SWOT analysis of vulnerability management vendors

Best Enterprise Vulnerability Management Product: Rapid 7 NeXpose

After reviewing the top players in my select list, it is my opinion that the vendor who is the most feature rich, low cost and safest deployment option currently available is the Rapid 7 appliance. Qualys is my second choice based on the same criteria and mostly due to my favoring onsite deployment. Finally with McAfee and they come in last for me mostly due to their lack of web and database scanning.
I just jotted down SWOT thoughts on the following vendors so if there are any corrections please send me them via my blog’s contact form.

Vendors I Selected for the SWOT

  • Rapid 7
  • Qualys
  • McAfee, Inc.

Rapid 7 – NeXpose

– Highly focused on just vulnerability management
– Quick deployment
– Fast customer adoption (high growth)
– Recent infusion of growth capital (VC funding)
– Enterprise ticketing integration
– Web application scanning
– Database scanning
– VMware capability
– Onsite deployment
– Low cost (depreciable)

– Small company
– Limited policy compliance functionality (ITGRC)
– Operations cost (management, power, rack space etc)
– Small research team
– Small support team

– Take greater market share as larger vendors lag
– Expansion to policy management (ITGRC)
– Expand distribution channel
– Integration with 3rd party blocking technology (web app firewalls)
– Integrate web app scanning ticketing to development bug tracking systems

– Company aquisition
– Alternative technologies are developed
– Large players address weaknesses

Qualys – QualysGuard Enterprise

– SaaS and cloud adoption increasing
– Web application security
– Database security
– Quick deployment
– Enterprise ticket integration
– Highly focused on vulnerability management

– SaaS only (high cost for onsite deployment option)
– High ongoing fees (non depreciable)
– Lower ROI due to continuous yearly subscription model
– Limited database scanning support

– Commitment to on site deployment option
– Reduce yearly subscription renewals to address ROI argument
– Move more towards SaaS based ITGRC platform
– Integrate web app scanning ticketing to development bug tracking systems

– ITGRC vendors expand to Vulnerability management space
– Smaller (more nimble companies) develop better functionality
– Larger players lower pricing further
– Larger players match SaaS offering

McAfee – McAfee Vulnerability Manager

– Large market share
– Countermeasure awareness
– Vmware option available
– Foundstone research heritage
– Instant new threat assessment reporting
– Onsite deployment option

– Limited web application scanning
– Limited database scanning
– Countermeasure awareness limitations (competitor products?)
– Console strategy unknown (epo?)
– Some functionality requires separate console

– SaaS expansion to include ticketing and policy compliance (ITGRC)
– Consolidate existing SaaS offerings under one single website console.
– Consolidate separately managed products into EPO (i.e. Vuln manager, Risk and compliance manager and remediation manager)

– Poor execution of consolidated console strategy
– Possibility of Acquisition
– Reduced revenue due to commoditization

Note:  The results of this analysis are not quantitative in nature and are only opinions of the author and no other associations, organizations or persons.


Edgeos managed security whitelabel service

Apparently Nessus has really hit the mainstream with this company (Edgeos) offering “managed” security to other security vendors that wish to provide managed scanning services. Interesting, but again kinda scary to host your vulnerability data off-site like that. Apparently hosting your vulnerability data is really catching on as lots of major companies seem to be doing it. Cloud based scanning services were also just released by Rapid7, a strong new vulnerability vendor that has been doing quite well to compete against Qualys and McAfeeSecure (aka Hackersafe).


Top 5 requirements for vulnerability management products

1. Web application security scanning
2. Enterprise (closed loop) helpdesk ticket integration
3. Breadth and coverage of vulnerabilities (active research).
4. Low cost & low maintenance
5. Single enterprise vulnerability management console


Trust and how it affects all of us

Have you ever wondered what affect trust has on our society? Recently I have been thinking about how in modern America we have transitioned from a very wholesome trusting society to one which is suspicious of everyone.


THEN: Speaking to an unknown party and saying hello was a common and accepted practice and welcomed.

NOW: saying hello to someone results in fear, many will ignore you or think you are insane or that you want something from them.

Isn’t it a sad state of affairs that we live this way? My advice, say “hello” sometime, it may be that one person you meet that opens possibilities you could have never imagined. Be a little paranoid but the real truth is most are not out to get you.



IBM Proventia gets egg on face…

It appears that once again a big behoemouth is sometimes difficult to work with in the latest vulnerabilities found in the IBM proventia product suite by Thierry Zoller, at times it even seems downright argumentative and the funny thing is that Thierry was just trying to help disclose the appropriate information to them so they could fix the problem.

Check the whittled down transcript provided by Theirry via SecurityFocus.com