My comments on Forrester’s “Vulnerability Management vendor landscape 2017”. A top consulting company, Forrester Research, recently published the report “Vendor Landscape: Vulnerability Management, 2017”. You can read it for free by filling in a short form on Tenable’s web site.
What’s interesting in this document? First of all, Josh Zelonis and co-authors presented their version of the evolution of VM products. It consists of these steps (I have reformulated them a bit for copyright reasons):
- Initial fear of automated vulnerability assessment tools
- Mid-1990s and first productized offerings
- Authenticated scanning dramatically improved accuracy of scans
- Application scanning (DAST)
- Security assessment of software containers and DevOps in general.
As you can see, the last one is about containerization, and it is currently offered only in Tenable.io/FlawCheck. 😉
They also stated that these features are essential for today’s Vulnerability Management (VM) solutions:
- Application security
- Authenticated scanning
- Endpoint agent
- Configuration auditing
- Container registries
- Prioritization based on threat intelligence
- Prioritization based on business context
Well, I do not fully agree with this version of VM history, nor with the set of features. I have marked in bold the features that are, in my opinion, strongly related to VM. I see Web Application Scanning (WAS) and Container Analysis, as well as different forms of SIEM-like interfaces for prioritizing vulnerabilities, as attempts by traditional VM vendors to diversify their main vulnerability detection business, which now seems like a commodity. In fact, it is not: vulnerability scanners have very different knowledge bases and thus different final scan results. But still, nobody wants to be Tenable anymore.
On the other hand, technologies that make it possible to assess hosts without running commands on them directly (which often requires administrative privileges) and without installing agents on the host are more than useful. So these new approaches to Docker container (and other forms of virtualization) security seem very interesting. And maybe traditional VM vendors have natural advantages there, because they already know what weaknesses they will need to search for using just another “transport”.
The same goes for WAS. Traditional VM scanners often have unauthenticated “pentest” checks (especially for products with a web GUI) that can be a good natural basis for developing WAS functionality.
Prioritization is a bit different because, IMHO, it depends very much on dynamic information about the organization’s IT assets. At the moment I do not believe that it can work effectively out of the box for large and “complex” organizations. But for some SMBs it might work quite well.
I do NOT believe these are the next steps in VM product development comparable with authenticated scanning. WAS, container assessment tools and vulnerability prioritization tools are just products of a different type. But if VM vendors can do it all well, bringing additional value, why not?
The authors list the significant traditional VM vendors, with company descriptions. The descriptions are pretty good. If you haven’t heard about some of these vendors, this report might be quite useful.
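The “just another transport” idea above, as an added example that is not part of the original post or of any vendor’s product: a Python script that builds a Debian package inventory from container image layer tarballs without executing anything inside the image, then matches it against a knowledge base. The layer contents and the affected-version list are constructed for illustration, and the match is an exact version-string comparison only (a real scanner would need proper dpkg version ordering).

```python
import io
import tarfile

# Constructed, hypothetical knowledge base: package -> versions known affected.
KNOWN_AFFECTED = {"openssl": {"1.0-1"}, "bash": {"4.2-1"}}

def parse_dpkg_status(text):
    """Parse a dpkg status file (RFC 822-style stanzas) into {package: version}."""
    packages, current = {}, {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last stanza
        if not line.strip():
            if "Package" in current and "Version" in current:
                packages[current["Package"]] = current["Version"]
            current = {}
        elif ":" in line and not line.startswith(" "):  # skip continuation lines
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return packages

def inventory_from_layers(layers):
    """Read layer tarballs in order; the last layer shipping dpkg status wins.
    Nothing inside the image is executed and no agent is needed."""
    inventory = {}
    for blob in layers:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
            for member in tar.getmembers():
                if member.isfile() and member.name.lstrip("./") == "var/lib/dpkg/status":
                    inventory = parse_dpkg_status(tar.extractfile(member).read().decode())
    return inventory

def match_affected(inventory, kb=KNOWN_AFFECTED):
    """Exact-version match against the knowledge base; sorted (package, version)."""
    return sorted((p, v) for p, v in inventory.items() if v in kb.get(p, set()))

def make_layer(status_text):
    """Build a constructed one-file layer tarball carrying a dpkg status file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = status_text.encode()
        info = tarfile.TarInfo("var/lib/dpkg/status")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample image: base layer, then a layer that upgraded openssl only.
BASE_LAYER = make_layer("Package: openssl\nStatus: install ok installed\n"
                        "Version: 1.0-1\n\nPackage: bash\nVersion: 4.2-1\n")
UPGRADE_LAYER = make_layer("Package: openssl\nVersion: 1.0-2\n\n"
                           "Package: bash\nVersion: 4.2-1\n")
if __name__ == "__main__":
    print(match_affected(inventory_from_layers([BASE_LAYER, UPGRADE_LAYER])))
```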
- Beyond Security
- BeyondTrust
- Digital Defense
- Outpost24
- Qualys
- Rapid7
- SAINT
- Tenable
- Tripwire
- Trustwave
But these are certainly not all the existing global VM vendors. For example, there is no Greenbone Networks, Positive Technologies, AltxSoft, SecPod, F-Secure, etc. 😉
In addition, the authors presented vendors that do not perform scans themselves but can effectively analyze and prioritize scan results:
- Bay Dynamics
- Core Security
- Kenna Security
- NetSPI
- Skybox
In general, it’s a rather interesting report that raises interesting topics. Thank you, Forrester! Thanks Tenable for the opportunity to read it for free!
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; I now write there first.