🔍 Vulnerability Management
End-to-end vulnerability lifecycle — scanning, assessment, risk-based prioritization, patching, and continuous monitoring across infrastructure and applications.
Overview
Vulnerability Management is the ongoing process of identifying, evaluating, remediating, and reporting on security vulnerabilities across an organization's systems and software. A mature program uses risk-based prioritization (CVSS severity, EPSS exploit probability, asset criticality and exposure) to focus resources on the vulnerabilities most likely to be exploited and most costly if they are; only a small minority of published CVEs are ever exploited in the wild, and CVSS alone does not tell you which. Common commercial platforms include Qualys VMDR, Tenable (Nessus, Tenable Vulnerability Management) and Rapid7 InsightVM; OpenVAS/Greenbone is the usual open-source scanner.
Key Concepts
Vulnerability Scanning
Automated discovery of known vulnerabilities across networks, hosts, web applications, and container images. Unauthenticated scans probe only what is reachable over the network (open ports, service banners, response fingerprints), so they show the attacker's view but miss most host-level findings; authenticated scans log in with credentials or an agent and enumerate installed packages and configuration, giving more complete results with fewer false positives. Run both, and reconcile results against the asset inventory so that unscanned assets show up as a coverage gap rather than as "no vulnerabilities".
CVSS Scoring
Common Vulnerability Scoring System, maintained by FIRST. It rates the technical severity of a vulnerability from 0.0 to 10.0 (None, Low, Medium, High, Critical) from Base metrics (attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality/integrity/availability impact); v3.x adds Temporal and Environmental metric groups that adjust for exploit maturity and the deploying organization's context, and v4.0 renames Temporal to Threat and adds Supplemental metrics. The Base score published in advisories and the NVD measures severity, not likelihood of exploitation or business impact, so it should never be the only input to prioritization.
EPSS (Exploit Prediction)
Exploit Prediction Scoring System, also maintained by FIRST. A statistical model, refreshed daily, that estimates the probability (0 to 1) that a CVE will be exploited in the wild within the next 30 days, alongside a percentile relative to all scored CVEs. EPSS complements CVSS rather than replacing it: it says how likely exploitation is, not how bad it would be, and it is only defined for published CVEs, not for zero-days or internal findings without a CVE ID.
Patch Management
Systematic processes for testing, approving, deploying, and verifying security patches (and, where a patch is not available or cannot be applied, configuration changes or vendor mitigations). Includes an emergency, out-of-band procedure for actively exploited vulnerabilities and zero-days that bypasses the normal change window, plus post-deployment rescans to confirm the fix actually took effect.
Risk-Based Prioritization
Combining CVSS severity, EPSS probability, asset criticality, exploit availability (public PoC, Metasploit module, CISA Known Exploited Vulnerabilities listing), exposure (internet-facing vs. internal) and compensating controls into a single ranking, so that remediation effort goes to the vulnerabilities that actually matter rather than to whatever has the highest CVSS score.
SBOM
Software Bill of Materials, an inventory of every component (libraries, packages, container base images) in a piece of software, usually exchanged in the SPDX or CycloneDX formats. When a new CVE is disclosed, querying SBOMs answers "where do we run the affected component and version?" immediately, instead of waiting for the next scan cycle to rediscover it.
Vulnerability Management Lifecycle
Continuous cycle from discovery to remediation to monitoring
Interview Preparation
How do you prioritize vulnerabilities for remediation?
Use risk-based prioritization combining: 1) CVSS base score for technical severity, 2) EPSS for exploit probability, 3) Asset criticality and business context, 4) Exploit availability (Metasploit modules, public PoC code, active exploitation such as a CISA KEV listing), 5) Exposure (internet-facing vs. internal), 6) Compensating controls (WAF rules, network segmentation, EDR). Severity is only one input: a CVSS 7.0 vulnerability on an internet-facing payment server with a public exploit ranks higher than a CVSS 9.8 on an isolated test server with no known exploit, and anything under active exploitation goes to the front of the queue regardless of score.
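The ranking described in the answer is easy to state and easy to get wrong in a spreadsheet, so here is the same logic as a small scoring model. This is an added example, not code from this page or from any vendor product; the weights, the asset-criticality scale, the exposure factors, the "known exploited" floor and the SLA tiers are all assumed policy values that a real program would tune, and the sample findings are constructed.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    id: str
    asset: str
    cvss: float                 # CVSS base score: technical severity only
    epss: float                 # EPSS probability of exploitation in the next 30 days, 0..1
    criticality: int            # assumed asset scale: 1 (lab/test) .. 5 (revenue-critical)
    internet_facing: bool
    known_exploited: bool       # public PoC / Metasploit module / CISA KEV listing
    compensating_control: bool  # WAF rule, segmentation, EDR blocking the technique


# Assumed policy weights (illustrative, not a standard): severity, likelihood,
# exposure and business criticality must sum to 1 so scores stay in 0..1.
W_SEVERITY, W_LIKELIHOOD, W_EXPOSURE, W_CRITICALITY = 0.35, 0.30, 0.15, 0.20
KNOWN_EXPLOIT_FLOOR = 0.80      # confirmed exploitation is treated as at least this likely
CONTROL_DISCOUNT = 0.60         # compensating controls reduce risk, never remove it
EXPOSURE = {True: 1.0, False: 0.3}   # internal assets are still reachable by a foothold


def risk_score(v: Vuln) -> float:
    """Weighted risk in 0..1 combining severity, likelihood, exposure and criticality."""
    likelihood = max(v.epss, KNOWN_EXPLOIT_FLOOR if v.known_exploited else 0.0)
    score = (W_SEVERITY * v.cvss / 10
             + W_LIKELIHOOD * likelihood
             + W_EXPOSURE * EXPOSURE[v.internet_facing]
             + W_CRITICALITY * v.criticality / 5)
    if v.compensating_control:
        score *= CONTROL_DISCOUNT
    return round(score, 3)


def remediation_sla_days(score: float) -> int:
    """Assumed SLA tiers keyed on risk score rather than on CVSS alone."""
    if score >= 0.7:
        return 7
    if score >= 0.4:
        return 30
    if score >= 0.2:
        return 90
    return 180


def prioritize(vulns):
    """Return findings ordered from most to least urgent."""
    return sorted(vulns, key=risk_score, reverse=True)


# Constructed sample: V-1 is the "CVSS 7.0 on the payment server" from the answer,
# V-2 the "CVSS 9.8 on an isolated test box". Hostnames are placeholders.
SAMPLE = [
    Vuln("V-1", "pay-web-01", 7.0, 0.92, 5, True, True, False),
    Vuln("V-2", "test-vm-07", 9.8, 0.03, 1, False, False, False),
    Vuln("V-3", "portal-01", 9.8, 0.45, 4, True, False, True),
    Vuln("V-4", "hr-app-02", 6.6, 0.05, 3, True, True, False),
    Vuln("V-5", "intranet-wiki", 5.0, 0.01, 2, False, False, False),
]


if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        s = risk_score(v)
        print(f"{v.id} {v.asset:14s} cvss={v.cvss:4.1f} risk={s:.3f} fix within {remediation_sla_days(s)}d")
```

Sorting by CVSS alone would have put V-2 and V-3 at the top; with likelihood, exposure and criticality in the model, V-1 (moderate severity, exploited, internet-facing, critical asset) leads, and V-4 overtakes both 9.8s because a KEV listing overrides its low EPSS. V-3 stays ahead of V-2 even after the WAF discount because it is exposed and on an important system.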
What KPIs would you track for a vulnerability management program?
Key KPIs: 1) Mean Time to Remediate (MTTR) by severity, measured from detection (or public disclosure) to verified fix, 2) Vulnerability density (open findings per asset), 3) Scan coverage (scanned assets as a percentage of the asset inventory), 4) SLA compliance rate for patching, by severity, 5) Recurrence rate (vulnerabilities re-introduced after being fixed, typically by rebuilds from stale images or unmanaged deployments), 6) Risk reduction over time, weighted by risk score rather than raw counts, 7) Number and age of critical/high vulnerabilities open beyond SLA. Track trends monthly and report to leadership; a falling total count with a flat MTTR on critical findings usually means easy findings are being closed rather than dangerous ones.
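Most of those KPIs fall out of one findings table with detection and fix dates. The code below is an added example, not from this page or from any scanner's reporting module; the SLA policy, the "as of" date, the hostnames and the placeholder CVE labels are all constructed. It computes MTTR by severity, SLA compliance (counting open findings that are already past due as misses, and excluding open findings whose clock has not run out), the open-beyond-SLA backlog, and recurrences of the same finding on the same asset after it was fixed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed patching policy: maximum days from detection to verified fix.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    asset: str
    cve: str            # placeholder labels below; real data would carry CVE IDs
    severity: str
    found: date
    fixed: Optional[date] = None   # None while the finding is still open


def days_open(f: Finding, today: date) -> int:
    return ((f.fixed or today) - f.found).days


def mttr_by_severity(findings) -> dict:
    """Mean detection-to-fix time in days, per severity, over closed findings only."""
    closed = defaultdict(list)
    for f in findings:
        if f.fixed:
            closed[f.severity].append((f.fixed - f.found).days)
    return {sev: round(mean(days), 1) for sev, days in closed.items()}


def sla_compliance(findings, today: date) -> float:
    """Share of findings fixed within SLA, among findings that are closed or already past due."""
    assessed = [f for f in findings
                if f.fixed or days_open(f, today) > SLA_DAYS[f.severity]]
    met = [f for f in assessed
           if f.fixed and (f.fixed - f.found).days <= SLA_DAYS[f.severity]]
    return round(len(met) / len(assessed), 3) if assessed else 1.0


def open_beyond_sla(findings, today: date) -> list:
    """Still-open findings whose SLA clock has expired; the backlog leadership cares about."""
    return [f for f in findings
            if f.fixed is None and days_open(f, today) > SLA_DAYS[f.severity]]


def recurrences(findings) -> list:
    """(asset, cve) pairs detected again after an earlier fix on the same asset."""
    by_key = defaultdict(list)
    for f in findings:
        by_key[(f.asset, f.cve)].append(f)
    out = []
    for key, fs in by_key.items():
        fs.sort(key=lambda f: f.found)
        for earlier, later in zip(fs, fs[1:]):
            if earlier.fixed and later.found > earlier.fixed:
                out.append(key)
                break
    return out


def kpi_report(findings, today: date) -> dict:
    return {
        "mttr_days": mttr_by_severity(findings),
        "sla_compliance": sla_compliance(findings, today),
        "open_beyond_sla": [(f.asset, f.cve) for f in open_beyond_sla(findings, today)],
        "recurrences": recurrences(findings),
    }


# Constructed sample findings; "today" is fixed so the numbers are reproducible.
TODAY = date(2024, 7, 1)
SAMPLE = [
    Finding("web-01", "CVE-A", "critical", date(2024, 6, 1), date(2024, 6, 5)),    # 4d, in SLA
    Finding("web-01", "CVE-B", "high", date(2024, 5, 1), date(2024, 6, 15)),       # 45d, late
    Finding("db-01", "CVE-C", "critical", date(2024, 6, 20)),                      # open 11d, past due
    Finding("db-01", "CVE-D", "medium", date(2024, 6, 25)),                        # open 6d, not yet due
    Finding("web-02", "CVE-A", "critical", date(2024, 6, 2), date(2024, 6, 10)),   # 8d, late by 1 day
    Finding("web-01", "CVE-A", "critical", date(2024, 6, 20), date(2024, 6, 22)),  # reintroduced, 2d
]

if __name__ == "__main__":
    for k, v in kpi_report(SAMPLE, TODAY).items():
        print(f"{k}: {v}")
```

The recurrence check is the one most teams skip: web-01 had CVE-A fixed on June 5 and detected again on June 20, which is the signature of a host being redeployed from an unpatched image, and that is a process defect no amount of patching speed will fix.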
Framework Mapping
| Framework | Relevant Controls |
|---|---|
| NIST | SP 800-53 Rev. 5: RA-5 (Vulnerability Monitoring and Scanning), SI-2 (Flaw Remediation), CM-8 (System Component Inventory) |
| OWASP | Vulnerability Disclosure Cheat Sheet, OWASP Dependency-Check (SCA scanning), OWASP Dependency-Track (SBOM-driven component analysis) |
| MITRE ATT&CK | T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation) |