The Forrester Wave Vulnerability Management

8/4/2019 The Forrester Wave Vulnerability Management

1/15

Making Leaders Successul Every Day

J 15, 2010

The Frrester Wve: VertMgemet, Q2 2010 Che Wg, Ph.D.

r Secrt & Rsk Presss
http://www.forrester.com/


2/15

2010, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Inormation is based on best availableresources. Opinions refect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar,and Total Economic Impact are trademarks o Forrester Research, Inc. All other trademarks are the property o their respective companies. Topurchase reprints o this document, please [email protected]. For additional inormation, go to www.orrester.com.

Fr Secrt & Rsk Presss

ExECuTiVE SuMMaRy

In Forresters 53-criteria evaluation o vulnerability management vendors, we ound that the market is

rie with mature products. Qualys led the pack because o its strong vulnerability assessment capability,

orward-thinking strategy, and exceptional customer reviews. Rapid7, Lumension, McAee, and nCircle

are a notch down, but all turned in solid scores that landed them in the Leaders section. eEye Digital

Security, enable Network Security, and Critical Watch are ranked as Strong Perormers. Tese products

may lack platorm diversity, have slightly weaker application-level scanning capability, or do not supportcomprehensive policy compliance. However, all o the products we evaluated have mature vulnerability

assessment unctionality. Given this, I security proessionals should choose a vulnerability management

product based on the more cutting-edge unctionality, such as support or remediation and application-

level scanning, rather than on traditional network and system vulnerability management unctions.

TablE oF ConT EnTSVeraiit Maaemet Is A Core Fctio

For IT Secrit

Vert Mgemet Prdcts Hve

icresg brd Fctt

Veraiit Maaemet Vedor Evaatio

Overview

We used Three Dmess T assess Vedrs

or Evt Emphszed Cmprehesve

Cptes

Evaated Vedors Reder Matre Sotios

Vedor Proes

leders ofer Mtre Sts

Strg Perrmers Prvde Rst Techc

atertvesother nte Vedrs Rd ot The

Vert Mgemet Spce

Sppemeta Materia

noTES & RESouRCESFrrester cdcted prdct evts

etwee Mrch d M 2010 d tervewed

mre th 20 vedr d ser cmpes,

cdg Crtc Wtch, eEe Dgt Secrt,

ibM, lmes, Mcaee, Permeter eSecrt,

Qs, Rpd7, Sec, d Tee netwrk

Secrt.

Reated Research Docmets

Mrket overvew: Cet Mgemet Stes

J 29, 2009

Mrket overvew: Secrt irmt

Mgemet (SiM)

apr 30, 2009

opertzg appct VertMgemet

Ferr 29, 2008

J 15, 2010

The Frrester Wve: Vert Mgemet,Q2 2010Qs leds; Rpd7, Crce, Mcaee, ad lmes Fw Chexi Wa, Ph.D.

wth Stephe brs d ldse Ct

2

3

4

7

12
mailto:[email protected]://www.forrester.com/http://www.forrester.com/go?docid=53313&src=56932pdfhttp://www.forrester.com/go?docid=53864&src=56932pdfhttp://www.forrester.com/go?docid=53864&src=56932pdfhttp://www.forrester.com/go?docid=44663&src=56932pdfhttp://www.forrester.com/go?docid=44663&src=56932pdfhttp://www.forrester.com/go?docid=44663&src=56932pdfhttp://www.forrester.com/go?docid=44663&src=56932pdfhttp://www.forrester.com/go?docid=53864&src=56932pdfhttp://www.forrester.com/go?docid=53864&src=56932pdfhttp://www.forrester.com/go?docid=53313&src=56932pdfhttp://www.forrester.com/http://www.forrester.com/mailto:[email protected]


3/15

2010, Frrester Reserch, ic. Reprdct PrhtedJ 15, 2010

The Frrester Wve: Vert Mgemet, Q2 2010


2

VulnERAbIlITy MAnAgEMEnT IS A CORE FunCTIOn FOR IT SECuRITy

Vulnerability management, comprised o vulnerability assessment, conguration compliance

scanning, and remediation support, is an important I security unction. In Forresters 2009 security

survey, 42% o I security proessionals told us that they were ully responsible or vulnerability

management, while another 29% said they were mostly responsible (see Figure 1).1

Forrester sees continued interest and a sustained level o investment in vulnerability management

capabilities, because:

Treats do not let up. Attacks exploiting security vulnerabilities or nancial gain and criminalagendas continue to dominate headlines. Statistics rom Microso bulletins and the National

Vulnerability Database (NVD) suggest that the time it takes to release new exploits or a known

vulnerability has decreased signicantly in the past ve years. Tis rapid release leaves more and

more systems vulnerable to exploit attacks.

Regulations demand it. Many government and industry regulations, such as PCI andSarbanes-Oxley (SOX), mandate rigorous vulnerability management practices.2 Insight into an

organizations vulnerabilities is key to a proactive understanding o ones inrastructure risks. As

a result, regulatory requirements will continue to drive demand or vulnerability management

technologies.

Mature organizations treat it as a key risk management component. Organizationsthat ollow mature I security principles understand the importance o risk management.

Vulnerability assessment and management is an essential piece or managing overall I risk.

Beyond an established vulnerability management practice, a mature organization should employadvanced analytics and perorm vulnerability trending and remediation tracking to urther

control and manage its inrastructure risks.

Fire 1 iT Secrt Presss are Respse Fr Vert Mgemet

Source: Forrester Research, Inc.56932

Security is fully responsible 400 42%

Count

To what extent is your firms IT security group responsible for threat and vulnerability management?

%

Security is mostly responsible 281 29%

Security is about half responsible 168 18%

Security is slightly responsible 70 7%

Security is not at all responsible 24 3%

Dont know/does not apply 10 1%

Source: Enterprise And SMB Security Survey, North America And Europe, Q3 2009

Base: 953 North American and European IT security decision-makers


4/15

2010, Frrester Reserch, ic. Reprdct Prhted J 15, 2010



3

Veraiit Maaemet Prodcts Have Icreasi broad Fctioait

Vulnerability management products started out delivering pure network vulnerability assessment

unctionality. As the market matures, many vendors are looking to adjacent technology areas or

additional growth. Tis has led to a number o market shis, including:

Both vulnerability assessments and endpoint conguration are considered core unctionality.Almost every vulnerability management product today oers unctionality. Some provide

comprehensive mapping rom a wide variety o regulations to specic vulnerability management

and conguration controls.

Application-level scanning capabilities are now a table stake. Application-level scanning,targeting Web applications and databases, is becoming a must-have item in RFPs or

vulnerability management products. While some buyers are happy to procure pure-play

application scanners, many customers look to a single vendor to provide consolidatedvulnerability scanning capability and reports across network/system and applications.

Remediation and security analytics are ast becoming the newest diferentiators. AsI security organizations mature, buyers start to shi rom assessment-only capabilities to

advanced risk-based analytics and remediation management; both are somewhat newer

unctionalities or vulnerability management products.

VulnERAbIlITy MAnAgEMEnT VEnDOR EVAluATIOn OVERVIEW

o assess the state o the vulnerability management market and see how the vendors stack up against

each other, Forrester evaluated the strengths and weaknesses o top vulnerability managementvendors.

We used Three Dimesios To Assess Vedors

Aer examining past research, user need assessments, and vendor and expert interviews, we

developed a comprehensive set o evaluation criteria. We evaluated vendors against 53 criteria,

which we grouped into three high-level buckets:

Current ofering. We analyzed the vendors capability on vulnerability assessment, both at thenetwork/system level and at the application level; conguration compliance assessment; and

any remediation capabilities (or support or remediation). We also looked at eatures such asreporting, perormance, mode o delivery, and support or risk management.

Strategy. Our analysis o each vendors strategy included an assessment o the high-levelcompany strategy, near-term product road map, and the companys plan or a partner ecosystem.

In terms o company strategy, we looked at the vendors vision and its value proposition, how

well it is executing this vision and delivering on the value proposition, and whether the strategy

demonstrates industry thought leadership.


5/15




4

Market presence. We used traditional metrics, such as vendor revenues and customer numbers,to evaluate a vendors market presence. Because this technology is oen delivered via managed

security services, we added criteria to measure each vendors indirect customers rom managed

security services provider (MSSP) partners.

Or Evaatio Emphasized Comprehesive Capaiities

Forrester included eight vendors in the Forrester Wave assessment: Critical Watch, eEye Digital

Security, Lumension, McAee, nCircle, Qualys, Rapid7, and enable Network Security. Each o these

vendors has (see Figure 2):

Both vulnerability and conguration compliance assessment capabilities. odays userorganizations value vulnerability assessment as well as conguration scanning. Tereore, we

consider both o these unctions core to vulnerability management.

Support or remediation. Te product must either possess native remediation capability oroer tight integration with third-party remediation products.

Signicant market presence or notable growth. We ocused on vendors that either have anotable market presence, evidenced by the number o customers or revenues, or ones that are

up-and-coming with strong growth numbers.

We decided to ocus our scope o evaluation on vulnerability assessment and conguration auditing

products. Hence, we did not invite any pure-play Web application scanners, such as IBM and HP, or

any vulnerability intelligence vendors, such as Symantec or 3Com, to participate in this evaluation.

EVAluATED VEnDORS REnDER MATuRE SOluTIOnS

Te evaluation uncovered a market in which many mature solutions exist (see Figure 3):

Qualys leads the pack. Qualys leads on its strategy as well as its execution. Not only didQualys pioneer the SaaS hybrid model or vulnerability assessment, but today it is the largest

vulnerability management vendor in terms o revenues. Its conguration compliance assessment

unctionality, also delivered via Qualys in-the-cloud multitenant architecture, has since

matured and is one o the most advanced in the market.

Rapid7, Lumension, McAee, and nCircle ofer competitive options. Tese our vendorsare a notch down rom Qualys, but each oers strong vulnerability management unctionality

in one aspect or another. Lumension has the strongest strategy/vision due to its portolio o

endpoint remediation products, such as PatchLink. Straddling both assessment and remediation

gives customers a one-stop shop or vulnerability management capabilities. Rapid7 receives


6/15




5

excellent scores or both its technologies and its risk-oriented strategy. nCircles comprehensive

unctionality portolio or vulnerability assessment and conguration compliance earned it a

nod in the Leaders category. McAee is an established vendor in this space, and its mature risk-

based strategy is a unique dierentiator.

eEye Digital Security, enable Network Security, and Critical Watch trail behind. eEye has asolid vulnerability assessment product, but it is a bit weaker on application-level scanning and

support or conguration compliance. enables product has excellent technical unctionality but

lacks comprehensive enterprise support eatures. Critical Watch is the newcomer to the space.

Its integration with ippingPoint is interesting, but the product doesnt have comprehensive

platorm support, and the companys long-term strategy lacks clear dierentiation.

Tis evaluation o the vulnerability management market is intended to be a starting point only. We

encourage readers to view detailed product evaluation spreadsheets and adapt the criteria weightings

to t their individual needs through the Forrester Wave Excel-based vendor comparison tool.

Fire 2 Evted Prvders: Vedr irmt ad Seect Crter

Source: Forrester Research, Inc.

Vendor

Critical Watch

eEye Digital Security

Lumension Security

McAfee

nCircle

Qualys

Rapid7

Tenable Network Security

Product evaluated

FusionVM

Retina CS

Retina Network Security Scanner

Lumension EndPoint Management and Security Suite

Foundstone McAfee Vulnerability Manager

nCircle Suite360

QualysGuard IT Security and Compliance Suite

NeXpose Enterprise

Tenable Unified Security Monitoring

Product version

evaluated

4.4.26

1.1.0

5.11.1

7.0

6.8

N/A

6.10

4.8.0

N/A

Date

evaluated

Q1 2010

Q1 2010

Q1 2010

Q1 2010

Q1 2010

Q1 2010

Q1 2010

Q1 2010

Q1 2010

Vendor selection criteria

Both vulnerability and configuration compliance assessment capabilities

Support for remediation

Significant market presence of notable growth


7/15




6

Fire 3 Frrester Wve: Vert Mgemet, Q2 10


Go online to download

the Forrester Wave tool

for more detailed product

evaluations, feature

comparisons, and

customizable rankings.

Risky

Bets Contenders Leaders

Strong

Performers

StrategyWeak Strong

Current

offering

Weak

Strong

Market presence

Tenable NetworkSecurity McAfee

eEye Digital Security

Critical Watch

Qualys

Lumension

nCircleRapid7


8/15




7

Fire 3 Frrester Wve: Vert Mgemet, Q2 10 (Ct.)

VEnDOR PROFIlES

leaders Ofer Matre Sotios

Qualys leads in market share and innovation. Qualys is the clear leader in this evaluation.Qualys pioneered the SaaS hybrid delivery model o vulnerability management: Fully managed

scanner appliances are deployed on-premise, and the security console is hosted, in a multitenant

ashion, in the Qualys cloud to drive scans, conduct analysis, and produce reports. Once

viewed as radical, this service model now counts some o the largest organizations in the world

as customers. oday, the QualysGuard cloud delivers vulnerability assessment, application-level scanning, and conguration compliance auditing, all rom a centralized multitenant

architecture. Tis architecture helps to deliver scalability and consolidated reporting. Qualys is

also one o the ew vendors in this evaluation that has a ull-eatured conguration compliance

module that provides concrete mappings rom a wide list o regulations to actual I controls.

Qualys has an extensive ecosystem o partners and is rounding out its service oerings by


CURRENT OFFERING

Vulnerability assessment on the network/system level

Application-level vulnerability management

Compliance

Take to market

Remediation and integration with related functionality

Administration and reportingPerformance and operations

Customer reference feedback

STRATEGY

Product strategy

Partner strategy

MARKET PRESENCE

Customer base

Revenues

Forresters

Weighting

50%

25%

15%

25%

5%

8%

8%8%

6%

50%

70%

30%

0%

50%

50%

CriticalWatch

2.99

3.73

1.90

2.10

4.10

2.35

4.003.45

4.33

2.59

2.70

2.34

2.45

2.70

2.20

eEyeDigitalSecu

rity

3.31

3.40

2.90

3.30

3.00

2.95

3.603.85

3.66

3.34

3.20

3.66

3.45

4.50

2.40

McAfee

3.73

3.99

1.60

4.70

3.00

3.95

4.303.35

3.99

3.52

3.75

2.97

3.45

3.50

3.40

LumensionSecurity

3.47

3.19

2.10

4.00

1.90

4.60

4.404.05

3.67

4.03

3.75

4.67

2.80

3.00

2.60

nCircle

3.98

4.19

3.80

4.10

3.00

4.15

4.203.50

4.00

3.34

3.20

3.66

3.25

3.50

3.00

Qualys

3.92

3.74

3.80

4.40

3.90

3.40

3.104.05

4.67

4.24

4.20

4.32

3.93

3.65

4.20

Rapid7

3.87

3.85

5.00

3.10

4.10

3.60

3.804.10

4.33

3.76

3.95

3.33

3.45

3.70

3.20

TenableNetwork

Security

3.83

4.50

3.90

4.20

1.10

1.40

3.704.35

4.34

2.23

3.05

0.33

3.53

3.25

3.80

All scores are based on a scale of 0 (weak) to 5 (strong).


9/15




8

adding a variety o new services, including malware scanning and the Qualys Go Secure

trust seal. Te company surpassed the $50 million mark in 2009, making it the largest market

shareholder in the vulnerability management sector. As one I security director we interviewed

said, While other products can be too expensive or too niche, it is hard to go wrong withQualys. Who should buy Qualys? All but the most conservative organizations.

Rapid7 exhibits strong growth and clarity o vision. Rapid7 is the up-and-coming vendor inthis evaluation. Te company experienced a dramatic surge in business in the past two years,

rendering an impressive 50%-plus year-over-year growth. Rapid7 receives solid scores or its

undamental technology, which is built on top o an expert system that helps to deliver analysis

accuracy. Rapid7 also leads on its strong application scanning capability its the only vendor

in this evaluation whose scanning capabilities can handle Ajax and Web 2.0 technologies.

Rapid7 delivers its unctionality via a consolidated scanning and analysis architecture, which

promises deployment eciency and simplicity. Te acquisition o Metasploit also helps to

strengthen Rapid7s risk analytics and adds a penetration testing tool to its portolio. Te

company has an ambitious vision delivering unied vulnerability management across

network, applications, and databases, with meaningul risk analytics. o execute this vision,

Rapid7 needs to expand its policy compliance capability and strengthen its support or

remediation. oday, Rapid7 is still a small company with revenues south o $20 million. But the

company recently signed OEM deals with two o the largest security and service vendors in the

industry. Tese partnerships will undoubtedly provide a urther boost to the companys position

in the market. Who should buy Rapid7? Organizations that seek a consolidated solution or

network, system, and application-level vulnerability management.

nCircle has a comprehensive vulnerability auditing portolio. nCircles vision is clear and welldened to be the leader in vulnerability and conguration compliance auditing. o this end,

the company has amassed one o the broadest capability portolios in vulnerability auditing. In

particular, nCircles conguration compliance product is among the most sophisticated on the

market today, and its topology analyzer is unique among vulnerability management vendors.

Customers also reported positive reviews or its core vulnerability scanning product, IP360.

For these reasons, nCircle received one o the highest current oering scores. However, some

o nCircles unctionality came via acquisitions, and as a result, its vulnerability assessment

product, IP360, its conguration compliance product, CCM, and its analytics product, the

Suite360 Intelligence Hub, all have disparate code bases and there exists only sparse integration

among the three. IP360 and CCM manage separate scanners, consoles, and databases.

Te Intelligence Hub, which pulls data rom both IP360 and CCM, provides yet another

management console and another database. Customers we interviewed reported a certain level

o deployment complexity and challenges with nCircles suite o products. Customers have

also reported occasional accuracy problems with the companys Web application scanner. o

eclipse its competition, nCircle needs to eliminate the architectural redundancy between its

various modules, strengthen its application scanning capabilities, and urther develop its value

proposition or the Suite360 Intelligence Hub. Who should buy nCircle? Enterprises that have

advanced compliance and risk analytics needs.


10/15




9

McAee delivers strong risk management capabilities. McAee/Foundstone is an establishedvulnerability management vendor. Foundstone championed many early-day innovations in this

space. Te McAee Vulnerability Management (MVM) product today boasts one o the most

UI-conscious interace designs and solid support or translating vulnerability knowledge into

meaningul risk metrics. In addition, MVMs integration with McAee ePolicy Orchestrator

is a nice eature and proves valuable to many ePO users. However, the product itsel needs a

bit o a tune-up: Customers we interviewed mentioned occasional accuracy problems with

their scanners. Te companys scan-based reporting is cumbersome to use. At the close o this

evaluation March 31, 2010 McAee had little in the way o application scanning capability.

However, McAee has alluded to the imminent release o new unctionality to cover this void;

prospective customers should investigate whether McAees new application scanner will suit

their needs. Who should buy McAee? Organizations with a mature risk management strategy

and those that drive I eciency with ePO. Existing MVM customers who have a need to

manage application-level vulnerabilities should also track McAees upcoming product releases.

Lumension has a unique product portolio to deliver an end-to-end vision. Lumension isthe only vendor in this evaluation that has its own endpoint patch management unctionality,

Lumension Patch and Remediation (ormerly Patchlink), and its own GRC product, Lumension

Risk Management. Unlike the other vendors that may have a ocus on assessment, Lumensions

value proposition is much broader instead o dealing with separate consoles rom assessment,

remediation, and compliance, Lumension aims to deliver a consolidated platorm to manage

the lie cycle o vulnerabilities rom discovery to remediation to analytics. While this vision

is unique, Lumensions vulnerability scanning product is clearly designed or technologists,

with very ew extra bells and whistles to boot. When used as a standalone product, its not

quite at par with its competition. Lumensions conguration compliance product, however,has much more sophisticated analytics and reporting capabilities. Compared with the other

products, Lumensions strategies have a decidedly endpoint ocus. Because o the expanse

o its product portolio, Lumension has a great deal o potential to challenge the top players

in the vulnerability management market. Presently, however, the company should work on

streamlining its various products to drive toward a consolidated platorm as well as continue to

invest in the research and development o its vulnerability assessment product. Who should buy

Lumension? Organizations with a ocus on consolidated assessment and remediation strategy.

Stro Perormers Provide Rost Techica Ateratives

enable Network Security has a strong technology ofering. enable is the producer o the onceopen-source Nessus vulnerability scanner. enables portolio, including the Passive VulnerabilityScanner (PVS) and the Log Correlation Engine (LCE), renders strong vulnerability assessment

capabilities. Many technologists we interviewed like what enable has to oer. What enable

lacks are enterprise support eatures, such as executive reporting, advanced risk analytics, and

integration with related products. Who should buy enable? echnology-minded buyers.


11/15




10

eEye Digital Security is evolving its product portolio. With a new management team in place,eEye is overhauling its products. eEyes vulnerability assessment product, Retina, has many

desirable eatures, such as wireless scanning, diverse scan templates, and an extremely fexible

reporting portal. Te product is also attractively priced. eEye has a separate government-acing

product, appropriately named Retina.GOV, which has specic SCAP-related unctionality.3

eEyes endpoint agent executes protection actions, such as application whitelisting, device

control, and local scanning. eEyes high-level vision is similar to that o Lumensions take the

ull lie-cycle approach to vulnerability management. Te value proposition o eEyes endpoint

capabilities, however, is not as clearly dened. eEye needs to leverage on its strength the

vulnerability assessment product and work on a ew enhancements, including increasing

the fexibility o the product, strengthening application-level scanning, and enhancing policy

compliance. Who should buy eEye? Government clients, value-conscious organizations, and

technology-minded buyers.

Critical Watch ofers interesting new capabilities. Critical Watchs FusionVM product has anumber o distinct and innovative eatures, including the CEM structure that provides a fexible

yet powerul organizational ramework or managing scans, reports, and analysis. A key part

o Critical Watchs positioning centers on its integration with ippingPoints rewall product,

which allows FusionVM a deeper insight into mitigation controls. Critical Watch has a relatively

small market share, but the company has garnered a respectable customer base and has shown

steady growth or the past two years. In terms o technology, what Critical Watch needs to

work on is its breadth o platorm support, application scanning capabilities, and support or

endpoint remediation. In terms o company strategies, Critical Watch needs to expand the

reach o its partner network and strive or a clearer value dierentiation against its competitors.

Who should buy Critical Watch? Organizations that have diverse reporting needs and value-conscious large enterprises.

Other notae Vedors Rod Ot The Veraiit Maaemet Space

Beore narrowing our evaluation to eight vendors, we studied a broader set o vendors including

vendors that t squarely in the vulnerability management space and those that oer closely

related unctionality. For this evaluation, we chose to ocus on vendors with a broad vulnerability

management technology solution and those with a sizable market presence. A vendors absence

rom this evaluation doesnt constitute any judgment as to the vendors capabilities or viability.

Generally speaking, other products worth noting all into these loosely dened categories:

Vulnerability assessment. Other vendors in this space include Digital Deense, PerimeterE-Security, RandomStorm, Secunia, rustwave, and IBM. Tese vendors either ail to meet the

inclusion criteria or were omitted in avor o a vendor with a more signicant market presence.

IBM, in particular, is both a vulnerability management technology vendor and a signicant


12/15




11

managed security service provider. IBM/ISS is traditionally an innovator in this space. However,

at the time o evaluation, IBM was in the process o rereshing and upgrading its vulnerability

management portolio and will launch a new oering in Q3 2010. Because o the timing, it

became dicult to include IBM or this evaluation. For that reason alone, IBM is not one o thevendors included in this Forrester Wave.

Vulnerability intelligence. Vulnerability assessment technologies must update their knowledgeo vulnerabilities to stay current, as new vulnerabilities surace constantly. Companies that

provide vulnerability intelligence services include Symantec, Secunia, VeriSign, and 3Com.

Tese vendors were not included in the evaluation because vulnerability intelligence, albeit

important, is not the ocus o this study.

Penetration testing and emulation. Penetration testing or emulation products utilize theknowledge o existing vulnerabilities and demonstrate actual or virtual exploitation. With

penetration testing or emulation, one can much more accurately assess the severity o certain

vulnerabilities. Core Security echnologies and Metasploit (now a Rapid7 company) both provide

automated penetration testing technologies. Core Security and Metasploit can leverage the output

o a vulnerability scanner to cra a specic penetration test, and in turn, they may discover new

vulnerabilities that are otherwise hidden rom regular scanners. RedSeal Systems and Skybox

Security, on the other hand, oer penetration emulation without actual tests on the system.

Remediation. Endpoint patch management and conguration management products sit in thiscategory. Remediation technologies must work hand-in-hand with assessment technologies

to aect mitigation changes. Example products in this category include BigFix, IBM/ivoli,

McAee, LANDesk Soware, Shavlik echnologies, Symantec, and rend Micro.

Web application scanners. We made a conscious decision not to include pure-play Webapplication scanners because the technologies are very dierent. Vendors that have oerings

in this space include Accunetix, Cenzic, HP (WebInspect), IBM (AppScan), and WhiteHat

Security.

Managed security service providers. We did not include any MSSPs in this evaluation, butMSSPs play an important role in this space and their involvement will be increasingly critical

as more and more organizations procure vulnerability management unctionality rom MSSPs.

Many MSSPs resell vulnerability management technologies and provide additional value-added

services. Notable ones include IBM, Verizon Business, and SecureWorks.


13/15




12

SuPPlEMEnTAl MATERIAl

Oie Resorce

Te online version o Figure 3 is an Excel-based vendor comparison tool that provides detailedproduct evaluations and customizable rankings.

Data Sorces used I This Forrester Wave

Forrester used a combination o three data sources to assess the strengths and weaknesses o each

solution:

Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluationcriteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where

necessary to gather details o vendor qualications.

Product demos. We asked vendors to conduct demonstrations o their products unctionality.We used ndings rom these product demos to validate details o each vendors product

capabilities.

Customer reerence calls. o validate product and vendor qualications, Forrester alsoconducted reerence calls with each vendors customer reerences as well as other customers that

we reached out to or reerence inormation.

The Forrester Wave Methodoo

We conduct primary research to develop a list o vendors that meet our criteria to be evaluated

in this market. From that initial pool o vendors, we then narrow our nal list. We choose thesevendors based on: 1) product t; 2) customer success; and 3) Forrester client demand. We eliminate

vendors that have limited customer reerences and products that dont t the scope o our evaluation.

Aer examining past research, user need assessments, and vendor and expert interviews, we develop

the initial evaluation criteria. o evaluate the vendors and their products against our set o criteria,

we gather details o product qualications through a combination o lab evaluations, questionnaires,

demos, and/or discussions with client reerences. We send evaluations to the vendors or their

review, and we adjust the evaluations to provide the most accurate view o vendor oerings and

strategies.

We set deault weightings to refect our analysis o the needs o large user companies and/or

other scenarios as outlined in the Forrester Wave document and then score the vendors based

on a clearly dened scale. Tese deault weightings are intended only as a starting point, and we

encourage readers to adapt the weightings to t their individual needs through the Excel-based

tool. Te nal scores generate the graphical depiction o the market based on current oering,

strategy, and market presence. Forrester intends to update vendor evaluations regularly as product

capabilities and vendor strategies evolve.


14/15




13

EnDnOTES

1 Source: Enterprise And SMB Security Survey, North America And Europe, Q3 2009.

2

PCI DSS has specic provisions or organizations to maintain an active vulnerability management program.Source: PCI Security Standards Council (https://www.pcisecuritystandards.org/).

3 SCAP reers to the Security Content Automation Protocol. SCAP is a suite o specications that standardize

the ormat and nomenclature by which security soware products communicate soware faw and security

conguration inormation. SCAP is a multipurpose protocol that supports automated vulnerability

and patch checking, technical control compliance activities, and security measurements. Goals or the

development o SCAP include standardizing system security management, promoting interoperability

o security products, and ostering the use o standard expressions o security content. Te technical

specication o SCAP is spearheaded by NIS. Source: Stephen Quinn, David Waltermire, Christopher

Johnson, Karen Scarone, and John Banghart, Te echnical Specication or the Security Content

Automation Protocol (SCAP): SCAP Version 1.0, National Institute o Standards and echnology (http://csrc.nist.gov/publications/nistpubs/800-126/sp800-126.pd).


15/15

Forrester Research, Inc. (Nasdaq: FORR)

is an independent research company

that provides pragmatic and orward-

thinking advice to global leaders in

business and technology. Forrester

works with proessionals in 20 key roles

at major companies providing

proprietary research, customer insight,

consulting, events, and peer-to-peerexecutive programs. For more than 26

years, Forrester has been making IT,

marketing, and technology industry

leaders successul every day. For more

inormation, visit www.orrester.com.

Headquarters

Forrester Research, Inc.

400 Technology Square

Cambridge, MA 02139 USA

Tel: +1 617.613.6000

Fax: +1 617.613.5000

Email: [email protected]

Nasdaq symbol: FORR

www.orrester.com

M k g l e d e r s S c c e s s E v e r D

For inormation on hard-copy or electronic reprints, please contact Client Support

at +1 866.367.7378, +1 617.613.5730, or [email protected].

We oer quantity discounts and special pricing or academic and nonprot institutions.

For a complete list of worldwide locations

visit www.forrester.com/about.

Research and Sales Ofces

Forrester has research centers and sales ofces in more than 27 cities

internationally, including Amsterdam; Cambridge, Mass.; Dallas; Dubai;

Foster City, Cali.; Frankurt; London; Madrid; Sydney; Tel Aviv; and Toronto.
mailto:[email protected]:[email protected]://www.forrester.com/

The Forrester Wave Vulnerability Management

Documents

Transcript of The Forrester Wave Vulnerability Management