ELI5: What is Vulnerability Management?
Think of your house having a crack in a window, a loose lock, and a hole in the fence. Vulnerability management is like walking around your house regularly, writing down every weak spot, deciding which ones are most dangerous, and fixing them in order. You start with the broken lock on the front door because that is the easiest way for someone to get in. Then you keep checking because new cracks can appear anytime.
Overview
Vulnerability management is the continuous cycle of discovering, evaluating, treating, and reporting on security vulnerabilities across an organization’s assets. It goes beyond simple scanning to include risk-based prioritization and tracking remediation efforts. Effective vulnerability management reduces the attack surface and provides evidence of due diligence for compliance.
Key Concepts
- Vulnerability scanning: Automated tools (Nessus, Qualys, OpenVAS) that identify known weaknesses in systems and applications
- Credentialed vs. non-credentialed scans: Credentialed scans log into systems for deeper analysis; non-credentialed scans show the external attacker’s view
- CVSS (Common Vulnerability Scoring System): Standardized 0-10 scoring system for vulnerability severity
- CVE (Common Vulnerabilities and Exposures): Unique identifiers for publicly known vulnerabilities
- Risk-based prioritization: Considering exploit availability, asset criticality, and exposure when deciding remediation order
- Remediation vs. mitigation: Remediation fixes the vulnerability; mitigation reduces the risk without fully eliminating it
- Patch management: Applying vendor-supplied fixes; the most common remediation approach
- Scan scheduling: Regular scans (weekly, monthly) plus ad-hoc scans after major changes
- False positives and false negatives: Validating scan results to avoid wasting resources or missing real vulnerabilities
- nmap: Network scanner for host discovery, port scanning, and service detection (nmap -sV -O target)
- sn1per: Automated pentest reconnaissance framework
- scanless: Command-line utility for performing port scans through third-party websites
Exam Tips
Remember
Vulnerability management lifecycle: Discover → Prioritize → Remediate → Verify → Report. CVSS scores: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9).
- Credentialed scans find more vulnerabilities but require maintained service accounts
- Not all vulnerabilities need immediate patching — prioritize by risk (exploitability + asset value + exposure)
- Know the difference between vulnerability scanning (automated) and penetration testing (manual exploitation)
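As an added example (not part of the study guide), the ordering rule from the tips above in code: each finding is ranked by its CVSS score combined with exploit availability, asset criticality and exposure, and a follow-up scan is compared against the original scan for the Verify step of the lifecycle. The Finding fields, the multipliers and the sample findings are constructed assumptions, not a standard or a real scanner's output.

```python
# Added example: risk-based triage of scan findings; weights are illustrative assumptions.
from dataclasses import dataclass

def cvss_band(score: float) -> str:
    """Map a CVSS base score onto the qualitative bands quoted in the notes."""
    for floor, band in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return band
    return "None"

@dataclass(frozen=True)
class Finding:
    cve: str                 # identifier reported by the scanner
    host: str
    cvss: float              # base score, 0.0-10.0
    exploit_public: bool     # a working exploit is publicly available
    asset_criticality: int   # 1 = low-value asset, 2 = normal, 3 = business-critical
    internet_exposed: bool   # reachable from outside the perimeter

def risk_score(f: Finding) -> float:
    """Severity x exploitability x asset value x exposure (constructed multipliers)."""
    score = f.cvss
    score *= 1.5 if f.exploit_public else 1.0
    score *= {1: 0.5, 2: 1.0, 3: 2.0}[f.asset_criticality]
    score *= 1.5 if f.internet_exposed else 1.0
    return round(score, 2)

def remediation_order(findings):
    """Highest risk first; the raw CVSS score only breaks ties."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)

def still_present(before, after):
    """Verify step: findings from the pre-patch scan that the follow-up scan still reports."""
    after_keys = {(f.cve, f.host) for f in after}
    return [f for f in before if (f.cve, f.host) in after_keys]

# Constructed sample findings; the CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", "test-vm-3", 10.0, False, 1, False),  # perfect 10, isolated test box
    Finding("CVE-0000-0002", "web-01", 7.5, True, 3, True),        # exploited, critical, exposed
    Finding("CVE-0000-0003", "db-01", 8.8, False, 3, False),
    Finding("CVE-0000-0004", "kiosk-7", 5.0, True, 2, True),
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE):
        print(f"{f.cve} {f.host:10} CVSS {f.cvss:4} ({cvss_band(f.cvss):8}) risk {risk_score(f)}")
```

Note that the CVSS 10.0 finding on the isolated test VM ranks last, which is the point behind Q1's rejection of "only fix 10.0s".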
Connections
- Feeds into risk management by quantifying the organization’s technical risk posture
- Identifies vulnerability types such as misconfigurations, missing patches, and default credentials
- Findings may trigger penetration testing to validate exploitability of discovered vulnerabilities
- Remediation through hardening and patch management reduces the attack surface
Practice Questions
Q-Bank: Vulnerability Management (4 Questions)
Q1. A vulnerability scan identifies 500 vulnerabilities across the organization. The security team has limited resources and cannot remediate all findings immediately. Which approach BEST determines the remediation order?
A. Remediate all vulnerabilities alphabetically by CVE identifier
B. Prioritize based on CVSS score, exploit availability, and asset criticality
C. Remediate only vulnerabilities with a CVSS score of 10.0
D. Wait until the next quarterly scan to reassess all findings
Answer: B. Prioritize based on CVSS score, exploit availability, and asset criticality
Risk-based prioritization considers multiple factors including vulnerability severity (CVSS score), whether a public exploit exists, and the criticality of the affected asset to determine remediation order. Option A has no security logic. Option C ignores high-severity vulnerabilities scored below 10.0 that may be actively exploited. Option D delays remediation unnecessarily, increasing exposure time.
Q2. A security team runs two vulnerability scans on the same server — one using administrative credentials and one without. The credentialed scan finds 40 more vulnerabilities than the non-credentialed scan. Why does the credentialed scan find more issues?
A. The credentialed scan uses a newer vulnerability database
B. The credentialed scan can log into the system and inspect installed software, configurations, and patches from the inside
C. The non-credentialed scan only checks for network-level vulnerabilities
D. The credentialed scan runs faster and therefore covers more checks
Answer: B. The credentialed scan can log into the system and inspect installed software, configurations, and patches from the inside
Credentialed scans authenticate to the target system for deeper inspection of installed software versions, configurations, and missing patches. Non-credentialed scans only see what is exposed externally. Option A is incorrect — both scans use the same database. Option C oversimplifies — non-credentialed scans check more than just network issues. Option D is incorrect — scan speed does not determine detection capability.
Q3. A vulnerability scanner flags a critical vulnerability on a legacy production system that cannot be patched because the vendor no longer supports the software. The system must remain operational. What is the BEST course of action?
A. Ignore the finding since patching is impossible
B. Implement compensating controls such as network segmentation and enhanced monitoring to mitigate the risk
C. Immediately decommission the system regardless of business impact
D. Mark the vulnerability as a false positive in the scanner
Answer: B. Implement compensating controls such as network segmentation and enhanced monitoring to mitigate the risk
When remediation (patching) is not possible, mitigation through compensating controls reduces the risk without eliminating the vulnerability. Network segmentation limits exposure and monitoring enables rapid detection. Option A accepts unmitigated risk, violating due diligence. Option C may not be feasible if the system supports critical operations. Option D misrepresents the finding and removes it from tracking.
Q4. After remediating a critical vulnerability by applying a vendor patch, what step should the security team take NEXT to verify the fix was effective?
A. Delete the vulnerability from the tracking database
B. Run a follow-up vulnerability scan to confirm the vulnerability is no longer detected
C. Assume the patch was successful since it was provided by the vendor
D. Schedule the next scan for the following quarter
Answer: B. Run a follow-up vulnerability scan to confirm the vulnerability is no longer detected
The vulnerability management lifecycle includes a verification step after remediation to confirm the fix was effective. Patches can fail to install, be rolled back, or not fully address the issue. Option A removes tracking without verification. Option C assumes success without evidence — patches can fail silently. Option D delays verification unnecessarily, leaving potential exposure unconfirmed.
Scenario
See case-vulnerability-management for a practical DevOps scenario applying these concepts.