RBVM: Build or Buy?

With analysts from research firms stressing the importance of a risk-based approach to vulnerability management, the RBVM software market has grown significantly. The decision to build an in-house solution vs. buying a commercial product is complex. To help with this effort, here are the most relevant factors to consider.


Handling Prioritization

The different methods companies use to handle the prioritization of vulnerabilities exist on a spectrum. On one end are companies that don’t have the time, expertise, or inclination to go further than relying on the results of a vulnerability scanning tool. The scanner may provide a list of vulnerabilities prioritized by severity and prevalence, but it offers few ways to add outside information that would clarify the relative business importance of the affected assets.

On the other end of the spectrum are the companies that create their own internal tools or databases to account for more multifaceted information about assets than what their vulnerability scanners usually accommodate. Some of these organizations may also incorporate results from multiple scanners, as well as data from endpoint security solutions and firewalls.



Most companies take a hybrid approach that falls somewhere between these two positions. Regardless of where businesses fall on this spectrum, they will naturally have to make compromises. These adjustments illustrate where companies are resource-constrained, and what risks they’re willing to accept.


Choose Your Strategy

Businesses that rely more heavily on the results of basic scans may save time in creating their “to-do” list of vulnerabilities to be fixed, but they do so by shifting that burden onto the people who address the vulnerabilities. Lists that prioritize based on limited information may not take into account important details about an organization’s specific environment.

It’s not unexpected that the people tasked with repairing the problems may not have enough time to address everything on the list. Without a full picture of which vulnerabilities are most important to their specific environment, they may not make the best use of their limited time. As a result, the organization’s security debt may grow in unpredictable, sometimes catastrophic ways.

Businesses who create proprietary tools spend a significant amount of time providing context to prioritize their “to-do” list. This doesn’t necessarily mean they’ll have more time to fix problems that are unearthed. But the impact of their security debt can be managed so that if it grows, it does so at a slower and more predictable rate. This method also provides more visibility into the problem so that it can be brought to the attention of people with budgetary authority.

Companies will naturally have a varying amount of resources to put towards prioritization tasks. If they choose to rely on a basic scanner, they will need to allot more resources to the people who address vulnerabilities, in order to deal with a minimally targeted list. On the other hand, if an organization has more personnel and expertise in Security and Development, they may choose to devote those resources to creating a customized solution.


Challenges of Customization

Based on the evidence presented, it may seem as though a customized solution should be the goal to aspire to. While a nuanced approach is certainly desirable, even the choice to “roll your own” can be fraught with issues. The first (and possibly most thorny) issue is that the data your company has may first need to be cleansed in order to be useful, and regularly maintained to retain its value.

If multiple vulnerability scanners are used, it can be very difficult to correlate the data from those scanners so that you can be sure you’re comparing apples to apples. Asset lists also frequently require consolidation and deduplication to be useful. Context that comes from internal stakeholders about the importance of assets naturally tends to be rather subjective, where the given ratings may vary from one group to another. And data that is not kept up to date loses meaning very quickly.

Another problem companies face is that the authors of proprietary tools eventually retire or move on to other positions, taking their expertise with them. This often leads to the tool becoming less useful. These tools are usually created for very specific problems and are not designed with the flexibility to change as the environment and the business evolve.


A Purpose-built Tool

Of all the possibilities, the best option is to own a tool that is purpose-built to automate both the cleansing of data and robust prioritization of vulnerabilities on a continuous basis. NorthStar Navigator was built for this.

NorthStar Navigator accepts your own asset data from a wide variety of sources, including results from multiple vulnerability scanners. We aggregate, consolidate, correlate and deduplicate this data for you so that you don’t have to. The result of this data transformation is what we call SuperLists, which provide insights based on analysis of that data. Through the front-end UI, our product allows you to input as many attributes and fields as you need to define importance, and we calculate it based on that information. This gives you a more objective classification.
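To make the mechanics concrete, here is an added example (not NorthStar's code, and not from the original post) of the work described in the customization section and in the paragraph above: normalizing findings from two scanners with different field names and hostname formats, deduplicating them per asset, and weighting scanner severity by an importance score computed from several asset attributes rather than a single subjective rating. All scanner rows, asset attributes, weights and CVE identifiers are constructed placeholders.

```python
# Constructed sample output from two scanners. Field names and host formats differ,
# which is the "apples to apples" correlation problem described above.
SCANNER_A = [
    {"host": "WEB01.corp.example", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "db01.corp.example", "cve": "CVE-0000-0002", "cvss": 7.5},
]
SCANNER_B = [
    {"asset": "web01", "plugin_cve": "cve-0000-0001", "score": 9.8},  # same finding as in A
    {"asset": "kiosk7", "plugin_cve": "CVE-0000-0003", "score": 9.1},
]

# Constructed stakeholder-supplied attributes: the "fields that define importance".
ASSET_ATTRS = {
    "web01":  {"internet_facing": True,  "data_class": "pci",    "owner_rating": 3},
    "db01":   {"internet_facing": False, "data_class": "pci",    "owner_rating": 5},
    "kiosk7": {"internet_facing": False, "data_class": "public", "owner_rating": 4},
}
UNKNOWN_ASSET = {"internet_facing": False, "data_class": "public", "owner_rating": 1}
WEIGHTS = {"internet_facing": 3.0, "data_class": {"pci": 3.0, "internal": 2.0, "public": 1.0}}


def normalize_host(name):
    """Collapse hostname variants (case, FQDN suffix) into a single asset key."""
    return name.strip().lower().split(".")[0]


def ingest(findings, host_key, cve_key, score_key):
    """Yield (asset, CVE, severity) tuples from one scanner's row format."""
    for f in findings:
        yield normalize_host(f[host_key]), f[cve_key].upper(), float(f[score_key])


def importance(attrs):
    """Blend objective attributes with the owner's 1-5 rating, which is dampened to 0.6-1.0
    so one group's subjective score cannot dominate the objective factors."""
    score = WEIGHTS["internet_facing"] if attrs["internet_facing"] else 1.0
    score += WEIGHTS["data_class"][attrs["data_class"]]
    return score * (0.5 + attrs["owner_rating"] / 10)


def prioritize(sources, asset_attrs):
    """Deduplicate findings across scanners (keeping the highest severity) and rank by risk."""
    merged = {}
    for findings, keys in sources:
        for host, cve, cvss in ingest(findings, *keys):
            merged[(host, cve)] = max(cvss, merged.get((host, cve), 0.0))
    ranked = [{"asset": h, "cve": c, "cvss": s,
               "risk": round(s * importance(asset_attrs.get(h, UNKNOWN_ASSET)), 1)}
              for (h, c), s in merged.items()]
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)


SOURCES = [(SCANNER_A, ("host", "cve", "cvss")), (SCANNER_B, ("asset", "plugin_cve", "score"))]
```

Running `prioritize(SOURCES, ASSET_ATTRS)` collapses the four rows to three findings and ranks the internet-facing PCI host first; the kiosk's CVSS 9.1 finding lands last, below the CVSS 7.5 database finding, because the asset context outweighs raw severity.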

Organizations that are currently relying solely on basic vulnerability scans can now improve their to-do list so that they can focus on the biggest risks to their environment. And businesses that are creating their own tools or databases can save significant time in cleansing their data while also improving the longevity and functionality of their information.

Owning a tool that performs all of these tasks saves time and money. While you achieve the benefits of a nuanced approach to prioritization, you also get the simplicity of trusting a tool to do all of the heavy lifting.

To learn more about how risk-based vulnerability management can help you focus your remediation efforts on the vulnerabilities and assets that matter most, connect with our team: connect@northstar.io