Vulnerability Management: Definition, Process, and Tools

Learn about the critical process of vulnerability management, the standard definition of vulnerabilities, and how to manage vulnerabilities in your organization

What is Vulnerability Management?

Vulnerability management is an organized attempt to identify, classify, and remediate vulnerabilities in computer systems. Some of the world’s biggest data breaches were caused by known vulnerabilities that could have easily been remediated, and would have been prevented by an effective vulnerability management process. 

The modern IT stack is complex and includes many components that could have security weaknesses or vulnerabilities, such as:

  • Operating systems
  • Applications and workloads
  • Containers and serverless functions
  • Servers and endpoints
  • Cloud systems and configurations
  • Firewalls and other security tools
  • Network equipment
  • Internet of Things (IoT) devices

Vulnerability management aims to provide comprehensive coverage of as many infrastructure elements as possible, scanning them on an ongoing basis to identify vulnerabilities, and making it easy for teams to remediate them as they are discovered. The process must be continuous, because new vulnerabilities are discovered all the time, and IT infrastructure is also subject to constant change.

In this article, you will learn:

Why Do Organizations Need Vulnerability Management?

Attackers are always looking for vulnerabilities to exploit, both new, zero-day vulnerabilities and old, known vulnerabilities that may not have been fixed. To protect an organization, it is important to implement a vulnerability management framework that regularly checks for vulnerabilities and enables remediation.

The following statistics demonstrate the importance of vulnerability management:

  • In the year 2020 alone more than 18,000 vulnerabilities were published in the National Vulnerability Database (NVD), up 4% from the previous year.
  • Over 40% of external web application vulnerabilities have high severity, according to an EdgeScan report.
  • According to the same report, the mean time to repair (MTTR) for web application vulnerabilities was 85 days. During this long period, attackers can easily exploit vulnerabilities and use them to cause damage or exfiltrate data.

How Are Vulnerabilities Defined?

Security vulnerabilities affect entire communities of organizations and users. In order to facilitate knowledge sharing and organized response to security threats, there are accepted standards for defining and codifying vulnerabilities.

The National Institute of Standards and Technology (NIST) publishes SCAP, a standard for defining vulnerabilities, which includes the following elements:

  • Common vulnerabilities and exposures (CVE)—a specific vulnerability discovered in a computer system which can enable attacks 
  • Common configuration enumeration (CCE)—configuration issues with a certain system that could cause security concerns 
  • Common platform enumeration (CPE)—identifies a group of software applications or devices that could be affected by the same vulnerabilities
  • Common vulnerability scoring system (CVSS)—defines the severity of a vulnerability, between 0 and 10

There are many open vulnerability databases that follow the SCAP conventions, including:

Vulnerability Management Process

The vulnerability management process includes the following main stages: identification, evaluation, remediation, and reporting.

Identification

The Center for Internet Security advises performing automated vulnerability scans at least once per week. Organizations with CI/CD development pipelines may need to scan for vulnerabilities in their code and components several times a day. 

Organizations need to map out IT assets and may need to use different vulnerability scanners for each type of assets:

  • Open source components
  • Proprietary code
  • Running applications
  • Operating systems
  • Cloud native infrastructure

Related content: learn more in our guides to:

Evaluation

Once the organization has a list of vulnerabilities discovered across its systems, it is important to classify and prioritize them using factors such as:

  • CVSS severity scores
  • Ease of exploitation
  • Business impact of a breach
  • Compensating security controls

Penetration testing can help identify which vulnerabilities have the biggest real world impact and can facilitate damaging data breaches. 

Remediation

Vulnerability management tools typically recommend a remediation for each vulnerability. There are three options for each vulnerability you discover:

  • Remediate—fix the vulnerability by applying a patch, replacing a vulnerable component, etc., and rerunning the vulnerability scan to validate the fix.
  • Mitigate—taking steps to reduce the impact of a vulnerability until it can be fixed, for example, isolating affected systems from the network.
  • No action—in reality it is impossible for organizations to remediate all vulnerabilities. Some vulnerabilities which have lower severity or impact can be safely ignored.

Reporting

Vulnerability management systems can provide automated reports that show which vulnerabilities were discovered and which were remediated across all IT systems. This can facilitate periodic review of vulnerability status, planning for remediation efforts, reporting to management, and addressing compliance obligations.

What are Vulnerability Management Tools?

Vulnerability management tools, sometimes known as vulnerability scanning tools, can help identify weaknesses in IT systems. They all have some sort of classification system, identifying vulnerabilities on a spectrum from low to high severity, and allowing organizations to prioritize the most impactful vulnerabilities.

A comprehensive vulnerability management solution requires the following features:

  • Vulnerability scanning—uses automated tools such as configuration scanning, network scanning, firewall log analysis, and automated penetration testing.
  • Identifying vulnerabilities—analyzes results of scans, identifying and reporting vulnerabilities that exist in the environment. 
  • Prioritizing vulnerabilities—identifying the systems and environment layers affected by each vulnerability, and providing information about its severity, impact, and root causes.
  • Remediation recommendations—providing guidance and instructions on how to remediate the vulnerability.
  • Vulnerability patching—some vulnerability management systems can automatically apply a patch to affected systems, or take other measures, such as changing firewall rules, to block the discovered attack vector.
  • Vulnerability shielding—in cases where it is difficult or impossible to fix a vulnerability at its source, some solutions enable virtual patching or shielding, which add controls to prevent the exploitation of a vulnerability. For example, if the vulnerability is based on accessing a specific file, the solution would protect access to this file.

Learn more About Vulnerability Management

Open Source Vulnerability Scanning: Methods and Top 5 Tools

Open source vulnerability scanners, often used as part of Software Composition Analysis (SCA) tools, are used to detect open source components used in software projects, and check if they contain unpatched  security vulnerabilities, and help organizations remediate them. These tools scan complex dependency trees, because vulnerabilities can be found in a dependent library used by the main component or brought into an application during the build phase.  Learn how open source vulnerability scanning works and discover tools that can help you identify and remediate vulnerabilities in OSS components and containers. 

Read more: Open Source Vulnerability Scanning: Methods and Top 5 Tools

Trivy Vulnerability Scanner Adopted by Leading Cloud Native Platforms

Trivy is a comprehensive and easy-to-use open source vulnerability scanner for container images. Unlike other open source scanners, Trivy covers both OS packages and language-specific dependencies and is extremely easy to integrate into organizations’ software development pipelines. Trivy vulnerability scanner is being added as an integrated option in the CNCF’s Harbor registry, in GitLab, and in Mirantis Docker Enterprise.

Read more: Trivy Vulnerability Scanner Adopted by Leading Cloud Native Platforms