Resources/Security Concepts

Vulnerability Management Lifecycle

A comprehensive framework for discovering, prioritizing, and remediating security vulnerabilities effectively.

Understanding Vulnerability Management

Vulnerability management is the systematic process of identifying, evaluating, treating, and reporting on security vulnerabilities across an organization's systems and software. Unlike one-time security assessments, vulnerability management is an ongoing operational process.

Effective vulnerability management reduces organizational risk by ensuring vulnerabilities are discovered quickly and remediated before attackers can exploit them. However, the volume of vulnerabilities in modern environments makes systematic prioritization essential—not every vulnerability deserves immediate attention.

The Vulnerability Management Lifecycle

Phase 1: Discovery

Discovery involves identifying vulnerabilities across your environment through multiple sources and methods.

Discovery Sources:

  • Automated Scanning: Network vulnerability scanners, web application scanners, container scanners, dependency scanners
  • Penetration Testing: Validates exploitability, discovers business logic flaws, provides proof-of-concept evidence
  • Bug Bounty Programs: External researchers report vulnerabilities through structured programs
  • Threat Intelligence: Vendor advisories, CVE database monitoring, industry threat feeds
  • Internal Sources: Developer-reported concerns, code review findings, security champion escalations

Discovery Best Practices:

  • Maintain accurate asset inventory—you can't secure what you don't know about
  • Use multiple discovery methods; no single source catches everything
  • Ensure scanner credentials have appropriate access for authenticated testing
  • Schedule scans to minimize operational impact while maintaining coverage
  • Validate scanner findings to reduce false positive noise

Phase 2: Prioritization

With potentially thousands of vulnerabilities to address, prioritization determines where to focus limited remediation resources.

CVSS: Common Vulnerability Scoring System

CVSS provides a standardized way to assess vulnerability severity on a 0-10 scale based on:

  • Attack vector (Network, Adjacent, Local, Physical)
  • Attack complexity (Low, High)
  • Privileges required (None, Low, High)
  • User interaction (None, Required)
  • Confidentiality, Integrity, and Availability impact
Score Range Severity
9.0 - 10.0 Critical
7.0 - 8.9 High
4.0 - 6.9 Medium
0.1 - 3.9 Low

Context-Aware Prioritization

CVSS alone is insufficient. A CVSS 9.0 vulnerability on an isolated test system may be lower priority than a CVSS 6.0 issue on an internet-facing payment system.

Consider a risk rating that incorporates:

  • Asset Criticality (1-5): Core business systems, customer data stores score higher
  • Exposure Factor (1-3): Internet-facing vs. internal vs. isolated
  • Threat Factor (1-3): Active exploitation vs. public exploit vs. theoretical

EPSS: Exploit Prediction Scoring System

EPSS predicts the likelihood of a vulnerability being exploited in the wild within 30 days. Combining CVSS severity with EPSS probability creates actionable prioritization:

  • High CVSS + High EPSS = Immediate priority
  • High CVSS + Low EPSS = Important but less urgent
  • Low CVSS + High EPSS = May warrant attention despite low severity

Phase 3: Remediation

Remediation involves eliminating or reducing the risk posed by identified vulnerabilities.

Remediation Options:

  • Patching: Applying vendor-supplied fixes (most complete remediation)
  • Configuration Changes: Hardening settings, strengthening access controls
  • Compensating Controls: WAFs, network segmentation, enhanced monitoring
  • Workarounds: Temporary measures when patches aren't available
  • Code Fixes: Custom remediation for proprietary applications
  • Acceptance: Documented decision to accept risk with compensating controls

Remediation Workflow:

  1. Assignment: Route to appropriate owner based on system ownership
  2. Validation: Owner confirms vulnerability applies in their context
  3. Planning: Determine approach, test requirements, change window
  4. Testing: Validate fix in non-production environment
  5. Implementation: Apply fix during approved change window
  6. Verification: Confirm vulnerability resolved through rescanning or testing
  7. Documentation: Update tracking system with resolution details

Phase 4: SLA Setting and Tracking

Service Level Agreements establish expectations for remediation timelines based on risk.

Risk Level Description Remediation SLA
Critical Internet-facing, active exploitation, critical systems 24-72 hours
High Exploitable vulnerabilities on important systems 7-14 days
Medium Moderate risk vulnerabilities 30-60 days
Low Minor vulnerabilities, limited impact 90 days

Key Metrics to Track:

  • Total open vulnerabilities by severity
  • New vulnerabilities discovered per period
  • Vulnerabilities remediated per period
  • Mean time to remediate (MTTR) by severity
  • SLA compliance rate
  • Backlog trends over time

Phase 5: Exception Management

Not every vulnerability can or should be remediated within standard SLAs. A formal exception process provides a controlled path.

Exception Types:

  • Risk Acceptance: Organization accepts risk for defined period with compensating controls
  • Remediation Deferral: Fix delayed with interim mitigations and new target date
  • False Positive: Technical justification that issue doesn't apply

Exception Process:

  1. Owner submits request with justification
  2. Security evaluates risk and proposed compensating controls
  3. Appropriate authority approves based on risk level
  4. Document with justification, controls, and expiration
  5. Monitor status and expiration
  6. Require fresh justification for extensions

Exception Governance: Limit duration (quarterly maximum common), require compensating controls for high-severity issues, review periodically, track trends.

Building an Effective Program

Organizational Requirements:

  • Clear ownership of program vs. individual remediation
  • Executive support for prioritization decisions
  • Cross-functional collaboration between IT, development, and security
  • Adequate resources for tools and staffing

Process Integration: Connect vulnerability management to change management, incident response, development pipelines, and risk management.

Common Pitfalls:

  • Alert fatigue from unfiltered low-priority findings
  • Scanner-only focus missing context-dependent issues
  • Metrics gaming by closing easy issues
  • Siloed operation reducing overall effectiveness

Validating Vulnerability Remediation

The lifecycle doesn't end at remediation—validation confirms fixes actually work.

Validation Approaches:

  • Rescanning: Fastest but has same scanner limitations
  • Penetration Testing: Higher confidence, tests for related issues
  • Code Review: Catches incomplete fixes and root cause issues

On-demand penetration testing is valuable for validation because it quickly confirms high-priority fixes without waiting for scheduled assessments. When a critical vulnerability is remediated, immediate testing provides confidence the fix works.

Need to validate your vulnerability remediation? RedVeil provides on-demand penetration testing that confirms your fixes work—with validated, exploitable findings instead of scanner noise. Start testing at app.redveil.ai.

Previous

What is an Attack Path

Next

Threat Modeling for Development Teams

Ready to run your own test?

Start your first RedVeil pentest in minutes.

Start your pentestBook a demo