A vulnerability management system continuously scans an environment against one or more databases of known vulnerabilities, with the objective of identifying vulnerable assets. Different types of vulnerability scanners might be deployed, depending on the stage of the product lifecycle and the type of environment (on-premises, cloud, or hybrid).
In development stages, it is most common to use white-box testing technologies like static application security testing (SAST), which examines source code for security issues. In testing and staging environments, it is common to perform black-box testing using tools like dynamic application security testing (DAST), which execute the application and test it while it is running.
In production, runtime protection technologies such as runtime application self-protection (RASP) can detect vulnerabilities as they are triggered in the running application.
In larger organizations, there might be thousands of managed assets with multiple vulnerabilities identified for each asset. It is usually not feasible to remediate all vulnerabilities, and it is also not necessary, because many vulnerabilities are not severe or not really exploitable by attackers.
To optimize remediation efforts, you should prioritize vulnerabilities based on the risk they pose to your organization. Vulnerability databases typically assign technical severity scores, and advanced vulnerability management solutions can fine-tune these scores to reflect the real business impact or actual chance of exploitation in specific managed assets.
The responsibility of a vulnerability management system does not end with identifying and prioritizing security flaws—it should also determine the ideal action to take to address these vulnerabilities. This can include applying patches, reconfiguring network settings, changing access control settings, and removing unused applications.
At this stage, IT and security teams must balance the need for quick resolution with the cost of a fix and its potential impact on system uptime and productivity. A vulnerability management system should provide a means to track which vulnerabilities have been addressed, which are still pending resolution, and which can be safely ignored.
4. Verification and Reporting
Once a set of actions is identified, IT staff implement the fix, or in some cases, it is applied automatically by the vulnerability management system or other integrated systems. The vulnerability management system should then verify that the fix is implemented correctly and report if anything is left to fix.
In reality, many remediations are not easy to implement. Systems have complex interdependencies, and in some cases, the risk of interrupting mission-critical systems might outweigh the need for a security fix. Whatever the decision made by those responsible, there should be full visibility to IT and security leadership if any fixes are purposely delayed.
To support this visibility, a vulnerability management solution should include reporting capabilities to check the current status of systems and the progress of vulnerability fixes.
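The two ideas above, risk-based prioritization that adjusts a database severity score for business context, and status tracking that keeps purposely delayed fixes visible, as an added example that is not code from the original article. The findings, asset names, criticality weights and multipliers are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    fid: str               # finding id (constructed placeholder, not a real CVE)
    asset: str             # managed asset the scanner found it on
    cvss: float            # technical severity from the vulnerability database
    internet_facing: bool  # reachable from outside the organization?
    exploit_known: bool    # exploitation observed in the wild?
    status: str = "open"   # open | fixed | deferred | accepted
    reason: str = ""       # mandatory when a fix is deferred or risk-accepted

# Assumed business criticality per asset (1.0 = mission critical); unknown assets get 0.5.
ASSET_CRITICALITY = {"payments-api": 1.0, "intranet-wiki": 0.4, "build-agent": 0.6}

def risk_score(f: Finding) -> float:
    """Fine-tune the CVSS base score with asset criticality, exposure and exploit activity."""
    score = f.cvss * ASSET_CRITICALITY.get(f.asset, 0.5)
    if f.internet_facing:
        score *= 1.5   # assumed multiplier: exposed assets are reached first
    if f.exploit_known:
        score *= 2.0   # assumed multiplier: real exploitation beats theoretical severity
    return round(min(score, 10.0), 1)

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest contextual risk first, not highest raw CVSS first."""
    return sorted(findings, key=risk_score, reverse=True)

def status_report(findings: list[Finding]) -> tuple[dict[str, int], list[tuple]]:
    """Counts per status, plus every deferred/accepted item so leadership sees delayed fixes."""
    counts: dict[str, int] = {}
    delayed = []
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
        if f.status in ("deferred", "accepted"):
            if not f.reason:
                raise ValueError(f"{f.fid}: deferring a fix requires a documented reason")
            delayed.append((f.fid, f.asset, f.status, f.reason))
    return counts, delayed

# Constructed sample scanner findings (not real scanner output).
SAMPLE = [
    Finding("VULN-0001", "intranet-wiki", 9.8, False, False),
    Finding("VULN-0002", "payments-api", 6.5, True, True),
    Finding("VULN-0003", "build-agent", 7.5, False, False, "deferred", "change freeze until Q3"),
    Finding("VULN-0004", "payments-api", 4.2, True, False, "fixed"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.fid, f.asset, f.cvss, "->", risk_score(f), f.status)
    print(status_report(SAMPLE))
```

Note that VULN-0001 carries the highest database score but lands last once asset criticality is applied, while the medium-severity VULN-0002 on an exposed, actively exploited asset is capped at the top.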