Industry Evolution of Modern Vulnerability Management

Vulnerability Management as a function has been around as long as we’ve had sophisticated IT and security organizations. Yet the overall scope and responsibilities of that function have morphed considerably over the past decade. Many organizations used to use a very narrow definition of vulnerability and simply compare configurations and software versions against a database of issues using one of the many commercially available tools. Though this has changed considerably over the last decade as Software Composition Analysis has become more prevalent, companies have shifted to the cloud and to containers, etc.

Some organizations now use a broader definition of vulnerability — starting far to the left of the SDLC with threat models and static and dynamic analysis in pre-production code. Practitioners debate whether asset identification, risk-based vulnerability management, product security, application security, application vulnerability correlation, configuration management, penetration testing, patching, reporting and an assortment of other functions and capabilities should be included in their vulnerability management organizational responsibilities or kept as separate functions (CIS 18 lists them separate and alongside vuln).

Every organization with which we work defines the scope slightly differently. Common across all of them is the goal of lowering risk by identifying and remediating known opportunities for unauthorized access. Vulnerability scanners have advanced considerably, making the actual task of scanning known infrastructure for known vulnerabilities relatively straightforward, but therein lies the rub — you have to know what you want to scan and have a process for dealing with what you find in order for the effort to be worthwhile. Software companies fully understand this challenge and seek to continue developing capabilities to address these needs.

We expect several major trends affecting the Vulnerability Management market to begin coming to fruition in the next year. Each of these will set the stage for continued acceleration of automation capabilities. Read more here: Michael Morgenstern on Medium.

About the Authors

Michael Morgenstern is a Partner and Practice Lead for DayBlink Consulting’s Cybersecurity Group.