Understanding Vulnerability Management

No organization wants its name in the headlines because of a security incident or data breach, but major security incidents occur globally on a near-daily basis. The threat landscape is daunting. Industrious criminals know how to exploit software vulnerabilities and are always evolving techniques to take advantage of security gaps.
Vulnerability management tools are part of a larger arsenal to help organizations in the fight against cybercrime. They assist with creating airtight applications and systems early in the software development lifecycle. They enable the identification, classification, prioritization, and remediation of threats.
In the recently released Key Criteria Report for Evaluating Vulnerability Management Tools, Iben Rodriguez and Geoff Uyleman dive in to vulnerability management tools and discover that as the market matures, security products are adding more capabilities and there is an increasing overlap that blurs the lines of traditional product categories.
“Vulnerability management tools’ list of features and capabilities have been expanding in conjunction with the increase in complexity of hybrid architectures and ephemeral resources,” says Rodriguez. “As cybersecurity is a rapidly evolving space, we want to draw attention to the emerging technologies described in the report. As we move forward, we will observe the maturation and adoption of those technologies, which will position these features as key criteria for future reports.”
In the quest for enhanced security posture, organizations are getting more serious and also embracing a movement known as DevSecOps, which is the philosophy and process of building security into software at the outset of development.
“Security solutions offering vulnerability management capabilities are starting to offer needed features that help developers find issues sooner in the software development lifecycle (SDLC) before they get rolled out into production,” says Rodriguez. “Machine Learning and Artificial Intelligence help eliminate false positives, making the job of a security analyst much easier as they can focus on the most important issues first.”
The report says that when assessing vulnerability management tools, the most important aspects for the solutions include how to identify vulnerabilities across the entire IT estate, how to integrate the solution on the left side of the software development lifecycle to address vulnerabilities in the initial phases of the process, and how to ensure the most important issues are prioritized through a mature vulnerability management program that includes policy compliance and risk management.
The policy compliance piece is particularly important, notes Rodriguez.
“We’re making a special emphasis to encourage both vendors and customers to consider policy compliance to be part of a vulnerability management program. This has traditionally not been part of the contracts for outsourced VM programs.”