When you invest in a vulnerability management solution, you expect it to find known vulnerabilities and to be updated when new ones are discovered. When comparing how well different solutions detect known vulnerabilities, a good comparison metric is the extent of their CVE coverage. Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. Asking vulnerability management providers how extensive their CVE coverage is gives you an apples-to-apples comparison of how many vulnerabilities their products currently cover.
CVE is free to use and publicly available to anyone who wants to correlate data across different vulnerability or security tools, repositories and services. More information is available at https://cve.mitre.org/.
How providers update their solutions is an important area to explore. One of the benefits of cloud applications is that they can be updated automatically. It’s important to hear from your cloud vulnerability management provider how this process works and how you will be notified about updates. You might drill into this topic from two perspectives:
Rapid response: When a new vulnerability is identified, how does the vendor add detection for it to their solution, and how quickly does this typically happen? Look on their website for blog articles and/or web pages dedicated to recently publicized vulnerabilities.
Business-as-usual: For normal day-to-day updates and operations, how often does the vendor update the product with new features, how quickly are new IT assets supported, and how long are old IT assets supported?