This month we are looking at an important piece of the information assurance puzzle. Vulnerability management is an emerging product area and, for the most part, it still is fragmented. This year we will stick with the two major fragments – vulnerability assessment and patch management – but I foresee next year looking at the genre as a coherent vulnerability management whole.The issues that are driving yet another convergence in our marketplace this time are cost and integration of functionality. That should be no surprise given that the discovery of vulnerabilities often suggests the need for some patching. In fact, several of the products that we look at on the vulnerability assessment side of this month's reviews offer that functionality, at least to the extent of interfacing directly with a patch management application.
One of the major issues with vulnerability assessment is the positioning of penetration testing as part of the vulnerability assessment protocol. As we will discuss in the Group Test, that still seems to be a bit of a rarity in the vulnerability assessment marketplace. However, this is a critical issue for a lot of reasons. For example, if we look at the overall vulnerability management paradigm, we find that it is only a piece of the risk management function. Marrying vulnerability management to threat management gives us the beginnings of an understanding of the risks inherent in our systems.
Makers of SIEMs are beginning to acknowledge this by way of including vulnerability assessment results, along with threat assessment results, in a unified risk correlation. Understanding which of the vulnerabilities discovered in an enterprise are exploitable is very important when analyzing levels of risk. If we have an exploitable vulnerability that is reachable by a threat, we have a problem. If the vulnerability is not exploitable – even through the use of a chained exploit – we probably don't have as immediate a problem as we would if it was. Penetration testing is, in my view, the only way to determine exploitability.
Patch management is a whole discipline in itself and demands a solid enterprise view since patching may be necessary for endpoints, as well as servers. From a practical perspective, we usually think about patch management in terms of servers, but it is not necessary to limit our scope that much, especially in some of the more critical applications – such as browsers – that we find in the typical enterprise. We learned last year that even innocuous applications – pervasive though they may be – such as the Adobe Acrobat/Reader discovered recently.
This month, our reviewers looked at a large number of vulnerability assessment tools and a far fewer number of patch management tools. However, SC Lab Manager Mike Stephenson reports that he saw far more vulnerability assessment tools with patch management hooks or capabilities than in prior years, so we can say safely that the trend toward convergence is beginning. The labs were quite busy this month, especially since we were testing during the holidays and I want to thank our vendors who went out of their way – and disrupted holiday breaks – to get products to us, offer technical support and respond to our compressed schedule.Everyone of our products this month is, in its own way, a solid offering, and we think that this month you'll find answers to some important questions about the direction of both vulnerability assessment and patch management tools. This is an important pair of security groups and some tools do specific tasks better than others. All-in-all, though, this is a great way to match your requirements against the tools available in the marketplace. Even though there must be Best Buys, Recommendeds and Lab Approveds, virtually all of these products have niches that may be exactly what you're looking for. This is what we expect as a genre matures – we have watched this as other product groups have converged – and this signals the beginning of a similar convergence in vulnerability management.