Tripwire has been in the business of providing vulnerability management solutions with IP360 for about 20 years. With over 20,000 vulnerabilities discovered last year alone, vulnerability management continues to be an important part of most security plans. And most organizations agree.
In a recent survey, 89 percent of respondents said that their organizations run vulnerability scans. About 60 percent said they run those scans daily or weekly, while 40 percent said they scan monthly, quarterly or less often. What was interesting was that only half of the respondents said they were doing authenticated scans.
Whether done using a remote scan or an agent, an authenticated scan gives you substantially more visibility than port or non-credentialed scans. This means that roughly half of organizations are not harnessing the power that a fully mature VM program can give them. Without visibility into what’s in their environment, organizations leave themselves open to substantially more risk.
In order to better understand why, we developed a Vulnerability Management Maturity Model to help us understand where organizations are with their vulnerability management programs and where they want to be. Then maybe we can find ways to help organizations get to where they want to be.
What is the Vulnerability Management Maturity Model?
The first maturity level is called “Undeveloped.” An organization at this level is either not doing any vulnerability scanning or is doing ad-hoc testing, usually some kind of penetration testing done by a third-party vendor that produces a report of the vulnerabilities found. Any critical vulnerabilities are probably remediated. Based on our survey, around 11 percent of organizations are at this level.
The second maturity level is called “Checkbox.” Vulnerability scanning is brought in-house and done on some kind of regular cadence. At this level, the driver behind the ...
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Rod Musser. Read the original post at: https://www.tripwire.com/state-of-security/vulnerability-management/power-vulnerability-management/