Vulnerability Management

Created: 2025-12-04 15:45
#note

Vulnerability management is the continuous process of identifying, classifying, prioritizing, remediating, and mitigating security vulnerabilities across an organization's IT infrastructure and applications. It's a critical ongoing activity in the Secure SDLC operations and maintenance phase that bridges the gap between vulnerability discovery and risk reduction.

Overview

While tools like Static Code Analysis, Third-Party Dependency Scanning, and Penetration Testing identify vulnerabilities, vulnerability management is the holistic process of handling these findings throughout their lifecycle. It ensures that vulnerabilities don't just get discovered—they get fixed or appropriately mitigated based on risk.

Vulnerability Management Lifecycle

1. Discovery and Identification

Finding vulnerabilities through multiple sources:

Static Code Analysis findings
Third-Party Dependency Scanning results
Penetration Testing reports
Vulnerability scanners (Nessus, Qualys, Rapid7)
Security advisories and CVE notifications
Bug bounty program submissions
Security Monitoring detections
Security research and threat intelligence

2. Classification and Assessment

Understanding the nature of vulnerabilities:

CVE (Common Vulnerabilities and Exposures) identification
CWE (Common Weakness Enumeration) categorization
CVSS (Common Vulnerability Scoring System) scoring
Vulnerability type classification (injection, XSS, misconfiguration, etc.)
Affected systems and applications inventory

3. Prioritization

Risk-based prioritization considering:

Severity: CVSS base score (Critical, High, Medium, Low)
Exploitability: Is there a public exploit? Is it being actively exploited?
Asset Criticality: How important is the affected system?
Exposure: Is it on the internet-facing attack surface?
Data Sensitivity: Does it protect sensitive data?
Compensating Controls: Are there mitigating security controls?
Business Context: Impact on business operations
Threat Intelligence: Active threats targeting this vulnerability

4. Remediation

Fixing or mitigating vulnerabilities:

Patch: Apply vendor-provided patches (Patch Management)
Update: Upgrade to a fixed version
Configuration Change: Adjust settings to eliminate vulnerability
Code Fix: Modify application code
Remove: Eliminate vulnerable component if not needed
Compensating Control: Add security controls when fix isn't immediately possible

5. Verification

Confirming vulnerabilities are resolved:

Rescan with vulnerability scanners
Manual testing or Penetration Testing
Code review for application fixes
Configuration validation
Update vulnerability tracking system

6. Reporting and Documentation

Maintaining records and metrics:

Vulnerability inventory and status
Time to remediation metrics
Trends and patterns
Compliance reporting
Risk acceptance documentation
Lessons learned

Prioritization Frameworks

CVSS (Common Vulnerability Scoring System)

Standard framework with scores 0-10:

Base Score: Intrinsic vulnerability characteristics
Temporal Score: Time-sensitive factors (exploit availability)
Environmental Score: Organization-specific factors

CVSS v3.1 Severity Ratings

Critical: 9.0-10.0
High: 7.0-8.9
Medium: 4.0-6.9
Low: 0.1-3.9

EPSS (Exploit Prediction Scoring System)

Predicts likelihood of exploitation:

Machine learning model
Based on real-world exploitation data
Complements CVSS
Helps prioritize patching efforts

SSVC (Stakeholder-Specific Vulnerability Categorization)

Decision tree approach:

Exploitation status
Technical impact
Automatable exploitation
Mission impact

Risk-Based Prioritization

Custom scoring considering:

Vulnerability severity (CVSS)
Asset criticality
Threat intelligence
Business impact
Exposure level
Compliance requirements

Remediation SLAs

Define time-to-fix targets based on severity:

Example SLA Framework

Critical: 7 days
High: 30 days
Medium: 90 days
Low: 180 days or next maintenance window

Factors Affecting SLAs

Asset location (internet-facing vs internal)
Data sensitivity
Active exploitation in the wild
Availability of patches
Change management constraints
Business impact of downtime

Vulnerability Tracking

Essential Information

Unique identifier (internal ID + CVE if applicable)
Discovery date and source
Affected assets and applications
Severity and risk score
Status (New, In Progress, Remediated, Accepted, etc.)
Assigned owner
Remediation plan
Target remediation date
Verification method
Notes and comments

Status Workflow

New/Open: Recently discovered
Triaged: Assessed and prioritized
In Progress: Remediation underway
Pending Verification: Fix deployed, awaiting confirmation
Verified: Fix confirmed effective
Closed: Successfully remediated
Risk Accepted: Decision made not to fix
False Positive: Not actually a vulnerability

Risk Acceptance

Sometimes vulnerabilities cannot or should not be fixed immediately:

Valid Reasons for Acceptance

Extremely low likelihood of exploitation
Extensive compensating controls in place
Cost of remediation exceeds risk
System being decommissioned soon
Business-critical system that can't be taken offline
No fix available from vendor

Risk Acceptance Process

Formal documentation of decision
Clear rationale and risk assessment
Approval from appropriate authority (CISO, risk committee)
Compensating controls documented
Regular re-evaluation
Defined expiration date for acceptance

Integration with Other Processes

Change Management

Vulnerability fixes flow through change control
Emergency change process for critical vulnerabilities
Testing requirements before deployment
Rollback procedures

Patch Management

Subset of vulnerability management focused on patches
Coordination of patch deployment
Testing in staging environments
Scheduled maintenance windows

Threat Modeling

Vulnerabilities inform threat model updates
Threat models guide vulnerability prioritization
Emerging threats drive reassessment

Security Monitoring

Monitoring for exploitation attempts
Prioritize vulnerabilities with active exploitation
Validate that patches don't break monitoring

Penetration Testing

Pen test findings feed into vulnerability management
Validate critical vulnerabilities are actually exploitable
Retest after remediation

Vulnerability Management Tools

Vulnerability Scanners

Nessus: Comprehensive vulnerability scanning
Qualys: Cloud-based scanning platform
Rapid7 InsightVM: Vulnerability management with analytics
OpenVAS: Open-source vulnerability scanner
Tenable.io: Modern cloud-based platform

Vulnerability Management Platforms

Kenna Security (Cisco): Risk-based vulnerability management
Brinqa: Unified vulnerability management and cyber risk
RiskSense: Risk-based prioritization platform
ServiceNow Security Operations: Integrated with ITSM
Qualys VMDR: Integrated detection and response

Integration Points

SIEM for Security Monitoring
CMDB for asset inventory
Ticketing systems (Jira, ServiceNow)
CI/CD pipelines for application vulnerabilities
Patch management systems
Threat intelligence platforms

Metrics and KPIs

Operational Metrics

Total Vulnerability Count: By severity
Vulnerability Density: Vulnerabilities per asset
Mean Time to Remediate (MTTR): By severity
SLA Compliance: Percentage meeting targets
Remediation Rate: Vulnerabilities fixed per time period
Backlog: Open vulnerabilities by age

Risk Metrics

Risk Score: Aggregated risk across organization
Critical Assets at Risk: High-severity vulnerabilities on key systems
Internet-Exposed Vulnerabilities: Public-facing risks
Trend Analysis: Improving or degrading over time

Coverage Metrics

Asset Coverage: Percentage of assets scanned
Scan Frequency: How often assets are assessed
Tool Coverage: Multiple detection methods employed

Challenges

Volume and Overload

Too many vulnerabilities to address
Alert fatigue from false positives
Limited resources for remediation

Prioritization Difficulty

CVSS doesn't always reflect real-world risk
Balancing multiple risk factors
Changing threat landscape

Organizational Silos

Disconnect between security and IT operations
Lack of ownership for remediation
Communication gaps

Resource Constraints

Limited security team capacity
Competing priorities
Maintenance window constraints

Technical Complexity

Legacy systems difficult to patch
Complex dependencies
Risk of breaking production systems

Best Practices

1. Automate Discovery

Continuous scanning, not point-in-time
Integrate vulnerability detection into CI/CD
Automated asset discovery
Multiple detection methods

2. Risk-Based Prioritization

Don't rely solely on CVSS
Consider asset criticality and exposure
Use threat intelligence
Incorporate business context

3. Define Clear Ownership

Assign vulnerability remediation to specific teams
Establish escalation paths
Clear SLAs and accountability

4. Integrate with Development

Shift left: Find vulnerabilities earlier
Developer training on secure coding
Integrate Static Code Analysis and Third-Party Dependency Scanning
Security champions in development teams

5. Measure and Report

Regular metrics and dashboards
Executive reporting on risk trends
Demonstrate improvement over time
Benchmarking against industry standards

6. Continuous Improvement

Learn from incidents
Refine prioritization criteria
Optimize workflows
Invest in automation

7. Coordinate with Patch Management

Aligned processes
Shared testing environments
Coordinated deployment windows
Clear communication

Compliance Requirements

Many regulations require vulnerability management:

PCI DSS: Quarterly external and internal vulnerability scans
HIPAA: Regular security assessments
SOC 2: Vulnerability management program
ISO 27001: Vulnerability management process
NIST CSF: Vulnerability management in Identify, Protect, Detect functions
GDPR: Security of processing, including vulnerability management