
Vulnerability Management Buyer's Checklist - Key Questions to Ask Before You Select a VM Solution

White Paper Published By: Qualys

Choosing a solution for Vulnerability Management (VM) is a critical step toward protecting your organization’s network and data. Without proven, automated technology for precise detection and remediation, no network can withstand the daily onslaught of new vulnerabilities that threaten security.



Tags : 
qualys, vm solution, vulnerability management, saas, database security, network patching, vulnerability patching, networking

Qualys
Published:  Jan 07, 2009
Type:  White Paper
Length:  14 pages

VM BUYER'S CHECKLIST

Vulnerability Management Buyer's Checklist
Key Questions to Ask Before You Select a VM Solution
Vulnerability Management (VM) means systematically finding and eliminating network vulnerabilities. Choosing a solution for VM is a critical step toward protecting your organization's network and data. Without proven, automated technology for precise detection and remediation, no network can withstand the daily onslaught of new vulnerabilities that threaten security. To help finalize your decision on which solution to buy, Qualys provides this 12-point short list of considerations that will help you determine what will work best for your organization.

12 Key Decision Points
Architecture ... 1
Security ... 2
Scalability / Ease of Use ... 3
Accuracy / Performance ... 4
Discovery / Mapping ... 5
Scanning ... 6
Reporting ... 7
Remediation ... 9
Policy Compliance ... 10
Management ... 11
Cost ... 12
Solution Vendor ... 14

Architecture
How is the VM solution delivered?
Is there software or hardware that you need to install and maintain, or is software delivered as a service (SaaS) and simply requires logging in to your account via a web browser to start scanning? A system that requires you to manage installation, updates, hardware, database security, etc. ends up costing more than just the purchase price of the software, and may require additional manpower for ongoing operations.
Does the solution offer a graphical user interface?
Some offerings - particularly older, low-end or "no-cost" solutions - only have command line interfaces that can be tough to operate and have limited customization features (or access controls). Understand how the solution is delivered and test it before you buy it.
Do I have to run an agent on all my networked devices?
Software-based VM products may require you to install and update agents on every system to be scanned. Look for architecture that does not require an agent, or any other software to operate other than a standard, SSL-enabled web browser for accessing the interface.
Does the product require me to run a database?
Software-based VM products may require you to install and operate a database to house info for vulnerability management. The SaaS architecture does not carry that requirement.
Why should I consider using SaaS for VM?
For an application like VM, a SaaS solution makes more sense than software for most companies. It is easier to deploy and manage, is more flexible in supporting evolving business needs, has lower and more predictable costs, is scalable, does not lock you into a long-term license, is easier to use, and is more reliable.
Copyright © 2009, Qualys, Inc. All Rights Reserved. VM Buyer's Checklist - 2
Security
What is the security model used to protect the solution?
It's crucial that the VM solution itself be secure, especially since it houses critical data about the network's assets and potential vulnerabilities. With software-based solutions, you are responsible - and it can be a complex task to secure such systems and information. With a hosted, SaaS solution, the security is handled by the SaaS provider. Make sure the SaaS solution provides end-to-end security for sensitive vulnerability data and uses multiple standard proactive controls to protect all layers of the application.
How is the solution physically protected?
Make sure you understand this from your vendor. Again, traditional software-based solutions require you to do all of this work. By contrast, SaaS-based solutions handle this for you. For example, the QualysGuard service is run in Secure Operations Centers that successfully pass annual SAS70 Type II certifications. QualysGuard machines and racks are locked in a private vault requiring badge and biometric authentication for access. Physical access is restricted to designated Qualys employees, who undergo third-party reference and background checks, and sign a confidentiality agreement. It is secured behind a host-based firewall and a policy-driven file system and integrity checking system, plus an IDS architecture. Staff continuously monitor all systems and administer proper remediation and count...
