The term vulnerability management applies to an IT security process for handling a cybersecurity vulnerability from the moment it is discovered (manually or automatically) to its resolution. This process may include vulnerability assessment and prioritization, temporary mitigation using a firewall or WAF, creating tickets or issues in management systems, manual validation, retesting after remediation efforts are completed, and more. The formal definition of vulnerability management is: the cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.
Vulnerability management processes apply equally well to network security vulnerabilities and web application security vulnerabilities. While the two attack surfaces are very different and require different types of remediation, the vulnerability management program is very similar. Malware, access control issues, and endpoint security issues (including configuration errors) are rarely considered vulnerabilities.
In the case of network security, vulnerability management usually correlates with patch management because network vulnerability remediation is all about applying patches for known vulnerabilities. Web application security vulnerability management, on the other hand, often includes not just vulnerabilities but also misconfigurations. Vulnerability management is also often considered a part of broader risk management aimed at assessing the entire security posture of an organization and its IT assets.
Vulnerability management software includes both dedicated vulnerability management solutions and products that incorporate some vulnerability management functionality.
Vulnerability management solutions may be divided into three classes:
Because vulnerability management for network security and web application security is very similar, many solutions from all three classes are able to manage both network and web application security vulnerabilities (for example, Acunetix). Other solutions, especially the integrated ones, are dedicated to either network or web application vulnerabilities.
Vulnerability management solutions are typically available as cloud platforms (SaaS), but on-premises solutions for various operating systems also exist. These would be selected by organizations with information security requirements that restrict the use of cloud-based solutions.
The vulnerability management processes may include different activities, depending on the level of automation and integration. Here are some examples.
Vulnerability management is the process of handling a cybersecurity vulnerability from the moment it is discovered to its resolution. The formal definition of vulnerability management is: the cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.
Learn how to manage vulnerabilities directly in Invicti Enterprise.
Vulnerability management may be handled by a dedicated tool but is often included in another security solution, such as a DAST product, or done using issue management tools such as Jira. Most organizations prefer to manage vulnerabilities using the same products they use to manage software development and bugs.
Find out how to integrate Invicti with popular issue management tools.
Many organizations need to combine vulnerability management in their development processes with handling test results from staging and production environments. Built-in vulnerability management features in AppSec products such as Invicti and Acunetix can work well for highly integrated DevSecOps pipelines. To combine vulnerability management across application security testing and external sources of vulnerability intelligence, you would typically feed all vulnerability information into a central issue tracking system or a dedicated management tool.
Read about the advantages of ongoing vulnerability management for web applications.