Whether your organization prefers cloud-hosted or on-premises vulnerability management, you should expect a robust set of capabilities from either deployment model. There are some key capabilities to look for in any vulnerability management solution.
The “must have” capabilities are fairly common across solution providers, for example, performing multiple types of assessment, such as vulnerability scanning, configuration auditing, malware detection and web application scanning. Other areas often differ between products and are worth spending some time exploring. These include:
How does the vendor license key capabilities? Is everything included in the software license fee, or are modules for different types of assessment licensed separately? Depending on your goals and what you need, one approach will likely be more attractive than the other.
What assets can the product scan? IT environments are constantly changing. Like most organizations, you likely have a mix of assets: some managed on-site, some in a cloud such as Amazon Web Services or Microsoft Azure, and others that you might want to bring into your vulnerability management program, such as containers, mobile devices and web applications. For cloud assets, check whether the product can discover instances through the provider’s own inventory (an API or connector) rather than only by scanning IP ranges, since cloud hosts are created and destroyed far faster than a static scan schedule can track. Depending on your mix of assets and where they are located, you might want specialized vulnerability management solutions for different environments or a single all-in-one solution.
How does it help you meet compliance mandates? If your organization falls under a compliance mandate or framework that requires regular vulnerability assessments (e.g., PCI DSS, HIPAA), you’ll want to know how a vulnerability management solution helps you meet those requirements. For example, does it come with pre-defined compliance templates?
How does it prioritize vulnerabilities? Every vulnerability management solution will find vulnerabilities, and most will find a lot of them. Few organizations are able to fix 100% of what’s discovered 100% of the time. Look at the options in different solutions that could help you prioritize. A severity score such as CVSS is only a starting point; useful prioritization also accounts for whether an exploit is publicly available, whether the affected asset is internet-facing or business-critical, and whether a vendor fix exists at all. What search filters are available? Does the solution offer dashboards and reports that give you insight into the vulnerability data?
How does the product manage credentials? Credentialed (authenticated) scans have a number of benefits over simply probing a service remotely. A credentialed scan finds client-side vulnerabilities in software that never listens on the network, and it can query the host directly to see whether the patch for a given vulnerability has actually been applied, which avoids the false positives that occur when a distribution backports a fix without changing the version string a service advertises. What options are available to make credentialed scanning easy? Because the scanner ends up holding privileged credentials for every host it logs into, also ask how those credentials are stored and rotated, whether the product integrates with a secrets vault or privileged-access solution, and whether scan accounts can be restricted to the read-only access an assessment needs.
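The difference between a remote (banner-based) check and a credentialed (package-based) check, as an added example that is not part of the original article or any vendor’s product. Everything in it is constructed for illustration: the service name `exampled`, the advisory data, the banner and the installed-package list are hypothetical, and the version comparison is a simplified stand-in for a real package manager’s rules (it handles an epoch prefix and numeric/alphabetic tokens, not full dpkg or rpm semantics).

```python
"""Remote vs credentialed vulnerability checks (added example, constructed data).

A distribution often backports a security fix into its package without
changing the upstream version a service advertises. A banner-only check
then flags the host as vulnerable; a credentialed check that reads the
installed package version sees that the fix is present. Client-side
software that listens on no port is invisible to the remote check entirely.
"""
import re
from dataclasses import dataclass


@dataclass
class Advisory:
    """One constructed advisory: which upstream and distro versions carry the fix."""
    package: str           # distro package name (hypothetical)
    banner_name: str       # name the service advertises, or "" for client-side software
    upstream_fixed: str    # first upstream version with the fix
    package_fixed: str     # first distro package version with the (backported) fix


def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, tokens).

    Simplified comparison model: digit runs become ints, letter runs stay
    strings. This is NOT full dpkg/rpm ordering (no '~' handling, etc.).
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    tokens = [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", version)]
    return epoch, tokens


def version_lt(a, b):
    """True if version a is older than version b under the simplified model."""
    epoch_a, tokens_a = parse_version(a)
    epoch_b, tokens_b = parse_version(b)
    if epoch_a != epoch_b:
        return epoch_a < epoch_b
    for x, y in zip(tokens_a, tokens_b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return x < y
        # Mixed int/str token: treat a letter run as older than a digit run.
        return isinstance(x, str)
    # All shared tokens equal: the version with extra trailing tokens is newer.
    return len(tokens_a) < len(tokens_b)


def remote_check(banner, adv):
    """Unauthenticated check: infer the version from the advertised banner only."""
    if not adv.banner_name:
        return "not visible remotely"        # client-side software, no listening service
    match = re.search(re.escape(adv.banner_name) + r"/(\S+)", banner)
    if not match:
        return "unknown"
    advertised = match.group(1)
    return "likely vulnerable" if version_lt(advertised, adv.upstream_fixed) else "not vulnerable"


def credentialed_check(installed, adv):
    """Authenticated check: compare the installed distro package to the fixed package.

    `installed` stands in for what a scanner would read from the host's
    package database once logged in (e.g. via dpkg-query or rpm -q).
    """
    version = installed.get(adv.package)
    if version is None:
        return "not installed"
    return "vulnerable" if version_lt(version, adv.package_fixed) else "patched"


def scan_host(banner, installed, advisories):
    """Run both checks for every advisory; returns {package: (remote, credentialed)}."""
    return {adv.package: (remote_check(banner, adv), credentialed_check(installed, adv))
            for adv in advisories}


# Constructed observations of one host and two constructed advisories.
BANNER = "Server: exampled/2.4.41"                      # hypothetical network service
INSTALLED = {                                           # hypothetical package database
    "exampled": "2.4.41-4ubuntu0.3",                    # backported fix in distro revision 0.3
    "examplebrowser": "101.0-1",                        # client-side software, no listener
}
ADVISORIES = [
    Advisory("exampled", "exampled", "2.4.42", "2.4.41-4ubuntu0.3"),
    Advisory("examplebrowser", "", "102.0", "102.0-1"),
]

if __name__ == "__main__":
    for pkg, (remote, local) in scan_host(BANNER, INSTALLED, ADVISORIES).items():
        print(f"{pkg}: remote={remote!r} credentialed={local!r}")
```

Running it shows the two failure modes the paragraph describes: the network service is reported as likely vulnerable by the banner check but patched by the credentialed check, and the client-side package is invisible to the remote check yet correctly flagged as vulnerable once the scanner can read the host’s package database.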