15 Parameters to Evaluate a Vulnerability Management Tool

To deal with current trend of information security and sophisticated cyber threat we need the most efficient and best suited vulnerability management solution for our infrastructure as well as applications. As vulnerability management deal with people, process and technology; we need to choose each of them carefully. Technology is the pillar which is very vast and we cannot opt for multiple investment on the same. We need to be much cautious while choosing the same. One can take into account following parameters while choosing a vulnerability management solution:
  1. Capability in dealing with Asset Inventory: Does the solution provide an asset inventory database? Is it feasible to extend the database schema to support additional fields, such as asset classification? If not, can the technology integrate with other asset management solution/repositories?
  2. Coverage capability for multiple environment: Capability on handling multiple Operating system. What’s the breadth and platform coverage of the technology? Many technologies can perform operations against the Windows family of products, but you’ll need technologies that can operate in a heterogeneous environment and can support a variety of platforms, applications, and infrastructure devices.
  3. Support for cloud and mobile approach: Does the organization need a vulnerability management tool that scans cloud services, such as software as a service or infrastructure as a service? One need to think of far sighted approach as well.
  4. Scalability: What is the scale of scope to be covered in vulnerability management and whether the tool is capable enough to handle the count of scope? Clarity on capability of tool to handle multiple infrastructure devices, applications etc.  
  5. Ease of Operation: A tool that is incommodious to navigate or presents confusing dashboard information won't be used, at least not to its fullest potential. A vulnerability management tool that requires regular maintenance also becomes a problem for staff that's often already overburdened.
  6. Dealing with false positives & severity: Most of the automated tool flag false positives as some vulnerabilities might not be relevant to organizations or one need to edit the severity of vulnerabilities as well. Does the tool possess capability to deal with false positives and severity customization?
  7. Integration capability: What is the feasibility of the tool integration into existing patch management, configuration management, intrusion detection, and/or monitoring tools and services?
  8. Capability of tool to run non-intrusively: While scanning production infrastructure it is a must to have passive or non-intrusive approach of scan. Whether the tool has capability of safe scan?
  9. Workflow & ticketing system: Does the product have a workflow system that allows to assign and track issues? Can it auto-assign tickets based on rule sets defined (i.e., vulnerability, owner, asset classification, etc.)? These are the must have capability for a vulnerability management solution
  10. Vulnerability research & Update capability: One need to check; how frequently do the vendor release updates? Does the distribution mechanism leverage industry-recognized security communications protocols? Does the vendor have its own vulnerability research team? How has the vendor responded to vulnerabilities in its own products?
  11. Dealing with Zero day vulnerability: Does the tool possess capability to deal with Zero day vulnerability? Do the product possess Predicative analysis of the threat in your environment without the need to perform new scanning?
  12. Reporting: Is the reporting detailed and customizable? Can we generate trend report? What are the report types? Are the output format of report reusable on other tools?
  13. Remediation Policy enforcement: Does the product provide the capability to designate the selected remediation at varying enforcement levels, from mandatory (required) to forbidden (acceptable risk), via a centralized policy-driven interface?
  14. Technical Support: Look for vendors that offer 24/7 support, preferably by phone, and find out if customers can expect an immediate response.
  15. Pricing and licensing: Many tools provide different category of licensing. One need to map the requirement in a cost effective manner.
Considering above 15 factors will definitely help to choose the best VM solution specific to the Organization. 
Authored by Sameer Nanda
Rate this article: 
Average: 2.4 (7 votes)
Article category: