Vulnerability management is the systematic process of identifying, evaluating, treating, and reporting security vulnerabilities. With tens of thousands of new CVEs published every year, organizations need a structured approach to prioritize remediation and reduce risk effectively.
Understanding Vulnerabilities
What Is a CVE?
CVE (Common Vulnerabilities and Exposures) is a standardized identifier for a publicly known security vulnerability. The CVE Program is operated by MITRE; IDs are assigned by CVE Numbering Authorities (CNAs), which include software vendors, open-source projects, and research organizations.
CVE format: CVE-YYYY-NNNN
- YYYY: Year the ID was reserved or the vulnerability was publicly disclosed (not necessarily the year it was introduced or discovered)
- NNNN: Sequence number of at least four digits; since 2014 there is no upper limit, so five- and six-digit sequences are common
Example: CVE-2021-44228 (Log4Shell), which has a five-digit sequence number
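A small parser for the ID format just described, added here as an example (it is not code from the original page). It validates single IDs against the post-2014 syntax and pulls every well-formed ID out of free text such as a vendor bulletin or mailing-list post, which is the first step of matching advisories against an inventory. The sample advisory text is constructed for the example.

```python
import re

# CVE ID syntax: "CVE-", a four-digit year, a sequence of at least four digits.
# Five or more digits have been allowed since the 2014 syntax change.
CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def parse_cve_id(text):
    """Return (year, sequence) for one CVE ID, or None if it is malformed."""
    m = CVE_PATTERN.fullmatch(text.strip())
    if not m:
        return None
    year, seq = int(m.group(1)), m.group(2)
    # Leading zeros only pad the sequence to four digits (CVE-2014-0160);
    # a longer sequence with a leading zero is not a valid ID.
    if len(seq) > 4 and seq[0] == "0":
        return None
    if year < 1999:  # the first CVE IDs date from 1999
        return None
    return year, int(seq)


def extract_cve_ids(text):
    """Find every well-formed CVE ID in free text, normalise to upper case,
    de-duplicate, and sort by year then sequence number."""
    found = set()
    for m in CVE_PATTERN.finditer(text):
        candidate = m.group(0).upper()
        if parse_cve_id(candidate) is not None:
            found.add(candidate)
    return sorted(found, key=parse_cve_id)


# Constructed sample advisory text (not a real bulletin).
SAMPLE = """Fixed cve-2021-44228 and CVE-2021-45046 in log4j-core.
Also see CVE-2014-0160 (Heartbleed). CVE-21-1234 and CVE-2021-123 are malformed.
CVE-2021-44228 is repeated here."""

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE))
```

Normalising case and de-duplicating matters in practice because the same ID is routinely written in several forms across bulletins, commit messages, and scanner output, and duplicate records inflate vulnerability counts in reporting.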
CVE Databases
📚 NVD vs MITRE CVE Differences: Understanding the CVE ecosystem.
| Database | Role | Content |
|---|---|---|
| MITRE CVE | ID assignment (through CNAs) and publication | Description, affected products, references |
| NVD | Enrichment after publication | CVSS scores, CPE product names, CWE weakness mapping, additional references |
| Vendor advisories | Patches | Fix information |
📚 NVD Update Frequency: How long until CVEs are enriched.
Finding Relevant CVEs
📚 Finding CVEs Affecting Your Systems: Systematic CVE discovery.
Methods:
- Vulnerability scanners (Qualys, Tenable, Rapid7)
- Software composition analysis (SCA)
- Vendor security bulletins
- NVD/CVE database searches
- Security mailing lists
CVSS Scoring
CVSS (Common Vulnerability Scoring System) provides standardized severity ratings.
📚 CVSS Scoring System Explained: Deep dive into CVSS metrics.
CVSS 3.1 Score Ranges
| Score | Severity | Typical Response |
|---|---|---|
| 0.0 | None | Informational |
| 0.1-3.9 | Low | Schedule remediation |
| 4.0-6.9 | Medium | Remediate within 30 days |
| 7.0-8.9 | High | Remediate within 7 days |
| 9.0-10.0 | Critical | Immediate response |
CVSS Metric Groups
Base Metrics (inherent characteristics):
- Attack Vector (Network, Adjacent, Local, Physical)
- Attack Complexity (Low, High)
- Privileges Required (None, Low, High)
- User Interaction (None, Required)
- Scope (Unchanged, Changed)
- Impact (Confidentiality, Integrity, Availability)
Temporal Metrics (change over time):
- Exploit Code Maturity
- Remediation Level
- Report Confidence
Environmental Metrics (organization-specific):
- Modified Base Metrics
- Security Requirements (CR, IR, AR: how much Confidentiality, Integrity, and Availability matter for the affected asset)
CVSS v4.0, published by FIRST in November 2023, keeps the same 0-10 range and severity labels but changes the metrics: Scope is replaced by separate Vulnerable System and Subsequent System impact metrics, Attack Requirements and a three-valued User Interaction (None/Passive/Active) are added, and the Temporal group becomes the Threat group. Many feeds still report v3.1, so check which version a score refers to before comparing numbers.
Patch Prioritization
CVSS alone isn't sufficient for prioritization; context matters. Only a small minority of published CVEs are ever exploited in the wild, so a 9.8 on an isolated internal host with no public exploit may deserve less urgency than a 6.5 that is internet-facing and listed in the CISA KEV catalog.
📚 Prioritizing Which CVEs to Patch First: Risk-based prioritization strategies.
Prioritization Factors
| Factor | Consideration |
|---|---|
| CVSS score | Baseline severity |
| Exploitability | Is exploit code public? What is the EPSS probability of exploitation activity in the next 30 days? |
| Active exploitation | Is it being used in attacks (for example, listed in the CISA KEV catalog)? |
| Asset criticality | Business impact of affected system |
| Exposure | Internet-facing vs internal |
| Compensating controls | Mitigations in place |
SSVC: Stakeholder-Specific Vulnerability Categorization
CISA's SSVC framework walks a decision tree over four decision points: Exploitation (none, public PoC, active), Automatable (no, yes), Technical Impact (partial, total), and Mission & Well-being (low, medium, high). The leaves are four outcomes:
- Track: Remediate within normal cycles
- Track*: As Track, but with closer monitoring for changes in exploitation or impact
- Attend: Remediate sooner than normal
- Act: Immediate action required
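The following example, added here and not part of the original page, ties the prioritization factors table to an SSVC-style decision. It derives the four decision points from data a program usually has (CVSS vector, KEV membership, public exploit code, exposure, asset criticality, compensating controls) and sorts a constructed finding set into Act/Attend/Track*/Track. Two things are assumptions made for the example: the "Automatable" heuristic (AV:N, PR:N, UI:N) and the mission-impact adjustment for exposure and mitigations; and the decision tree is a simplified one in the shape of CISA's, not CISA's published table, which has more leaves and should be used for real decisions. `CVE-0000-000N` entries are placeholders, not real identifiers.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    vector: str               # CVSS v3.1 base vector
    in_kev: bool              # listed in CISA's Known Exploited Vulnerabilities catalog
    public_poc: bool          # public exploit code exists
    internet_facing: bool
    criticality: str          # business criticality of the asset: "low" | "medium" | "high"
    mitigated: bool = False   # compensating control in place (WAF rule, feature disabled, ...)


LEVELS = ["low", "medium", "high"]


def vector_metrics(vector):
    return dict(part.split(":", 1) for part in vector.split("/")[1:])


def exploitation(f):
    """SSVC 'Exploitation' decision point, fed from KEV and PoC availability."""
    return "active" if f.in_kev else "poc" if f.public_poc else "none"


def automatable(f):
    """Heuristic stand-in (assumption, not SSVC's own definition): reachable over
    the network with no privileges and no user interaction required."""
    m = vector_metrics(f.vector)
    return m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N"


def technical_impact(f):
    m = vector_metrics(f.vector)
    return "total" if (m["C"], m["I"], m["A"]) == ("H", "H", "H") else "partial"


def mission_wellbeing(f):
    """Asset criticality, stepped up one level if internet-facing and down one
    level if a compensating control is in place (heuristic assumed here)."""
    level = LEVELS.index(f.criticality) + (1 if f.internet_facing else 0) - (1 if f.mitigated else 0)
    return LEVELS[max(0, min(2, level))]


def ssvc_decision(expl, auto, impact, mwb):
    """Simplified decision tree in the shape of CISA's SSVC (illustrative only)."""
    if expl == "active":
        if mwb == "high" or (auto and impact == "total" and mwb != "low"):
            return "Act"
        return "Attend"
    if expl == "poc":
        if mwb == "high" and (auto or impact == "total"):
            return "Attend"
        return "Track*" if (mwb != "low" or auto) else "Track"
    if auto and impact == "total" and mwb == "high":
        return "Attend"
    if mwb == "high" or (auto and impact == "total"):
        return "Track*"
    return "Track"


DECISION_ORDER = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}


def prioritize(findings):
    """Return (decision, cve, asset) tuples, most urgent first; CVSS breaks ties."""
    rows = [(ssvc_decision(exploitation(f), automatable(f), technical_impact(f),
                           mission_wellbeing(f)), f.cve, f.asset, f.cvss) for f in findings]
    rows.sort(key=lambda r: (DECISION_ORDER[r[0]], -r[3]))
    return [(decision, cve, asset) for decision, cve, asset, _ in rows]


RCE_SC = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"   # NVD vector for CVE-2021-44228
# Constructed inventory; asset names and CVE-0000-000N IDs are placeholders.
FINDINGS = [
    Finding("CVE-2021-44228", "web-01 (customer portal)", 10.0, RCE_SC, True, True, True, "high"),
    Finding("CVE-2021-44228", "build-07 (dev sandbox)", 10.0, RCE_SC, True, True, False, "low", mitigated=True),
    Finding("CVE-0000-0001", "erp-02", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", False, False, False, "medium"),
    Finding("CVE-0000-0002", "www-03 (marketing site)", 5.4, "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", False, True, True, "low"),
    Finding("CVE-0000-0003", "db-01 (core ledger)", 7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", False, False, False, "high", mitigated=True),
]

if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
```

The output ordering is the point: the 7.5 High with no exploit and a mitigation in place sorts below the 5.4 Medium that has public exploit code on an internet-facing host, and the same Log4Shell CVE lands in different buckets on the customer portal and on the mitigated sandbox.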
Patch Timeline Expectations
📚 CVE Patch Timeline: From disclosure to patch availability.
Typical timelines (they vary widely by vendor and product):
- Vendor acknowledgement of a critical report: 24-72 hours; the fix itself usually takes longer
- Report to patch release: commonly 30-90 days, with many vendors batching fixes into monthly cycles (Microsoft's Patch Tuesday is the second Tuesday of each month)
- Coordinated disclosure deadline: 90 days is the common convention (Google Project Zero's policy, for example)
Vulnerability Management Workflow
📚 Vulnerability Management Workflow: End-to-end process guide.
1. Asset Discovery
You can't protect what you don't know about:
- Network scanning
- Agent-based discovery
- CMDB integration
- Cloud API inventory
2. Vulnerability Scanning
Regular scanning identifies vulnerabilities:
- Frequency: Weekly to continuous
- Coverage: All assets
- Authentication: Credentialed scans (agent, SSH, or WinRM) read installed package versions and configuration directly instead of inferring them from service banners, which cuts both false positives and false negatives
- Scope: Network, web applications, containers
3. Prioritization
Apply risk-based prioritization:
- Filter by exploitability and exposure
- Weigh asset criticality
- Consider compensating controls
- Focus on actionable findings
4. Remediation
Execute patches and fixes:
- Emergency patches for critical/exploited
- Scheduled maintenance windows
- Change management process
- Validation testing
5. Verification
Confirm remediation success:
- Re-scan affected systems
- Verify patch installation
- Test application functionality
- Close vulnerability records
6. Reporting
Track metrics and communicate:
- Mean time to remediate (MTTR)
- Vulnerability counts by severity
- Remediation SLA compliance
- Risk reduction over time
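Steps 3 through 6 of the workflow above, run end to end on constructed data, as an added example (not code from the original page or any particular product). It assigns due dates from the severity table and the KEV rule, reconciles successive scan exports against a tracker so that a finding that disappears is closed by re-scan and one that comes back is reopened as a regression, and then computes the reporting metrics (MTTR, SLA compliance, overdue counts). The SLA day counts are an assumption for the example and should come from your own policy; asset names and `CVE-0000-000N` IDs are placeholders.

```python
from datetime import date, timedelta
from statistics import mean

# Remediation windows in days, following the severity table above; the exact
# numbers are an assumption for this example, set them from your own policy.
SLA_DAYS = {"Critical": 2, "High": 7, "Medium": 30, "Low": 90}
KEV_SLA_DAYS = 2   # anything in CISA KEV gets the emergency window regardless of score


def due_date(first_seen, severity, in_kev):
    days = SLA_DAYS[severity]
    if in_kev:
        days = min(days, KEV_SLA_DAYS)
    return first_seen + timedelta(days=days)


def reconcile(tracker, scan_results, scan_date):
    """Fold one scan run into the tracker, a dict keyed by (asset, cve).
    New findings are opened with a due date; open findings no longer reported are
    closed (verification by re-scan, so the close date is the scan date, not the
    patch date); a closed finding that reappears is reopened as a regression."""
    seen = set()
    for r in scan_results:
        key = (r["asset"], r["cve"])
        seen.add(key)
        rec = tracker.get(key)
        if rec is None:
            tracker[key] = {"severity": r["severity"], "in_kev": r["in_kev"],
                            "first_seen": scan_date,
                            "due": due_date(scan_date, r["severity"], r["in_kev"]),
                            "closed": None, "regressions": 0}
        elif rec["closed"] is not None:
            rec.update(first_seen=scan_date, closed=None, regressions=rec["regressions"] + 1,
                       due=due_date(scan_date, rec["severity"], rec["in_kev"]))
    for key, rec in tracker.items():
        if rec["closed"] is None and key not in seen:
            rec["closed"] = scan_date
    return tracker


def metrics(tracker, today):
    closed = [r for r in tracker.values() if r["closed"] is not None]
    open_ = [r for r in tracker.values() if r["closed"] is None]
    return {
        "open": len(open_),
        "closed": len(closed),
        "mttr_days": mean((r["closed"] - r["first_seen"]).days for r in closed) if closed else None,
        "sla_compliance": sum(r["closed"] <= r["due"] for r in closed) / len(closed) if closed else None,
        "open_overdue": sum(today > r["due"] for r in open_),
        "open_by_severity": {s: sum(r["severity"] == s for r in open_) for s in SLA_DAYS},
    }


def finding(asset, cve, severity, in_kev=False):
    return {"asset": asset, "cve": cve, "severity": severity, "in_kev": in_kev}


# Constructed scan exports from three credentialed scan runs.
SCANS = [
    (date(2024, 3, 1), [finding("web-01", "CVE-0000-0001", "Critical", in_kev=True),
                        finding("web-01", "CVE-0000-0002", "High"),
                        finding("db-01", "CVE-0000-0003", "Medium"),
                        finding("build-01", "CVE-0000-0004", "Low")]),
    (date(2024, 3, 6), [finding("db-01", "CVE-0000-0003", "Medium"),
                        finding("build-01", "CVE-0000-0004", "Low"),
                        finding("db-01", "CVE-0000-0005", "High")]),
    (date(2024, 4, 9), [finding("web-01", "CVE-0000-0001", "Critical", in_kev=True),  # regression
                        finding("build-01", "CVE-0000-0004", "Low")]),
]


def run_example(today=date(2024, 4, 15)):
    tracker = {}
    for scan_date, results in SCANS:
        reconcile(tracker, results, scan_date)
    return tracker, metrics(tracker, today)


if __name__ == "__main__":
    _, report = run_example()
    print(report)
```

Two design choices are worth keeping when adapting this: closure is only ever driven by a scan that no longer reports the finding (a ticket marked "patched" by hand is not verification), and a regression resets the clock rather than silently reusing the old record, so the reappearing KEV-listed finding on `web-01` shows up as overdue in the report instead of being hidden behind its earlier closure.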
Tools and Resources
| Tool | Purpose |
|---|---|
| CVE Lookup | Search and analyze CVE details |
Vulnerability Management Maturity
Level 1: Ad Hoc
- Reactive patching
- No formal process
- Limited visibility
Level 2: Defined
- Regular scanning schedule
- Basic prioritization
- Manual tracking
Level 3: Managed
- Risk-based prioritization
- SLA tracking
- Automated scanning
Level 4: Optimized
- Continuous monitoring
- Predictive analysis
- Integration with threat intel
- Automated remediation
Best Practices
- Scan continuously, not just quarterly
- Prioritize ruthlessly—you can't patch everything immediately
- Track exploited vulnerabilities (CISA KEV catalog)
- Measure and improve remediation times
- Automate where possible
- Communicate risk in business terms
Conclusion
Effective vulnerability management balances comprehensive coverage with practical prioritization. Focus on:
- Visibility: Know your assets and their vulnerabilities
- Prioritization: Use risk-based approaches, not just CVSS
- Speed: Reduce mean time to remediate
- Measurement: Track metrics and demonstrate improvement
The goal isn't zero vulnerabilities—it's managing risk effectively with limited resources. A mature vulnerability management program reduces your attack surface systematically while enabling business operations.
