What to Look for in a Cloud Vulnerability Management Solution

CVE Coverage

When you invest in a vulnerability management solution, you expect it to find known vulnerabilities and to be updated when new ones are discovered. When comparing how well solutions detect known vulnerabilities, a good metric is the amount of CVE coverage. Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. Asking vulnerability management providers about the extent of their CVE coverage is a good way to make an apples-to-apples comparison of how many vulnerabilities their products currently cover.

CVE is free to use and publicly available to anyone interested in correlating data between different vulnerability or security tools, repositories and services. More information is available at https://cve.mitre.org/.


How providers update their solutions is an important area to explore. One of the benefits of cloud applications is that they can be automatically updated. It’s important to hear from your cloud vulnerability management provider about how this process happens and how you’ll get notified about updates. You might drill into this topic from two perspectives: