What is Vulnerability Management?

Vulnerability management is a proactive strategy to identify, track, prioritize, and remediate security weaknesses and flaws in IT systems and software.

How are vulnerabilities uncovered?

To identify vulnerabilities, use vulnerability scanning and management tools to examine applications for flaws in code and misconfigurations that cause security weaknesses.

Most vulnerabilities are categorized through the National Vulnerability Database (NVD) and given unique identifiers through the Common Vulnerabilities & Exposures (CVE) list. Some vulnerability scanning solutions may also identify vulnerabilities not found in the NVD.

How many vulnerabilities do organizations typically have?

Security vulnerability scans at large organizations can cumulatively identify thousands of security risks on each machine and millions of vulnerabilities across an organization. Research reveals that nearly all assets (95%) contain at least one highly exploitable vulnerability.

How do teams remediate their vulnerabilities?

There are often more vulnerabilities than an organization has the capacity to fix. That's why prioritization of vulnerabilities is so important.

On average, companies can only remediate about one in 10 vulnerabilities on their systems. This capacity deficit puts enormous pressure on cybersecurity professionals to prioritize vulnerabilities based on which are most dangerous. However, research reveals that a mere 2% to 5% of vulnerabilities are at risk of exploitation, significantly narrowing the vulnerability management scope. 

How do teams decide which vulnerabilities to remediate? 

Traditionally, organizations have prioritized vulnerabilities according to a mix of instinct, regulatory and compliance needs, and the theoretical damage a successful attack could do. One common metric, the Common Vulnerability Scoring System (CVSS), scores vulnerabilities according to technical severity, or the damage they would do if exploited. But the truth is, many vulnerabilities with high CVSS scores pose little or no risk of exploitation.

In recent years, risk-based prioritization has become the gold standard for managing mounting cyber threats against finite resources. Leading vulnerability management software providers offer data-driven, predictive analytics based on real-world threat intelligence and business context to help define the organization’s riskiest vulnerabilities before exploitation occurs. 
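The difference between the two approaches shows up once remediation capacity is capped. The sketch below is an added example, not any vendor's scoring method: the `risk_score` formula, the `exploit_likelihood` and `asset_criticality` fields, and the `CVE-EXAMPLE-*` findings are all constructed assumptions. It fixes one in 10 findings under each ranking and measures how many of the likely-exploited findings get covered.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str                   # placeholder identifier (constructed)
    cvss: float                # technical severity, 0.0-10.0
    exploit_likelihood: float  # 0.0-1.0, assumed threat-intelligence estimate
    asset_criticality: int     # 1 (low) to 5 (business critical), assumed

def sample_findings():
    """Constructed data: 38 low-likelihood findings plus 2 likely-exploited ones."""
    out = [Finding(f"CVE-EXAMPLE-{i:04d}", 4.0 + (i % 7), 0.01, 1 + i % 3)
           for i in range(38)]
    out.append(Finding("CVE-EXAMPLE-9001", 7.5, 0.90, 5))
    out.append(Finding("CVE-EXAMPLE-9002", 6.8, 0.70, 4))
    return out

def risk_score(f):
    # Assumed model: exploitation likelihood x severity x business weight.
    return f.exploit_likelihood * f.cvss * f.asset_criticality

def pick(findings, capacity, key):
    """Return the `capacity` highest-ranked findings under the given key."""
    return sorted(findings, key=key, reverse=True)[:capacity]

def coverage(selected, findings, threshold=0.5):
    """Fraction of likely-exploited findings that made it into the fix queue."""
    likely = {f.cve for f in findings if f.exploit_likelihood >= threshold}
    if not likely:
        return 1.0  # nothing likely to be exploited, so nothing was missed
    return len(likely & {f.cve for f in selected}) / len(likely)

def compare():
    findings = sample_findings()
    capacity = len(findings) // 10  # "about one in 10" can be remediated
    by_cvss = pick(findings, capacity, key=lambda f: f.cvss)
    by_risk = pick(findings, capacity, key=risk_score)
    return capacity, coverage(by_cvss, findings), coverage(by_risk, findings), by_risk

if __name__ == "__main__":
    capacity, cvss_cov, risk_cov, queue = compare()
    print(f"capacity={capacity} cvss_coverage={cvss_cov:.0%} risk_coverage={risk_cov:.0%}")
    for f in queue:
        print(f.cve, f.cvss, round(risk_score(f), 2))
```

With this constructed data the CVSS-only queue fills up with 10.0-rated findings that are unlikely to be exploited, while the risk-ranked queue puts both likely-exploited findings first.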

What is the goal of vulnerability management? 

Organizations are striving to lower their risk profile by prioritizing and remediating the vulnerabilities that pose the greatest risk. Effective and efficient risk management programs funnel appropriate remediation resources to the right vulnerabilities, saving teams time and money while keeping risk as low as possible.