During our work to refresh existing Vulnerability Management and Vulnerability Assessment research papers (here and here – GTP access required) we (Anton Chuvakin and I) talked with vendors in the VA space and also with many organizations at very different levels of maturity in VM. An interesting thing we noticed is how much what is considered “best practices” in VA and VM has NOT been changing. That’s right. In a world as dynamic as Infosec, we have a group of practices done in the same way as 1, 5 or even 10 years ago. Sure, there are a few changes here and there, but most processes, recommendations and even tools are not very different from what we used to consider best practices in the past. What does that mean? Have we reached a plateau (should I say “optimized level”? Commoditization?) on those practices?
Actually, should we be seeing any change?
I was expecting deeper changes caused by the adoption of cloud computing, mobile technologies and devops practices, but it seems that those things have just not been enough to disrupt the VA/VM world. I believe it is because those technologies and trends, although well advanced in their Hype Cycles, are still not widely used by all types and sizes of organization. Yes, many organizations have stuff running in the cloud, but for a vast number it’s just an exploratory thing, with no production or critical systems involved. For those, dealing with the challenges of doing VA in the cloud is not a problem big enough to cause them to review their entire VM program.
If the external drivers are not strong enough yet, my next question is about the VA/VM market itself: why is it not innovating enough to change the best practices? Well, there is some innovation. There are vendors trying to bring modern data analytics and integration with Threat Intelligence to vulnerability prioritization. Is this enough innovation? It certainly helps organizations trying to find out what to fix next, but it is certainly not market disruption material. Just another evolutionary step.
Eventually we should also ask: Should we bother? Apart from a few radical points of view, most of us understand VM/VA as a critical component of Security. You must do it, and doing it well generally means less risk to the organization. But once it is being done decently, is it worth trying to do it better or does it make more sense to invest the money and resources in other security practices?
I believe this is the key answer to the lack of innovation in Vulnerability Management. Most organizations are doing it, but if you ask them where they should be investing the next security dollar, they will tell you it is not there.
There is no external factor breaking everything and forcing us to redesign how we do it. There is no money out there to be spent on the coolest new VM/VA product. And finally, let’s confess, it’s not the sexiest thing to work with. With all that together, I’m really not surprised that VM/VA is still the same after all these years.