The Foundation: Comprehensive Asset Inventory
Before you can identify which CVEs affect your systems, you must know exactly what software and hardware you have. Many organizations struggle because they lack accurate asset inventory. Unauthorized software, shadow IT systems, and undocumented dependencies hide vulnerabilities.
Create and maintain a comprehensive asset inventory including:
Software components:
- Operating systems and versions
- Applications and services
- Libraries and frameworks
- Open-source components and their versions
- Browser extensions and plugins
- Database systems and versions
Hardware components:
- Server models and firmware versions
- Network devices (routers, switches, firewalls)
- Physical security systems
- IoT devices and their firmware
- Laptop and desktop models
Development and build tools:
- Container images and base images
- Build system components
- CI/CD pipeline tools
- Development libraries and dependencies
The accuracy of your CVE identification depends entirely on the accuracy of your asset inventory. Undocumented systems cannot be assessed for vulnerabilities.
Method 1: Manual CVE Database Searching
The most direct method is searching CVE databases manually:
National Vulnerability Database (NVD): The official U.S. government database at nvd.nist.gov. Search by:
- Product name: Find all CVEs for a product (e.g., "Apache Tomcat")
- Vendor name: Find all CVEs from a vendor (e.g., "Adobe")
- CVE ID: Look up specific CVE identifiers
- Date range: Find CVEs disclosed during a period
- CVSS severity: Filter by severity rating
Once you've found relevant CVEs, the NVD provides:
- Detailed description of the vulnerability
- Affected products and versions
- CVSS scores
- References to vendor advisories and patches
- Related CWE (Common Weakness Enumeration) IDs
Vendor security advisories: Major software vendors publish security bulletins on their own websites:
- Microsoft Security Update Guide (security.microsoft.com)
- Apple Security Updates (support.apple.com/en-us/HT201222)
- Adobe Security Advisories (adobe.com/support/security)
- Linux vendor advisories (Red Hat, Canonical, etc.)
These advisories often provide early notification and details specific to each vendor's products.
Open-source project pages: For open-source software, check:
- Project GitHub repositories for security advisories
- Project websites and release notes
- Open-source vulnerability databases (GitHub Advisory Database, Snyk, etc.)
This manual method works for periodic audits but becomes time-consuming with large software inventories.
Method 2: Vulnerability Scanning Tools
Vulnerability scanning tools automate the process of identifying installed software and checking it against known vulnerabilities.
Host-based vulnerability scanners (Nessus, Qualys, Rapid7 Nexpose) scan individual computers and servers. These tools:
- Scan the system to identify installed software and versions
- Check against vulnerability databases for known CVEs
- Generate reports listing detected vulnerabilities with severity ratings
- Often provide remediation recommendations
Host-based scanners can identify vulnerabilities in:
- Operating system packages
- Third-party applications
- Services and daemons
- Configuration issues that might enable exploitation
Network vulnerability scanners scan from the network to identify services listening on network ports and detect vulnerabilities in:
- Web servers and services
- Database services
- Remote access services
- Network appliances and infrastructure
Network scanners don't require agent software on each system but might miss vulnerabilities in services not listening on network ports.
Container and image scanners scan Docker images and container registries for vulnerable components:
- Trivy: Open-source, scans container images and Git repositories
- Anchore: Container image scanning with detailed vulnerability reports
- Aqua Security: Commercial container security platform
- Docker Scout: Built-in scanning for Docker images
Container scanning is essential for organizations using containerized applications and microservices architectures.
Method 3: Dependency and Software Composition Analysis
For development teams, understanding what libraries and dependencies your code uses is critical.
Software Composition Analysis (SCA) tools scan your codebase and identify all dependencies and their versions:
- Snyk: Scans package files (package.json, requirements.txt, etc.) and identifies vulnerable dependencies
- Dependency-Check: Open-source tool from OWASP that identifies known vulnerabilities
- WhiteSource (JFrog): Commercial SCA tool for comprehensive dependency analysis
- Black Duck: Commercial tool for open-source risk management
These tools integrate into development pipelines to catch vulnerable dependencies during:
- Code commits (pre-commit scanning)
- Continuous Integration (build-time scanning)
- Pull request reviews (automated security review)
- Production deployment (final verification)
For each vulnerable dependency, these tools provide:
- Identified CVE IDs
- Severity scores
- Available patches or updated versions
- Remediation guidance
This approach catches vulnerabilities in third-party and open-source components before they reach production.
Method 4: Configuration Management Database (CMDB) Integration
Organizations with mature IT operations often have Configuration Management Databases tracking all IT assets and their configurations. Connecting your CMDB to vulnerability management systems enables:
- Automated cross-referencing of installed software against CVE databases
- Immediate alerts when new CVEs affect your software inventory
- Tracking of remediation status across the organization
- Compliance reporting on vulnerability assessment
CMDB systems (ServiceNow, BMC Atrium, etc.) provide the single source of truth for what's running in your environment.
Method 5: Real-time CVE Monitoring and Alerts
Rather than periodically scanning for vulnerabilities, set up monitoring for new CVE disclosures:
RSS feeds and email alerts:
- NVD provides RSS feeds for new CVE disclosures
- Vendor security advisories offer email subscriptions
- Security research organizations publish CVE alerts
These provide notification as soon as new CVEs are disclosed, enabling rapid assessment of whether your systems are affected.
Specialized threat intelligence platforms:
- Recorded Future: Aggregates CVE information with threat intelligence
- CrowdStrike Falcon: Threat intelligence with CVE tracking
- Tenable Vulnerability Management: Continuous monitoring with alerts
- Rapid7 InsightVM: Continuous monitoring and assessment
These platforms continuously monitor your assets and CVE databases, alerting you when new vulnerabilities matching your asset inventory are disclosed.
Security advisory aggregators:
- Feedly (with security content): Aggregates advisories from multiple sources
- Google Alerts: Monitor for CVEs by product name
- Twitter and security researcher accounts: Follow active security researchers
Method 6: Penetration Testing and Professional Assessment
For critical systems, professional penetration testing and vulnerability assessments by external security firms can identify:
- Vulnerabilities that automated scanning misses
- Exploitable combinations of vulnerabilities
- Misconfigurations that create vulnerability conditions
- Logic flaws and application vulnerabilities
Professional assessments complement automated scanning, catching issues in custom applications and complex environments where scanners might miss issues.
Practical Implementation Workflow
An effective CVE identification process combines multiple methods:
-
Establish baseline asset inventory: Document all systems, software, and versions
-
Implement automated scanning: Deploy vulnerability scanners across your environment
-
Integrate dependency scanning: Include SCA tools in development pipelines
-
Set up CVE monitoring: Subscribe to alerts for new disclosures
-
Establish regular assessment schedule:
- Critical systems: Monthly or quarterly scans
- Important systems: Quarterly scans
- Standard systems: Annual scans
-
Respond to alerts: When new CVEs are disclosed, immediately assess impact on your systems
-
Verify remediation: After patches are applied, re-scan to confirm vulnerabilities are resolved
Overcoming Common Challenges
Overwhelming vulnerability volume: With thousands of CVEs disclosed annually, focus on:
- High and critical severity vulnerabilities first
- Vulnerabilities affecting systems you actually have
- Vulnerabilities with active exploits available
- Vulnerabilities affecting internet-facing systems
Lack of asset visibility: Start by:
- Conducting network discovery to identify unknown systems
- Interviewing business units about systems they operate
- Checking DNS records, firewalls, and load balancers for clues
- Gradually building accurate asset inventory
Legacy systems difficult to update: For systems that can't be patched:
- Implement compensating controls (network segmentation, access restrictions)
- Monitor for exploitation attempts
- Plan migration to supportable systems
- Document risk acceptance for unpatched systems
Third-party and supply chain vulnerabilities:
- Require vendors to disclose vulnerabilities and patches
- Monitor your dependencies for vulnerable sub-dependencies
- Implement software bill of materials (SBOM) requirements
- Track vendors' security practices
Tools Summary
For different organizational needs:
Small organizations/budget-constrained: Free tools like Dependency-Check, Trivy, and NVD searches
Mid-market organizations: Nessus Professional, Snyk, or Qualys for comprehensive scanning
Enterprise organizations: Tenable, Rapid7 InsightVM, or Qualys for continuous monitoring and platform capabilities
Development-focused: Snyk, Dependabot, or GitLab security features integrated into development workflows
Conclusion
Finding CVEs affecting your systems requires combining asset inventory, automated scanning, dependency analysis, and ongoing monitoring. No single tool or method catches all vulnerabilities—a layered approach combining automated scanning, manual review, monitoring, and professional assessment provides comprehensive coverage. Start with accurate asset inventory, implement automated scanning, monitor for new CVE disclosures, and regularly assess your systems. With these practices in place, you can systematically identify and manage vulnerabilities before attackers exploit them.
