Overview

Vulnerability management keeps software, infrastructure, and devices resilient by continuously identifying weaknesses and driving timely fixes. A credible program blends automated discovery with risk-based prioritization, owner accountability, and verification that remediations actually landed.

Core objectives

  • Maintain a complete, current inventory of assets with clear ownership.
  • Detect vulnerabilities from multiple sources: scanners, SBOM feeds, bug bounty, threat intelligence, and vendor advisories.
  • Prioritize findings using exploitability, business impact, and exposure window—not just CVSS scores.
  • Ensure remediation or compensating controls are tracked to closure with evidence.

Implementation notes

  • Standardize scanning cadences: authenticated scans for servers, agent-based coverage for endpoints, and dependency scans in CI/CD.
  • Create service-level objectives (e.g., critical in 7 days, high in 14) with automatic breach notifications to owners.
  • Integrate ticket creation with asset owners and include fix guidance, test cases, and rollback steps.
  • For exceptions, require risk acceptance with expiry dates and periodic review.

Operational signals

  • Leading indicators: rising backlog of criticals, scan coverage gaps, or repeated deferrals for the same asset groups.
  • Lagging indicators: incidents tied to known-but-unfixed CVEs, failed audits, or regulator findings.
  • Feedback loops: weekly risk review of top 10 assets, patch success rates, and rescans to confirm closure.

Runbook essentials

  • New CVE workflow: identify affected assets via SBOM or inventory tags → notify owners → assign due dates based on severity → validate fixes via rescan.
  • Zero-day handling: apply vendor mitigations, isolate exposed services, enable WAF/IPS signatures, and plan patching windows.
  • Maintenance windows: coordinate with change management to avoid outages and ensure back-out plans exist.
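The new-CVE workflow above (match an advisory against inventory SBOM data, notify owners, assign severity-based due dates, flag SLO breaches) as an added example that is not part of the original page. It uses the page's critical/high SLOs; the medium/low windows, the package names, the CVE id and the dates are constructed placeholders.

```python
# Added example, not from the original page: the new-CVE workflow above, with
# the page's remediation SLOs. All inventory, advisory and date values are constructed.
from datetime import date, timedelta

# SLOs from the page: critical in 7 days, high in 14. Medium/low are assumed.
SLO_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def is_affected(component, advisory):
    """True if the component is the advisory's package and its version lies
    in the vulnerable range [introduced, fixed)."""
    if component["name"] != advisory["package"]:
        return False
    v = parse_version(component["version"])
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def triage(sbom, advisory, published, today):
    """Identify affected assets, assign the SLO due date for the advisory's
    severity, and flag findings still open past that date. Dates are ISO strings."""
    due = date.fromisoformat(published) + timedelta(days=SLO_DAYS[advisory["severity"]])
    breached = date.fromisoformat(today) > due
    findings = []
    for asset in sbom:
        for comp in asset["components"]:
            if is_affected(comp, advisory):
                findings.append({
                    "asset": asset["asset"], "owner": asset["owner"],
                    "component": f"{comp['name']}@{comp['version']}",
                    "due": due.isoformat(), "breached": breached,
                })
    return findings

# Constructed inventory: each asset carries an owner tag and its SBOM components.
SBOM = [
    {"asset": "api-gateway", "owner": "team-platform",
     "components": [{"name": "libexample", "version": "2.3.1"}]},
    {"asset": "billing-db", "owner": "team-payments",
     "components": [{"name": "libexample", "version": "2.4.0"}]},  # already on fixed version
    {"asset": "intranet-wiki", "owner": "team-it",
     "components": [{"name": "otherlib", "version": "1.0.0"}]},
]
# Constructed advisory; the CVE id is a placeholder.
ADVISORY = {"id": "CVE-XXXX-YYYY", "package": "libexample", "severity": "critical",
            "introduced": "2.0.0", "fixed": "2.4.0"}
```

Each finding carries the owner to notify and the due date to put on the ticket; rerunning `triage` after the fix lands (or after a rescan updates the SBOM) is the closure check.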

  • Patch management, configuration baselines, and secure build pipelines reduce recurring vulnerabilities.
  • Threat intelligence helps re-rank findings when exploitation in the wild emerges.
  • Detection engineering should watch for exploitation attempts of unpatched items while remediation is underway.