerability and configuration scanning, then use it only for vulnerability assessment (sometimes even without credentials)”

But it is interesting to ask: why? Why are they “miss an opportunity to mature their vulnerability management program.” For example end-users might be afraid to run the scanner in authenticated mode with admin credentials. Just because the scanner can break the server.

In conclusion

It’s a pretty interesting document and great mental pabulum. I advise it for all who interested in VM market.

Should you really select the VM product just by reading this document, if you haven’t worked with vulnerability scanners before? It’s a market guide after all.

On the one hand, all vendors listed in document are good enough. Not only Top 3 vendors, that have  70% of the revenue (Rapid7, Tenable Network Security and Qualys), but also Positive Technologies, where I worked earlier and Greenbones Networks, main contributors of OpenVAS project.

But it’s better to consult with someone who has worked in this field and knows most the issues regarding each vendor. And it’s better to start from formulating real VM process that you want and are able to build in the organization. If you need help with this, contact me 😉