8/4/2019 The Forrester Wave Vulnerability Management
1/15
Making Leaders Successful Every Day
July 15, 2010
The Forrester Wave: Vulnerability Management, Q2 2010
by Chenxi Wang, Ph.D.
For Security & Risk Professionals
http://www.forrester.com/
© 2010, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.
For Security & Risk Professionals
EXECUTIVE SUMMARY
In Forrester's 53-criteria evaluation of vulnerability management vendors, we found that the market is rife with mature products. Qualys led the pack because of its strong vulnerability assessment capability, forward-thinking strategy, and exceptional customer reviews. Rapid7, Lumension, McAfee, and nCircle are a notch down, but all turned in solid scores that landed them in the Leaders section. eEye Digital Security, Tenable Network Security, and Critical Watch are ranked as Strong Performers. These products may lack platform diversity, have slightly weaker application-level scanning capability, or do not support comprehensive policy compliance. However, all of the products we evaluated have mature vulnerability assessment functionality. Given this, IT security professionals should choose a vulnerability management product based on the more cutting-edge functionality, such as support for remediation and application-level scanning, rather than on traditional network and system vulnerability management functions.
TABLE OF CONTENTS
Vulnerability Management Is A Core Function For IT Security
Vulnerability Management Products Have Increasingly Broad Functionality
Vulnerability Management Vendor Evaluation Overview
  We Used Three Dimensions To Assess Vendors
  Our Evaluation Emphasized Comprehensive Capabilities
  Evaluated Vendors Render Mature Solutions
Vendor Profiles
  Leaders Offer Mature Solutions
  Strong Performers Provide Robust Technical Alternatives
  Other Notable Vendors Round Out The Vulnerability Management Space
Supplemental Material
NOTES & RESOURCES
Forrester conducted product evaluations between March and May 2010 and interviewed more than 20 vendor and user companies, including Critical Watch, eEye Digital Security, IBM, Lumension, McAfee, Perimeter eSecurity, Qualys, Rapid7, Secunia, and Tenable Network Security.
Related Research Documents
"Market Overview: Client Management Suites," July 29, 2009
"Market Overview: Security Information Management (SIM)," April 30, 2009
"Operationalizing Application Vulnerability Management," February 29, 2008
July 15, 2010
The Forrester Wave: Vulnerability Management, Q2 2010
Qualys Leads; Rapid7, nCircle, McAfee, And Lumension Follow
by Chenxi Wang, Ph.D.
with Stephanie Balaouras and Lindsey Coit
© 2010, Forrester Research, Inc. Reproduction Prohibited
VULNERABILITY MANAGEMENT IS A CORE FUNCTION FOR IT SECURITY
Vulnerability management, comprising vulnerability assessment, configuration compliance scanning, and remediation support, is an important IT security function. In Forrester's 2009 security survey, 42% of IT security professionals told us that they were fully responsible for vulnerability management, while another 29% said they were mostly responsible (see Figure 1).1
Forrester sees continued interest and a sustained level of investment in vulnerability management capabilities, because:
Threats do not let up. Attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to dominate headlines. Statistics from Microsoft bulletins and the National Vulnerability Database (NVD) suggest that the time it takes to release new exploits for a known vulnerability has decreased significantly in the past five years. This shrinking window between disclosure and exploit leaves more and more systems exposed to attack.
Regulations demand it. Many government and industry regulations, such as PCI and Sarbanes-Oxley (SOX), mandate rigorous vulnerability management practices.2 Insight into an organization's vulnerabilities is key to a proactive understanding of one's infrastructure risks. As a result, regulatory requirements will continue to drive demand for vulnerability management technologies.
Mature organizations treat it as a key risk management component. Organizations that follow mature IT security principles understand the importance of risk management. Vulnerability assessment and management is an essential piece of managing overall IT risk. Beyond an established vulnerability management practice, a mature organization should employ advanced analytics and perform vulnerability trending and remediation tracking to further control and manage its infrastructure risks.
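As an added example that is not part of the Forrester report, the following Python shows one way to implement the vulnerability trending and remediation tracking described above: diffing consecutive scan snapshots to count new, fixed and persistent findings, computing time to remediate for each finding that disappears, and flagging open findings that have exceeded a severity-based remediation SLA. The hosts, vulnerability ids (V1 to V4), scan dates and SLA thresholds are constructed placeholders, not data from the report or from any vendor's product.

```python
"""Vulnerability trending and remediation tracking across scan snapshots.

Added example, not from the Forrester report. It assumes a scanner export
reduced to (host, vulnerability id, severity) tuples per scan; the hosts,
ids (V1..V4), dates and SLA thresholds below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # scanner-specific id or CVE id; placeholders here
    severity: str     # "high", "medium" or "low"


# Assumed remediation SLA in days per severity: a policy choice, not from the report.
SLA_DAYS = {"high": 30, "medium": 90, "low": 180}

# Constructed sample: three scans of the same estate, in chronological order.
A = Finding("web1", "V1", "high")
B = Finding("web1", "V2", "medium")
C = Finding("db1", "V3", "low")
D = Finding("db1", "V4", "high")
E = Finding("web2", "V2", "medium")
SAMPLE_SCANS = [
    (date(2010, 3, 1), {A, B, C}),
    (date(2010, 4, 1), {A, C, D}),      # B remediated, D newly found
    (date(2010, 6, 1), {A, D, E}),      # C remediated, E newly found
]
AS_OF = date(2010, 6, 15)               # reporting date for the SLA check


def track(scans):
    """Diff consecutive scans.

    Returns (trend, ttr_days, open_findings):
      trend          per-scan counts of new / fixed / persistent / open findings
      ttr_days       time-to-remediate, in days, for every finding that disappeared
      open_findings  {Finding: date first seen} still present after the last scan
    A finding counts as fixed in the first scan that no longer reports it; if it
    reappears later it is counted as new again with a fresh first-seen date.
    """
    first_seen = {}
    ttr_days = []
    trend = []
    prev = set()
    for scan_date, findings in scans:
        new = findings - prev
        fixed = prev - findings
        for f in new:
            first_seen[f] = scan_date
        for f in fixed:
            ttr_days.append((scan_date - first_seen.pop(f)).days)
        trend.append({"date": scan_date, "new": len(new), "fixed": len(fixed),
                      "persistent": len(findings & prev), "open": len(findings)})
        prev = findings
    return trend, ttr_days, first_seen


def sla_breaches(open_findings, as_of):
    """Open findings older than the SLA for their severity, worst first.
    Unknown severities are treated as low so nothing silently drops out."""
    order = {"high": 0, "medium": 1, "low": 2}
    breaches = [f for f, seen in open_findings.items()
                if (as_of - seen).days > SLA_DAYS.get(f.severity, SLA_DAYS["low"])]
    return sorted(breaches, key=lambda f: (order.get(f.severity, 3), f.host, f.vuln_id))


def mean_ttr(ttr_days):
    """Mean time to remediate; None when nothing has been fixed yet."""
    return mean(ttr_days) if ttr_days else None


if __name__ == "__main__":
    trend, ttr, open_f = track(SAMPLE_SCANS)
    for row in trend:
        print(f"{row['date']}: new={row['new']} fixed={row['fixed']} "
              f"persistent={row['persistent']} open={row['open']}")
    print("mean time to remediate (days):", mean_ttr(ttr))
    for f in sla_breaches(open_f, AS_OF):
        print(f"SLA breach: {f.host} {f.vuln_id} ({f.severity}), "
              f"open {(AS_OF - open_f[f]).days} days")
```

The diff is keyed on the (host, vulnerability id, severity) tuple, so a scanner that renumbers its own check ids between content updates will show spurious fixes and re-discoveries; normalize to a stable identifier (a CVE id where one exists) before diffing. A finding that vanishes only because its host was unreachable during a scan would also be counted as remediated, so in practice hosts missing from a scan should be tracked separately rather than treated as clean.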
Figure 1 IT Security Professionals Are Responsible For Vulnerability Management
"To what extent is your firm's IT security group responsible for threat and vulnerability management?"
                                          Count      %
Security is fully responsible               400    42%
Security is mostly responsible              281    29%
Security is about half responsible          168    18%
Security is slightly responsible             70     7%
Security is not at all responsible           24     3%
Don't know/does not apply                    10     1%
Base: 953 North American and European IT security decision-makers
Source: Enterprise And SMB Security Survey, North America And Europe, Q3 2009
Source: Forrester Research, Inc. (document 56932)
Vulnerability Management Products Have Increasingly Broad Functionality
Vulnerability management products started out delivering pure network vulnerability assessment functionality. As the market matures, many vendors are looking to adjacent technology areas for additional growth. This has led to a number of market shifts, including:
Both vulnerability assessment and endpoint configuration compliance are considered core functionality. Almost every vulnerability management product today offers both. Some provide comprehensive mapping from a wide variety of regulations to specific vulnerability management and configuration controls.
Application-level scanning capabilities are now table stakes. Application-level scanning, targeting Web applications and databases, is becoming a must-have item in RFPs for vulnerability management products. While some buyers are happy to procure pure-play application scanners, many customers look to a single vendor to provide consolidated vulnerability scanning capability and reports across network/system and applications.
Remediation and security analytics are fast becoming the newest differentiators. As IT security organizations mature, buyers start to shift from assessment-only capabilities to advanced risk-based analytics and remediation management; both are somewhat newer functionalities for vulnerability management products.
VULNERABILITY MANAGEMENT VENDOR EVALUATION OVERVIEW
To assess the state of the vulnerability management market and see how the vendors stack up against each other, Forrester evaluated the strengths and weaknesses of top vulnerability management vendors.
We Used Three Dimensions To Assess Vendors
After examining past research, user need assessments, and vendor and expert interviews, we developed a comprehensive set of evaluation criteria. We evaluated vendors against 53 criteria, which we grouped into three high-level buckets:
Current offering. We analyzed the vendors' capability on vulnerability assessment, both at the network/system level and at the application level; configuration compliance assessment; and any remediation capabilities (or support for remediation). We also looked at features such as reporting, performance, mode of delivery, and support for risk management.
Strategy. Our analysis of each vendor's strategy included an assessment of the high-level company strategy, near-term product road map, and the company's plan for a partner ecosystem. In terms of company strategy, we looked at the vendor's vision and its value proposition, how well it is executing this vision and delivering on the value proposition, and whether the strategy demonstrates industry thought leadership.
Market presence. We used traditional metrics, such as vendor revenues and customer numbers, to evaluate a vendor's market presence. Because this technology is often delivered via managed security services, we added criteria to measure each vendor's indirect customers from managed security services provider (MSSP) partners.
Our Evaluation Emphasized Comprehensive Capabilities
Forrester included eight vendors in the Forrester Wave assessment: Critical Watch, eEye Digital Security, Lumension, McAfee, nCircle, Qualys, Rapid7, and Tenable Network Security. Each of these vendors has (see Figure 2):
Both vulnerability and configuration compliance assessment capabilities. Today's user organizations value vulnerability assessment as well as configuration scanning. Therefore, we consider both of these functions core to vulnerability management.
Support for remediation. The product must either possess native remediation capability or offer tight integration with third-party remediation products.
Significant market presence or notable growth. We focused on vendors that either have a notable market presence, evidenced by the number of customers or revenues, or ones that are up-and-coming with strong growth numbers.
We decided to focus our scope of evaluation on vulnerability assessment and configuration auditing products. Hence, we did not invite any pure-play Web application scanners, such as IBM and HP, or any vulnerability intelligence vendors, such as Symantec or 3Com, to participate in this evaluation.
EVALUATED VENDORS RENDER MATURE SOLUTIONS
The evaluation uncovered a market in which many mature solutions exist (see Figure 3):
Qualys leads the pack. Qualys leads on its strategy as well as its execution. Not only did Qualys pioneer the SaaS hybrid model for vulnerability assessment, but today it is the largest vulnerability management vendor in terms of revenues. Its configuration compliance assessment functionality, also delivered via Qualys' in-the-cloud multitenant architecture, has since matured and is one of the most advanced in the market.
Rapid7, Lumension, McAfee, and nCircle offer competitive options. These four vendors are a notch down from Qualys, but each offers strong vulnerability management functionality in one aspect or another. Lumension has the strongest strategy/vision due to its portfolio of endpoint remediation products, such as PatchLink. Straddling both assessment and remediation gives customers a one-stop shop for vulnerability management capabilities. Rapid7 receives
excellent scores for both its technologies and its risk-oriented strategy. nCircle's comprehensive functionality portfolio for vulnerability assessment and configuration compliance earned it a nod in the Leaders category. McAfee is an established vendor in this space, and its mature risk-based strategy is a unique differentiator.
eEye Digital Security, Tenable Network Security, and Critical Watch trail behind. eEye has a solid vulnerability assessment product, but it is a bit weaker on application-level scanning and support for configuration compliance. Tenable's product has excellent technical functionality but lacks comprehensive enterprise support features. Critical Watch is the newcomer to the space. Its integration with TippingPoint is interesting, but the product doesn't have comprehensive platform support, and the company's long-term strategy lacks clear differentiation.
This evaluation of the vulnerability management market is intended to be a starting point only. We encourage readers to view detailed product evaluation spreadsheets and adapt the criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool.
Figure 2 Evaluated Providers: Vendor Information And Selection Criteria
Vendor                      Product evaluated                                   Version   Date evaluated
Critical Watch              FusionVM                                            4.4.26    Q1 2010
eEye Digital Security       Retina CS                                           1.1.0     Q1 2010
                            Retina Network Security Scanner                     5.11.1    Q1 2010
Lumension Security          Lumension EndPoint Management and Security Suite    7.0       Q1 2010
McAfee                      Foundstone McAfee Vulnerability Manager             6.8       Q1 2010
nCircle                     nCircle Suite360                                    N/A       Q1 2010
Qualys                      QualysGuard IT Security and Compliance Suite        6.10      Q1 2010
Rapid7                      NeXpose Enterprise                                  4.8.0     Q1 2010
Tenable Network Security    Tenable Unified Security Monitoring                 N/A       Q1 2010
Vendor selection criteria:
Both vulnerability and configuration compliance assessment capabilities
Support for remediation
Significant market presence or notable growth
Source: Forrester Research, Inc.
Figure 3 Forrester Wave: Vulnerability Management, Q2 '10
[Forrester Wave graphic: horizontal axis Strategy (weak to strong); vertical axis Current offering (weak to strong); bubble size indicates Market presence. Segments from left to right: Risky Bets, Contenders, Strong Performers, Leaders. Vendors plotted: Critical Watch, eEye Digital Security, Lumension, McAfee, nCircle, Qualys, Rapid7, Tenable Network Security.]
Go online to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings.
Source: Forrester Research, Inc.
Figure 3 Forrester Wave: Vulnerability Management, Q2 '10 (Cont.)
Scores by criterion (Forrester's weighting in the second column; sub-criteria weights are within their category). CW = Critical Watch, Lum = Lumension Security, Ten = Tenable Network Security.

Criterion                                                  Weight   CW     eEye   McAfee   Lum    nCircle   Qualys   Rapid7   Ten
CURRENT OFFERING                                           50%      2.99   3.31   3.73     3.47   3.98      3.92     3.87     3.83
  Vulnerability assessment on the network/system level     25%      3.73   3.40   3.99     3.19   4.19      3.74     3.85     4.50
  Application-level vulnerability management               15%      1.90   2.90   1.60     2.10   3.80      3.80     5.00     3.90
  Compliance                                               25%      2.10   3.30   4.70     4.00   4.10      4.40     3.10     4.20
  Take to market                                            5%      4.10   3.00   3.00     1.90   3.00      3.90     4.10     1.10
  Remediation and integration with related functionality   8%      2.35   2.95   3.95     4.60   4.15      3.40     3.60     1.40
  Administration and reporting                              8%      4.00   3.60   4.30     4.40   4.20      3.10     3.80     3.70
  Performance and operations                                8%      3.45   3.85   3.35     4.05   3.50      4.05     4.10     4.35
  Customer reference feedback                               6%      4.33   3.66   3.99     3.67   4.00      4.67     4.33     4.34
STRATEGY                                                   50%      2.59   3.34   3.52     4.03   3.34      4.24     3.76     2.23
  Product strategy                                         70%      2.70   3.20   3.75     3.75   3.20      4.20     3.95     3.05
  Partner strategy                                         30%      2.34   3.66   2.97     4.67   3.66      4.32     3.33     0.33
MARKET PRESENCE                                             0%      2.45   3.45   3.45     2.80   3.25      3.93     3.45     3.53
  Customer base                                            50%      2.70   4.50   3.50     3.00   3.50      3.65     3.70     3.25
  Revenues                                                 50%      2.20   2.40   3.40     2.60   3.00      4.20     3.20     3.80

All scores are based on a scale of 0 (weak) to 5 (strong). Market presence carries a 0% weighting in the overall score and is shown as bubble size in the graphic.
Source: Forrester Research, Inc.

VENDOR PROFILES
Leaders Offer Mature Solutions
Qualys leads in market share and innovation. Qualys is the clear leader in this evaluation. Qualys pioneered the SaaS hybrid delivery model of vulnerability management: Fully managed scanner appliances are deployed on-premise, and the security console is hosted, in a multitenant fashion, in the Qualys cloud to drive scans, conduct analysis, and produce reports. Once viewed as radical, this service model now counts some of the largest organizations in the world as customers. Today, the QualysGuard cloud delivers vulnerability assessment, application-level scanning, and configuration compliance auditing, all from a centralized multitenant architecture. This architecture helps to deliver scalability and consolidated reporting. Qualys is also one of the few vendors in this evaluation that has a full-featured configuration compliance module that provides concrete mappings from a wide list of regulations to actual IT controls. Qualys has an extensive ecosystem of partners and is rounding out its service offerings by adding a variety of new services, including malware scanning and the Qualys Go Secure trust seal. The company surpassed the $50 million mark in 2009, making it the largest market shareholder in the vulnerability management sector. As one IT security director we interviewed said, "While other products can be too expensive or too niche, it is hard to go wrong with Qualys." Who should buy Qualys? All but the most conservative organizations.
Rapid7 exhibits strong growth and clarity of vision. Rapid7 is the up-and-coming vendor in this evaluation. The company experienced a dramatic surge in business in the past two years, rendering an impressive 50%-plus year-over-year growth. Rapid7 receives solid scores for its fundamental technology, which is built on top of an expert system that helps to deliver analysis accuracy. Rapid7 also leads on its strong application scanning capability: it is the only vendor in this evaluation whose scanning capabilities can handle Ajax and Web 2.0 technologies. Rapid7 delivers its functionality via a consolidated scanning and analysis architecture, which promises deployment efficiency and simplicity. The acquisition of Metasploit also helps to strengthen Rapid7's risk analytics and adds a penetration testing tool to its portfolio. The company has an ambitious vision: delivering unified vulnerability management across network, applications, and databases, with meaningful risk analytics. To execute this vision, Rapid7 needs to expand its policy compliance capability and strengthen its support for remediation. Today, Rapid7 is still a small company with revenues south of $20 million. But the company recently signed OEM deals with two of the largest security and service vendors in the industry. These partnerships will undoubtedly provide a further boost to the company's position in the market. Who should buy Rapid7? Organizations that seek a consolidated solution for network, system, and application-level vulnerability management.
nCircle has a comprehensive vulnerability auditing portfolio. nCircle's vision is clear and well defined: to be the leader in vulnerability and configuration compliance auditing. To this end, the company has amassed one of the broadest capability portfolios in vulnerability auditing. In particular, nCircle's configuration compliance product is among the most sophisticated on the market today, and its topology analyzer is unique among vulnerability management vendors. Customers also reported positive reviews for its core vulnerability scanning product, IP360. For these reasons, nCircle received one of the highest current offering scores. However, some of nCircle's functionality came via acquisitions, and as a result, its vulnerability assessment product, IP360, its configuration compliance product, CCM, and its analytics product, the Suite360 Intelligence Hub, all have disparate code bases, and there exists only sparse integration among the three. IP360 and CCM manage separate scanners, consoles, and databases. The Intelligence Hub, which pulls data from both IP360 and CCM, provides yet another management console and another database. Customers we interviewed reported a certain level of deployment complexity and challenges with nCircle's suite of products. Customers have also reported occasional accuracy problems with the company's Web application scanner. To eclipse its competition, nCircle needs to eliminate the architectural redundancy between its various modules, strengthen its application scanning capabilities, and further develop its value proposition for the Suite360 Intelligence Hub. Who should buy nCircle? Enterprises that have advanced compliance and risk analytics needs.
McAfee delivers strong risk management capabilities. McAfee/Foundstone is an established vulnerability management vendor. Foundstone championed many early-day innovations in this space. The McAfee Vulnerability Manager (MVM) product today boasts one of the most UI-conscious interface designs and solid support for translating vulnerability knowledge into meaningful risk metrics. In addition, MVM's integration with McAfee ePolicy Orchestrator (ePO) is a nice feature and proves valuable to many ePO users. However, the product itself needs a bit of a tune-up: Customers we interviewed mentioned occasional accuracy problems with their scanners, and the company's scan-based reporting is cumbersome to use. At the close of this evaluation (March 31, 2010), McAfee had little in the way of application scanning capability. However, McAfee has alluded to the imminent release of new functionality to cover this void; prospective customers should investigate whether McAfee's new application scanner will suit their needs. Who should buy McAfee? Organizations with a mature risk management strategy and those that drive IT efficiency with ePO. Existing MVM customers who have a need to manage application-level vulnerabilities should also track McAfee's upcoming product releases.
Lumension has a unique product portfolio to deliver an end-to-end vision. Lumension is the only vendor in this evaluation that has its own endpoint patch management functionality, Lumension Patch and Remediation (formerly PatchLink), and its own GRC product, Lumension Risk Management. Unlike the other vendors that may have a focus on assessment, Lumension's value proposition is much broader: instead of dealing with separate consoles for assessment, remediation, and compliance, Lumension aims to deliver a consolidated platform to manage the life cycle of vulnerabilities from discovery to remediation to analytics. While this vision is unique, Lumension's vulnerability scanning product is clearly designed for technologists, with very few extra bells and whistles. When used as a standalone product, it's not quite on par with its competition. Lumension's configuration compliance product, however, has much more sophisticated analytics and reporting capabilities. Compared with the other products, Lumension's strategies have a decidedly endpoint focus. Because of the expanse of its product portfolio, Lumension has a great deal of potential to challenge the top players in the vulnerability management market. Presently, however, the company should work on streamlining its various products to drive toward a consolidated platform as well as continue to invest in the research and development of its vulnerability assessment product. Who should buy Lumension? Organizations with a focus on a consolidated assessment and remediation strategy.
Strong Performers Provide Robust Technical Alternatives
Tenable Network Security has a strong technology offering. Tenable is the producer of the once-open-source Nessus vulnerability scanner. Tenable's portfolio, including the Passive Vulnerability Scanner (PVS) and the Log Correlation Engine (LCE), renders strong vulnerability assessment capabilities. Many technologists we interviewed like what Tenable has to offer. What Tenable lacks are enterprise support features, such as executive reporting, advanced risk analytics, and integration with related products. Who should buy Tenable? Technology-minded buyers.
eEye Digital Security is evolving its product portfolio. With a new management team in place, eEye is overhauling its products. eEye's vulnerability assessment product, Retina, has many desirable features, such as wireless scanning, diverse scan templates, and an extremely flexible reporting portal. The product is also attractively priced. eEye has a separate government-facing product, appropriately named Retina.GOV, which has specific SCAP-related functionality.3 eEye's endpoint agent executes protection actions, such as application whitelisting, device control, and local scanning. eEye's high-level vision is similar to that of Lumension: take the full life-cycle approach to vulnerability management. The value proposition of eEye's endpoint capabilities, however, is not as clearly defined. eEye needs to leverage its strength, the vulnerability assessment product, and work on a few enhancements, including increasing the flexibility of the product, strengthening application-level scanning, and enhancing policy compliance. Who should buy eEye? Government clients, value-conscious organizations, and technology-minded buyers.
Critical Watch offers interesting new capabilities. Critical Watch's FusionVM product has a number of distinct and innovative features, including the CEM structure that provides a flexible yet powerful organizational framework for managing scans, reports, and analysis. A key part of Critical Watch's positioning centers on its integration with TippingPoint's firewall product, which allows FusionVM a deeper insight into mitigation controls. Critical Watch has a relatively small market share, but the company has garnered a respectable customer base and has shown steady growth for the past two years. In terms of technology, what Critical Watch needs to work on is its breadth of platform support, application scanning capabilities, and support for endpoint remediation. In terms of company strategy, Critical Watch needs to expand the reach of its partner network and strive for a clearer value differentiation against its competitors. Who should buy Critical Watch? Organizations that have diverse reporting needs and value-conscious large enterprises.
Other Notable Vendors Round Out The Vulnerability Management Space
Before narrowing our evaluation to eight vendors, we studied a broader set of vendors, including vendors that fit squarely in the vulnerability management space and those that offer closely related functionality. For this evaluation, we chose to focus on vendors with a broad vulnerability management technology solution and those with a sizable market presence. A vendor's absence from this evaluation doesn't constitute any judgment as to the vendor's capabilities or viability. Generally speaking, other products worth noting fall into these loosely defined categories:
Vulnerability assessment. Other vendors in this space include Digital Defense, Perimeter E-Security, RandomStorm, Secunia, Trustwave, and IBM. These vendors either fail to meet the inclusion criteria or were omitted in favor of a vendor with a more significant market presence. IBM, in particular, is both a vulnerability management technology vendor and a significant
managed security service provider. IBM/ISS is traditionally an innovator in this space. However, at the time of evaluation, IBM was in the process of refreshing and upgrading its vulnerability management portfolio and will launch a new offering in Q3 2010. Because of the timing, it became difficult to include IBM in this evaluation. For that reason alone, IBM is not one of the vendors included in this Forrester Wave.
Vulnerability intelligence. Vulnerability assessment technologies must update their knowledge of vulnerabilities to stay current, as new vulnerabilities surface constantly. Companies that provide vulnerability intelligence services include Symantec, Secunia, VeriSign, and 3Com. These vendors were not included in the evaluation because vulnerability intelligence, albeit important, is not the focus of this study.
Penetration testing and emulation. Penetration testing or emulation products utilize the knowledge of existing vulnerabilities and demonstrate actual or virtual exploitation. With penetration testing or emulation, one can much more accurately assess the severity of certain vulnerabilities. Core Security Technologies and Metasploit (now a Rapid7 company) both provide automated penetration testing technologies. Core Security and Metasploit can leverage the output of a vulnerability scanner to craft a specific penetration test, and in turn, they may discover new vulnerabilities that are otherwise hidden from regular scanners. RedSeal Systems and Skybox Security, on the other hand, offer penetration emulation without actual tests on the system.
Remediation. Endpoint patch management and configuration management products sit in this category. Remediation technologies must work hand-in-hand with assessment technologies to effect mitigation changes. Example products in this category include BigFix, IBM/Tivoli, McAfee, LANDesk Software, Shavlik Technologies, Symantec, and Trend Micro.
Web application scanners. We made a conscious decision not to include pure-play Web application scanners because the technologies are very different. Vendors that have offerings in this space include Acunetix, Cenzic, HP (WebInspect), IBM (AppScan), and WhiteHat Security.
Managed security service providers. We did not include any MSSPs in this evaluation, but MSSPs play an important role in this space, and their involvement will be increasingly critical as more and more organizations procure vulnerability management functionality from MSSPs. Many MSSPs resell vulnerability management technologies and provide additional value-added services. Notable ones include IBM, Verizon Business, and SecureWorks.
SUPPLEMENTAL MATERIAL
Online Resource
The online version of Figure 3 is an Excel-based vendor comparison tool that provides detailed product evaluations and customizable rankings.
Data Sources Used In This Forrester Wave
Forrester used a combination of three data sources to assess the strengths and weaknesses of each solution:
Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where necessary to gather details of vendor qualifications.
Product demos. We asked vendors to conduct demonstrations of their products' functionality. We used findings from these product demos to validate details of each vendor's product capabilities.
Customer reference calls. To validate product and vendor qualifications, Forrester also conducted reference calls with each vendor's customer references as well as other customers that we reached out to for reference information.
The Forrester Wave Methodology
We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don't fit the scope of our evaluation.
After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.
We set default weightings to reflect our analysis of the needs of large user companies and/or other scenarios as outlined in the Forrester Wave document and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve.
ENDNOTES
1 Source: Enterprise And SMB Security Survey, North America And Europe, Q3 2009.
2 PCI DSS has specific provisions for organizations to maintain an active vulnerability management program. Source: PCI Security Standards Council (https://www.pcisecuritystandards.org/).
3 SCAP refers to the Security Content Automation Protocol. SCAP is a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information. SCAP is a multipurpose protocol that supports automated vulnerability and patch checking, technical control compliance activities, and security measurements. Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content. The technical specification of SCAP is spearheaded by NIST. Source: Stephen Quinn, David Waltermire, Christopher Johnson, Karen Scarfone, and John Banghart, "The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0," National Institute of Standards and Technology (http://csrc.nist.gov/publications/nistpubs/800-126/sp800-126.pdf).
Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 20 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 26 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com.
Headquarters
Forrester Research, Inc.
400 Technology Square
Cambridge, MA 02139 USA
Tel: +1 617.613.6000
Fax: +1 617.613.5000
Email: [email protected]
Nasdaq symbol: FORR
www.forrester.com
Making Leaders Successful Every Day
For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.
For a complete list of worldwide locations visit www.forrester.com/about.
Research and Sales Offices
Forrester has research centers and sales offices in more than 27 cities internationally, including Amsterdam; Cambridge, Mass.; Dallas; Dubai; Foster City, Calif.; Frankfurt; London; Madrid; Sydney; Tel Aviv; and Toronto.