Vulnerability management

What is vulnerability management?

The term vulnerability management applies to an IT security process for handling a cybersecurity vulnerability from the moment it is discovered (manually or automatically) to its resolution. This process may include vulnerability assessment and prioritization, temporary mitigation using a firewall or WAF, creating tickets or issues in management systems, manual validation, retesting after remediation efforts are completed, and more. The formal definition of vulnerability management is: the cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.

Vulnerability management processes apply equally well to network security vulnerabilities and web application security vulnerabilities. While the two attack surfaces are very different and require different types of remediation, the vulnerability management program is very similar. Malware, access control issues, and endpoint security issues (including configuration errors) are rarely considered vulnerabilities.

In the case of network security, vulnerability management usually correlates with patch management because network vulnerability remediation is all about applying patches for known vulnerabilities. Web application security vulnerability management, on the other hand, often includes not just vulnerabilities but also misconfigurations. Vulnerability management is also often considered a part of broader risk management aimed at assessing the entire security posture of an organization and its IT assets.

What are vulnerability management solutions?

Vulnerability management software includes both dedicated vulnerability management solutions and products that incorporate some vulnerability management functionality.

Vulnerability management solutions may be divided into three classes:

  • Standalone vulnerability management solutions are dedicated to vulnerability management. They do not discover vulnerabilities on their own – their vulnerability databases interface with other systems to get vulnerability data. Standalone solutions have the disadvantage that you also need other software for vulnerability scanning. They are also not convenient for developers, who usually already have an issue tracking system. This makes standalone solutions the least efficient choice, especially when you need SDLC integration.
  • Integrated vulnerability management solutions are built into network scanners, web vulnerability scanners (DAST), SAST, or even IAST solutions. They find a vulnerability, assess it, and then allow the business to manage it until resolution, in effect becoming a one-stop shop for handling vulnerabilities. An example of such a solution is Acunetix by Invicti. This approach to vulnerability management works great for SMBs, security consultants, and service providers such as MSSPs but not too well for larger organizations that already extensively use other issue management solutions.
  • Issue tracker integrations for vulnerability management are the best choice for larger organizations. Issue trackers, such as Atlassian Jira, are used for all kinds of issues/tickets, not just vulnerabilities. You can therefore integrate the tracker with specialized security testing software such as Invicti to provide vulnerability management functions, including automatic prioritization based on vulnerability assessment and automatic rescanning after a manual issue status change.

Because vulnerability management for network security and web application security is very similar, many solutions from all three classes are able to manage both network and web application security vulnerabilities (for example, Acunetix). Other solutions, especially the integrated ones, are dedicated to either network or web application vulnerabilities.

Vulnerability management solutions are typically available as cloud platforms (SaaS), but on-premises solutions for various operating systems also exist. These would be selected by organizations with information security requirements that restrict the use of cloud-based solutions.

What does the vulnerability management process include?

Vulnerability management processes may include different activities, depending on the level of automation and integration. Here are some examples.

  • In a manual vulnerability management process, a penetration testing team manually finds and categorizes vulnerabilities. This is a common approach for third-party periodic audits. The test team delivers a list of all discovered vulnerabilities and their details, sometimes simply as a document. This vulnerability data then has to be entered into a management system such as Jira (if used) and the security team must manually coordinate vulnerability remediation with the developers. This is tedious and error-prone, involving many manual steps and multiple stakeholders, so relying purely on periodic security audits to maintain security is not recommended for modern companies.
  • In a shift-right semi-automatic vulnerability management process, the security team may perform periodic scans only on staging and live production environments using an integrated solution such as Acunetix. All vulnerabilities are automatically assessed by the solution and the data is stored in the built-in vulnerability management system. Developers can use the vulnerability management dashboard to mark resolved issues and automatically retest them with no need for a third-party tracker such as Jira. This workflow is recommended only for small businesses that do not use issue trackers.
  • In a shift-left semi-automatic vulnerability management process, the initial scans are performed automatically as part of the SDLC. Many businesses use SAST solutions in the SDLC and integrate them with existing issue management systems. When the SAST scanner finds a vulnerability, it provides an initial vulnerability assessment and creates a ticket in the issue tracker. Then, the security team routinely verifies each issue manually, which is necessary due to the high rate of false positives in SAST systems. The next step is issue management and scheduling, for example, Scrum sprint planning. Finally, the issue is fixed by a developer and marked as resolved and, again, the security team performs manual verification to make sure the issue has truly been resolved.
  • In a fully automatic vulnerability management process, scans are both performed during the SDLC (shift left) and run on a schedule in production environments. New vulnerability data is recorded as issues in the issue tracker with no need for manual verification (which is possible with technologies such as Proof-Based Scanning). The DAST scanner communicates in real time with the issue tracker and after the developer marks the issue as resolved, the scanner automatically retests the fix. This type of process requires only occasional interventions from the security team and allows developers to continue using their existing systems for bug tracking and new feature requests. In effect, manual work on vulnerability management is reduced to near zero.
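The lifecycle described above (identify, classify, prioritize, remediate, retest) can be made concrete as a small issue-sync engine. The following is an added example written for this page; it is not code from Invicti, Acunetix, or Jira. It assumes an in-memory stand-in for an issue tracker, a `retest` callback that stands in for a scanner's rescan API, and constructed sample findings. It shows three things the prose only states: fingerprinting so a rescan updates an existing issue instead of duplicating it, a priority score that combines severity, exposure and whether the scanner produced proof, and the automatic retest that reopens an issue when the developer's fix did not actually work.

```python
"""Vulnerability lifecycle sync: scanner findings -> issue tracker -> retest.

Added example, not vendor code. Tracker is an in-memory model of a Jira-style
issue store; the retest callback stands in for a scanner rescan API.
"""
from dataclasses import dataclass, field
from enum import Enum
import hashlib


class Status(Enum):
    NEEDS_VERIFICATION = "needs verification"  # unconfirmed finding, analyst must triage
    OPEN = "open"
    RESOLVED = "resolved"                      # developer claims a fix; retest pending
    CLOSED = "closed"                          # retest confirmed the fix (or false positive)
    REOPENED = "reopened"                      # retest or rescan found it again


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    target: str      # host or base URL
    vuln_type: str   # scanner's vulnerability class
    location: str    # parameter, path or port where it was found
    severity: str
    confirmed: bool  # True when the scanner supplied proof of exploitability


def fingerprint(f: Finding) -> str:
    """Stable identity: the same vuln at the same place maps to one issue."""
    raw = f"{f.target}|{f.vuln_type}|{f.location}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def priority(f: Finding, internet_facing) -> int:
    """Higher is more urgent: severity dominates, exposure and proof add to it."""
    score = SEVERITY_RANK.get(f.severity.lower(), 0) * 10
    if f.target in internet_facing:
        score += 5
    if f.confirmed:
        score += 3
    return score


@dataclass
class Issue:
    key: str
    finding: Finding
    status: Status
    priority: int
    history: list = field(default_factory=list)


class Tracker:
    def __init__(self, internet_facing):
        self.by_fp = {}                       # fingerprint -> Issue
        self.internet_facing = set(internet_facing)
        self._seq = 0

    def issue(self, key):
        return next(i for i in self.by_fp.values() if i.key == key)

    def ingest(self, findings):
        """Create or update issues for scanner output; returns the keys touched."""
        touched = []
        for f in findings:
            issue = self.by_fp.get(fingerprint(f))
            if issue is None:
                self._seq += 1
                status = Status.OPEN if f.confirmed else Status.NEEDS_VERIFICATION
                issue = Issue(f"SEC-{self._seq}", f, status, priority(f, self.internet_facing))
                issue.history.append(("created", status))
                self.by_fp[fingerprint(f)] = issue
            elif issue.status == Status.CLOSED:
                issue.status = Status.REOPENED  # regression: a closed vuln came back
                issue.history.append(("rescan", issue.status))
            touched.append(issue.key)
        return touched

    def verify(self, key, is_real):
        """Analyst triage of an unconfirmed finding: promote it or close as false positive."""
        issue = self.issue(key)
        if issue.status != Status.NEEDS_VERIFICATION:
            raise ValueError(f"{key} is not awaiting verification")
        issue.status = Status.OPEN if is_real else Status.CLOSED
        issue.history.append(("triaged", issue.status))
        return issue.status

    def developer_marks_resolved(self, key, retest):
        """Status change triggers an automatic retest; reopen if still vulnerable."""
        issue = self.issue(key)
        if issue.status not in (Status.OPEN, Status.REOPENED):
            raise ValueError(f"{key} cannot be resolved from {issue.status.value}")
        issue.status = Status.RESOLVED
        issue.status = Status.REOPENED if retest(issue.finding) else Status.CLOSED
        issue.history.append(("retest", issue.status))
        return issue.status


FINDINGS = [  # constructed sample scanner output, not real hosts
    Finding("https://shop.example", "SQL injection", "GET /search?q", "critical", True),
    Finding("https://shop.example", "Missing HSTS header", "/", "low", True),
    Finding("10.0.0.12", "Outdated SSH server", "tcp/22", "high", False),
]


def demo():
    """Run one full cycle; returns final statuses and priorities keyed by issue."""
    t = Tracker(internet_facing={"https://shop.example"})
    keys = t.ingest(FINDINGS)
    if t.ingest(FINDINGS) != keys:          # rescan must not create duplicates
        raise RuntimeError("duplicate issues created")
    t.verify("SEC-3", is_real=True)
    fixed = {"Missing HSTS header", "Outdated SSH server"}  # simulated retest outcome
    for k in keys:
        t.developer_marks_resolved(k, lambda f: f.vuln_type not in fixed)
    t.ingest([FINDINGS[1]])                 # HSTS regressed on a later scan
    return ({k: t.issue(k).status for k in keys},
            {k: t.issue(k).priority for k in keys})
```

In `demo()` the incomplete SQL injection fix is reopened by the retest, the two real fixes close, and the HSTS issue reopens when a later scan finds it again, so the tracker never silently accumulates duplicate or stale tickets. Note that the verified high-severity finding on the internal host outranks the low-severity one on the internet-facing target, which is the kind of ordering a prioritization rule should produce.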