FOSSA Logo
V
Security
Risk Management
DevSecOps

Vulnerability Management

The cyclical process of identifying, evaluating, treating, and reporting security vulnerabilities across an organization's software, systems, and networks.

What is Vulnerability Management?

Vulnerability management is the systematic, continuous process of identifying, assessing, prioritizing, remediating, and reporting security vulnerabilities across an organization's software, systems, and network infrastructure. It's a critical component of an overall cybersecurity strategy that aims to reduce the attack surface available to threat actors.

In the context of software supply chain security, vulnerability management focuses heavily on detecting and addressing security weaknesses in both in-house code and third-party dependencies, which typically constitute 70-90% of modern applications.

The Vulnerability Management Lifecycle

1. Discovery and Inventory

  • Establishing a comprehensive inventory of all software assets
  • Mapping dependencies and creating Software Bills of Materials (SBOMs)
  • Implementing continuous monitoring for new or changed components

2. Vulnerability Identification

  • Scanning code and dependencies for known vulnerabilities
  • Performing static and dynamic application security testing
  • Monitoring vulnerability databases and security advisories
  • Conducting penetration testing and security assessments

3. Assessment and Prioritization

  • Evaluating vulnerability severity using frameworks like CVSS
  • Considering business context and potential impact
  • Determining exploitability and threat intelligence context
  • Prioritizing vulnerabilities based on risk scoring

4. Remediation

  • Patching or updating vulnerable components
  • Implementing mitigating controls when immediate patching isn't possible
  • Developing and applying security fixes
  • Validating that remediations effectively address vulnerabilities

5. Verification and Reporting

  • Confirming that vulnerabilities have been properly remediated
  • Generating compliance and status reports
  • Analyzing trends and measuring program effectiveness
  • Communicating risks to stakeholders

Key Vulnerability Management Concepts

Common Vulnerability and Exposure (CVE)

The CVE system provides standardized identifiers for publicly known security vulnerabilities, facilitating information sharing across security tools and services.

Common Vulnerability Scoring System (CVSS)

CVSS provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity, helping organizations prioritize remediation efforts.

Vulnerability Databases

  • National Vulnerability Database (NVD) - U.S. government repository of vulnerability data
  • OSV (Open Source Vulnerabilities) - Database for open source vulnerabilities
  • GitHub Advisory Database - Collection of security advisories for packages
  • Private vulnerability databases - Commercial databases with enhanced data

Mean Time to Remediate (MTTR)

A metric that measures the average time between vulnerability identification and remediation, providing insight into the efficiency of the vulnerability management process.

Vulnerability Management in the Software Supply Chain

Dependency Vulnerabilities

Open source and third-party components frequently contain vulnerabilities. Software Composition Analysis (SCA) tools help identify vulnerable dependencies in the software supply chain.

Inherited Risk

Software inherits the security posture of its dependencies, making vulnerability management a transitive challenge that extends throughout the supply chain.

Shifting Left

Modern vulnerability management incorporates security earlier in the development lifecycle ("shifting left"), preventing vulnerabilities from reaching production.

DevSecOps Integration

Effective vulnerability management integrates security into development and operations workflows, automating security checks throughout the CI/CD pipeline.

Vulnerability Management Best Practices

  1. Establish Clear Ownership - Define who is responsible for addressing vulnerabilities in different components
  2. Risk-Based Approach - Focus remediation efforts on vulnerabilities posing the greatest risk
  3. Automate Scanning - Implement automated vulnerability scanning in development and CI/CD pipelines
  4. Continuous Monitoring - Move from periodic to continuous vulnerability identification
  5. Patch Management Program - Develop a structured approach to applying patches
  6. Dependency Updates - Regularly update dependencies to incorporate security fixes
  7. Security Metrics - Track metrics like vulnerability density, time to remediate, and patch coverage
  8. Component Inventory - Maintain accurate SBOM documentation for all applications
  9. Vulnerability Disclosure Policy - Establish a process for receiving and addressing vulnerability reports
  10. Defense in Depth - Implement additional security controls to mitigate the impact of unpatched vulnerabilities

Vulnerability Management Tools

  • Software Composition Analysis (SCA) - Snyk, FOSSA, WhiteSource, Black Duck
  • Static Application Security Testing (SAST) - SonarQube, Checkmarx, Fortify
  • Dynamic Application Security Testing (DAST) - OWASP ZAP, Burp Suite
  • Vulnerability Scanners - Nessus, Qualys, Nexpose
  • Container Security - Trivy, Clair, Anchore
  • Cloud Security Posture Management - Prisma Cloud, Wiz, Orca Security