Sunday, September 1, 2013

Vulnerability Assessment Products Evaluation & Selection Criteria

Vulnerability assessment is very critical nowadays; each organization cares about assessing its overall security posture in order to assess risks correctly.

It's not a simple process; it is a complete life cycle of vulnerability management. To do an appropriate vulnerability assessment you need the correct solution. During my career I evaluated certain products, not all the products existing in the market. I came to this short list in order to select the right solution from my point of view.
I would like to share these criteria for selecting a vulnerability scanner to manage this for your enterprise; you can consider it a simple buying guide. Please share your comments or additions if you want to add any to these criteria.

Vulnerability Assessment Selection Criteria 

·         Asset Management

§  Discover and identify all assets, hosts, operating systems and open services across the network.
§  Real-time asset detection.
§  Continuous asset monitoring.
§  Asset prioritization and classification based on location, business role, value, compliance, etc.

·         Vulnerability data

§  Support a variety of platforms, applications, and infrastructure devices.
§  Ability to aggregate data from multiple sources (other vulnerability scanners).
§  Address different kinds of vulnerabilities; classify misconfigurations and missing patches.
§  Centralized repository for all assets and vulnerabilities.
§  Ability to use third-party vulnerability references (CVE, etc.).
§  Ability to prioritize vulnerabilities on different factors (CVSS, exploitability, ease of fixing, popularity, type, etc.).
§  Identify vulnerabilities on a regular automated schedule.
§  Vulnerability research team and vulnerability updates (reliability, frequency).
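As an added illustration of the aggregation and prioritization criteria above (and of the asset classification criterion in the previous section), here is example code written for this post, not taken from any product: two constructed scanner outputs with different field names are merged into one repository keyed on host and CVE, then ranked by a constructed weighting that combines CVSS, public exploit availability, internet exposure and asset business value. The asset inventory, scanner records, weights and CVE ids are all assumed and constructed.

```python
# Constructed asset inventory: business value 1..5 and whether the host is
# reachable from the internet (the "location" factor from the criteria).
ASSETS = {
    "web01": {"value": 5, "internet_facing": True},
    "db01": {"value": 5, "internet_facing": False},
    "lab07": {"value": 1, "internet_facing": False},
}
# Constructed output of two scanners that name their fields differently;
# the CVE ids are placeholders, not real identifiers.
SCANNER_A = [
    {"host": "web01", "cve": "CVE-EXAMPLE-1", "cvss": 9.3, "exploit_public": True},
    {"host": "db01", "cve": "CVE-EXAMPLE-2", "cvss": 7.5, "exploit_public": False},
]
SCANNER_B = [
    {"ip_host": "web01", "ref": "CVE-EXAMPLE-1", "score": 9.3, "exploit": "yes"},
    {"ip_host": "lab07", "ref": "CVE-EXAMPLE-3", "score": 10.0, "exploit": "yes"},
]

def normalize_a(rec):  # scanner A already uses the repository's field names
    return {"host": rec["host"], "cve": rec["cve"], "cvss": rec["cvss"], "exploit": rec["exploit_public"]}

def normalize_b(rec):  # scanner B must be mapped onto the common schema
    return {"host": rec["ip_host"], "cve": rec["ref"], "cvss": rec["score"], "exploit": rec["exploit"] == "yes"}

def aggregate(*sources):
    """Merge findings into one repository keyed by (host, CVE); a duplicate keeps
    the highest CVSS seen and the exploit flag if any source reported one."""
    repo = {}
    for source in sources:
        for f in source:
            cur = repo.setdefault((f["host"], f["cve"]), dict(f, cvss=0.0, exploit=False))
            cur["cvss"] = max(cur["cvss"], f["cvss"])
            cur["exploit"] = cur["exploit"] or f["exploit"]
    return repo

def risk_score(f, assets=ASSETS):
    """Constructed weighting: CVSS, x1.5 for a public exploit, x1.5 if
    internet-facing, then scaled by asset value (1..5 -> 0.2..1.0)."""
    asset = assets[f["host"]]
    exposure = (1.5 if f["exploit"] else 1.0) * (1.5 if asset["internet_facing"] else 1.0)
    return f["cvss"] * exposure * asset["value"] / 5

def ranked_findings():
    """Build the central repository from both scanners, highest risk first."""
    repo = aggregate(map(normalize_a, SCANNER_A), map(normalize_b, SCANNER_B))
    return sorted(repo.values(), key=risk_score, reverse=True)
```

The lab host carries the highest raw CVSS yet ranks last once asset value is applied, which is why the criteria ask for prioritization by asset classification and not by scanner score alone.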

·         Remediation

§  Prioritize and fix vulnerabilities.
§  System grouping to manage remediation.
§  Include patch management or integrate with a third-party patch management solution.
§  Automated patching that includes patch testing.
§  Tracking and verification of remediation.

·         Other

§  Generate fully customizable, detailed reports.
§  Ability to manage the full life cycle of vulnerability management.
§  Product ease of use and performance.
§  Product support and documentation.
§  Required appliances (ability to run in a virtualized environment).
§  Does it require any agents?
§  Ability to integrate with other systems.
§  Product certifications and independent product testing reports.