Seven criteria for buying vulnerability management tools

Expert contributor Ed Tittel describes purchasing criteria for full-featured vulnerability management tools for small organizations to large enterprises.

Vulnerability management tools use scanners to discover and identify network-attached computers, firewalls and other devices -- as well as operating systems and applications -- and assess those entities for vulnerabilities. An initial scan establishes a baseline for an entire infrastructure, in small-scale environments, or for target areas, such as network segments in large-scale environments, and reveals vulnerabilities that must be fixed or patched, or simply tracked, depending on the level of risk they present. Subsequent scans expose new vulnerabilities and may be compared to the baseline to identify previously known low-risk vulnerabilities that have increased in priority.
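The baseline-versus-follow-up comparison described above can be reproduced outside the tool itself, which is useful when checking a vendor's delta reports during an evaluation. The following added example (not code from the article or any vendor) diffs two constructed scan exports keyed by host and finding ID, classifying each finding as new, resolved, escalated (its CVSS qualitative band rose) or still tracked; the hosts and CVE-0000-xxxx IDs are placeholders.

```python
# CVSS v3.x qualitative severity bands (None/Low/Medium/High/Critical).
def severity(cvss: float) -> str:
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"

RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def compare_scans(baseline, follow_up):
    """Diff two scan exports; each export is a list of findings keyed by (host, id).

    Returns sorted lists of keys: 'new' (not in baseline), 'resolved' (gone from
    follow-up), 'escalated' (severity band increased) and 'tracked' (unchanged or lower).
    """
    base = {(f["host"], f["id"]): f for f in baseline}
    curr = {(f["host"], f["id"]): f for f in follow_up}
    result = {"new": [], "resolved": [], "escalated": [], "tracked": []}
    for key, finding in curr.items():
        if key not in base:
            result["new"].append(key)
        elif RANK[severity(finding["cvss"])] > RANK[severity(base[key]["cvss"])]:
            result["escalated"].append(key)  # low-risk item that now needs priority
        else:
            result["tracked"].append(key)
    result["resolved"] = list(set(base) - set(curr))
    for bucket in result.values():
        bucket.sort()
    return result

# Constructed sample exports (placeholder hosts and finding IDs, not real data).
BASELINE = [
    {"host": "10.0.0.5", "id": "CVE-0000-0001", "cvss": 3.1},   # low, merely tracked
    {"host": "10.0.0.5", "id": "CVE-0000-0002", "cvss": 7.5},
    {"host": "10.0.0.9", "id": "CVE-0000-0003", "cvss": 5.0},
]
FOLLOW_UP = [
    {"host": "10.0.0.5", "id": "CVE-0000-0001", "cvss": 8.8},   # score revised upward
    {"host": "10.0.0.5", "id": "CVE-0000-0002", "cvss": 7.5},
    {"host": "10.0.0.12", "id": "CVE-0000-0004", "cvss": 9.8},  # newly discovered host
]

if __name__ == "__main__":
    for bucket, keys in compare_scans(BASELINE, FOLLOW_UP).items():
        print(f"{bucket:>9}: {keys}")
```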

Vendors offer vulnerability management tools as software-only, a physical or virtual appliance with management software, a cloud-hosted service or some combination of those options. For example, some cloud services may include appliances that are located on different parts of a network in large environments to run internal scans. The type of vulnerability management system organizations ultimately select will depend on many different factors, in addition to its physical or virtual footprint on-site.

Here is an overview of features and value-adds to consider when evaluating vulnerability management products.

Key features

Most vulnerability management tools share a common set of features, such as asset detection and identification, vulnerability detection, descriptions of vulnerabilities, links to information about patches, scripts and other remediation techniques, report generation from templates or custom settings, a central console -- usually Web-based -- and support for a range of operating systems. However, market-leading vulnerability management products perform many of these tasks more thoroughly and comprehensively, including some facilities for automating remediation, and provide easy-to-use dashboards and reports that streamline management for security administrators.

When evaluating vulnerability management tool vendors and their products, determine whether each tool can:

  • Perform automated scans and alerting;
  • Centrally manage scanners and agents;
  • Clearly identify vulnerability severity levels in dashboard displays and reports;
  • Track vulnerabilities over time, such as those deemed low- or moderate-risk;
  • Scan the network perimeter and internal network -- some Web-based scanners provide external perimeter scanning only;
  • Generate custom reports, including those that meet auditing or compliance requirements;
  • Use authentication -- administrative credentials -- for deeper scanning to gather information such as security configurations for systems and applications that is otherwise inaccessible with a standard scan; and
  • Automatically modify security controls to strengthen them, if needed.

A relatively easy way to test-drive a vulnerability management tool and compare it to others is to sign up for a demo that runs in the organization's own environment. All top-rated vendors offer demos of their products, and a demo should be part of the evaluation process.

Vulnerability signature updates

New vulnerabilities in IT systems and networks are discovered every day. Much like antivirus software, a vulnerability scanner must have current information on vulnerabilities to be effective. Some vendors rely on their own internal security teams and threat intelligence databases to continuously update vulnerability information for customers. Other vendors use only third parties, such as the MITRE Common Vulnerabilities and Exposures (CVE) database, the Open Source Vulnerability Database (OSVDB) and Common Vulnerability Scoring System (CVSS) scores, for vulnerability information, and push new signatures to customers immediately or on a scheduled basis.

When assessing vendors, find out how often vulnerability signatures are updated, the sources from which signatures are derived, and whether newer technologies like cloud infrastructures and mobile are included.

Ease of use

A vulnerability management tool must be easy to deploy and use, reliable, nonintrusive and safe -- that is, it poses few conflicts for an existing IT environment.

A product that is cumbersome to navigate or presents confusing dashboard information won't be used, at least not to its fullest potential. A vulnerability management tool that requires a lot of maintenance also becomes a problem for staff that's often already overburdened. And any product that causes even a moderate performance hit on network resources may quickly be abandoned or underused.

When evaluating vulnerability management tools, address these questions:

  • How much time is required to get the system up and running?
  • Are scanning policies preconfigured? What is required to customize policies?
  • Does the system require patches and backups? How often? (This is most often a concern regarding on-premises solutions; cloud solutions eliminate most of this work.)
  • Does the tool use agents or is it agentless? Some vulnerability management products provide agents for agent-based scanning but also run in agentless mode. Agents require more management effort but can also provide more comprehensive scanning and reporting.
  • Does the tool run nonintrusively?
  • Will network users experience diminished performance while a scan is underway?

Be aware that various vulnerability management products using default settings can produce different results in the same environment. The best way to evaluate these points is to thoroughly test these tools in the organization and pare down the choices when certain solutions fail to perform as well as required.

Support for cloud and mobile

Many organizations today, small and large, are delving into cloud solutions to supplement on-premises IT infrastructures due to ease of administration and predictable costs. Does the organization need a vulnerability management tool that scans cloud services, such as software as a service or infrastructure as a service? Not every vendor provides this functionality, so be sure to find out if the short list of vendors covers cloud environments.

Mobile also affects nearly every organization nowadays, considering the explosion of BYOD, wearables and Internet of Things. Because mobile devices often connect to business networks and are under attack much like servers and workstations, it's important that they are scanned and assessed for vulnerabilities as well. Some vendors integrate mobile device management systems or deploy endpoint agents that enable organizations to identify devices as assets and manage vulnerabilities through the vulnerability management solution.

Enterprise features

Because of the sheer size of enterprise infrastructures, which are often distributed among several locations, an enterprise customer has unique needs compared to its small to midsize business (SMB) cousins.

Enterprise IT evaluators should have vendors address the following questions when looking at vulnerability management tools:

  • Is the product highly scalable? In what way specifically?
  • Does it assess workflows?
  • Does the tool easily integrate with other security systems, such as security information and event management and intrusion detection systems? Some vendors provide application programming interfaces that enable these other systems to gather data from a vulnerability management system.
  • Does the tool provide automated trouble-ticketing and status?
  • Does it provide impact analysis and risk analysis?

Enterprises should also run a variety of reports when testing tools for vulnerability management to ensure they can provide relevant information to different staff members, such as senior execs and operations staff.

Pricing and licensing

Software-only vulnerability management tools and appliances -- physical or virtual -- require an upfront investment, and then an annual renewal or licensing fee that includes vulnerability updates and software upgrades. In some cases, it's possible to license an appliance as well.

Software-only products with flat rates start around $1,500 for the initial purchase, with an annual renewal fee of $1,200. Some vendors tier software pricing based on the number of hosts. For example, Tenable Nessus Manager starts at just under $3,000 for 128 hosts or $4,750 for 256 hosts. Preconfigured appliances vary in their upfront costs, starting at under $10,000 and climbing to over $20,000.

A cloud-hosted service is typically sold as an annual subscription that includes unlimited scanning. Cloud pricing is based on the number of users, IP addresses -- either active only or total scanned -- and/or agents deployed on network segments or endpoints.

Support and training

Part of the initial product evaluations should include a hard review of each vendor's support options. Look for vendors that offer 24/7 support, preferably by phone, and find out if customers can expect an immediate response or if escalated service incurs an additional fee.

Another important aspect is training. More advanced vulnerability management systems require training to get up to speed quickly, and training costs can account for a significant portion of start-up costs. Enterprises should find out if the vendors on their list include training as part of the product or service purchase and the costs involved, if applicable.

Although vulnerability management requirements of SMBs may differ somewhat from large enterprises, all organizations can benefit from a solid product of this type. Businesses should research which vendors offer the features their organization needs and how much they can expect to pay for that particular coverage.

Next Steps

In part one of this series, learn about the basics of vulnerability management tools

In part two of this series, read about the business case for vulnerability management
