Gartner Blog Network


Our Vulnerability Assessment Vulnerability Management Research Publishes

by Anton Chuvakin  |  November 24, 2015

It is with much excitement that I announce that our (Augusto’s and my) batch of three VA/VM papers has published. The documents are linked below (Gartner GTP access required):

In more detail:

“How to Implement Enterprise Vulnerability Assessment” has these juicy quotes:

  • “VA is a critical part of the VM process, and integrating VA with the next steps in the VM cycle is as important as operationalizing the scanning process.”
  • “The very first step in any VA effort is defining what is expected from the process and what the process will cover (which networks and assets, and which types of vulnerabilities and applications).”
  • “Less mature organizations […] may start with a “let’s start scanning first” approach, only to find out that sorting through the massive output of the scans, identifying asset owners, recognizing false positives and dealing with reporting idiosyncrasies require time and resources.”

“A Guidance Framework for Developing and Implementing Vulnerability Management” contains these gems:

  • “The most critical point in a VM process is the handover of identified vulnerabilities to the team responsible for remediating them.”
  • “No matter how hard you try, you cannot go to a store and purchase vulnerability management (VM). Security processes, unlike appliances, software and services, cannot be acquired in exchange for cash. They can only be established by an organization and then matured to an appropriate level.”
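The two failure modes quoted above (drowning in raw scan output with no owner to hand it to, and a weak handover to the remediation team) are easier to see in code. The following is an added example, not code from the Gartner papers or from this post: it takes constructed scanner rows, drops duplicates across overlapping scans, suppresses findings already confirmed as false positives, enforces scope, looks up the asset owner, and produces a per-owner queue ordered by severity. The inventory, the findings, the check identifiers and the known-false-positive list are all made up for illustration; a real implementation would read these from the scanner export and the asset inventory.

```python
"""
Added example (not from the Gartner papers or this post): a minimal VA triage
step that turns raw scan output into a per-owner handover queue.
All data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed asset inventory: owner and scope flag per host.
INVENTORY = {
    "10.0.1.10": {"owner": "web-team", "in_scope": True},
    "10.0.1.11": {"owner": "web-team", "in_scope": True},
    "10.0.2.20": {"owner": "db-team", "in_scope": True},
    "10.0.9.99": {"owner": "lab", "in_scope": False},  # explicitly out of scope
}

# Constructed findings as a scanner might export them (one row per host/check).
# Two scan windows overlap, so one (host, check) pair appears twice.
RAW_FINDINGS = [
    {"host": "10.0.1.10", "check": "CHK-1001", "title": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "10.0.1.10", "check": "CHK-1001", "title": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "10.0.1.10", "check": "CHK-2002", "title": "Outdated web server", "cvss": 9.8},
    {"host": "10.0.1.11", "check": "CHK-3003", "title": "Self-signed certificate", "cvss": 4.0},
    {"host": "10.0.2.20", "check": "CHK-4004", "title": "DB listens on all interfaces", "cvss": 7.5},
    {"host": "10.0.9.99", "check": "CHK-2002", "title": "Outdated web server", "cvss": 9.8},
    {"host": "10.0.5.55", "check": "CHK-5005", "title": "Default credentials", "cvss": 9.8},
]

# Constructed (host, check) pairs already reviewed and confirmed as false positives.
KNOWN_FALSE_POSITIVES = {("10.0.1.11", "CHK-3003")}


@dataclass
class TriageResult:
    handover: dict = field(default_factory=lambda: defaultdict(list))  # owner -> findings
    unowned: list = field(default_factory=list)  # findings with no owner in inventory
    suppressed_fp: int = 0
    out_of_scope: int = 0
    duplicates: int = 0


def triage(findings, inventory, known_fp):
    """Reduce raw scan rows to what can actually be handed to a remediation owner."""
    result = TriageResult()
    seen = set()
    for f in findings:
        key = (f["host"], f["check"])
        if key in seen:  # same host/check reported by an overlapping scan
            result.duplicates += 1
            continue
        seen.add(key)
        if key in known_fp:  # already triaged as a false positive
            result.suppressed_fp += 1
            continue
        asset = inventory.get(f["host"])
        if asset is None:  # cannot hand over what nobody owns: park it for asset discovery
            result.unowned.append(f)
            continue
        if not asset["in_scope"]:
            result.out_of_scope += 1
            continue
        result.handover[asset["owner"]].append(f)
    # Highest severity first, so each owner's queue starts with what matters most.
    for owner in result.handover:
        result.handover[owner].sort(key=lambda x: x["cvss"], reverse=True)
    return result


def handover_summary(result):
    """One line per owner: how many findings and the worst CVSS among them."""
    return {
        owner: {"count": len(items), "max_cvss": max(i["cvss"] for i in items)}
        for owner, items in result.handover.items()
    }


if __name__ == "__main__":
    r = triage(RAW_FINDINGS, INVENTORY, KNOWN_FALSE_POSITIVES)
    for owner, stats in handover_summary(r).items():
        print(f"{owner}: {stats['count']} finding(s), max CVSS {stats['max_cvss']}")
    print(f"unowned: {[f['host'] for f in r.unowned]}, duplicates dropped: {r.duplicates}, "
          f"false positives suppressed: {r.suppressed_fp}, out of scope: {r.out_of_scope}")
```

The point of the `unowned` bucket is the one the first paper makes: a finding on a host that is not in the inventory is not a remediation ticket, it is an asset-management gap, and routing it to the remediation queue anyway is how the handover breaks down.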

“A Comparison of Vulnerability and Security Configuration Assessment Solutions” features bits such as:

  • “The VA market comprises a clear set of enterprise-ready products that compete for enterprise security budgets. The vendors of those products mostly compete with each other and not with the “long tail” of the remaining VA players.”
  • “Although VA tools have existed for nearly 20 years, selecting the one that will work for your particular environment remains a challenge. Aspects such as architecture, assessment methods, technologies covered and integration options vary from vendor to vendor, and selecting one that fits organization requirements is critical to implementation success.”

Augusto’s blog on these is here.

Now, back to SIEM research! :-)

Past posts on vulnerability management:

Blog posts with recent paper publications:

Category: announcement  security  vulnerability-management  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…





Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.