
Vulnerability management

From Wikipedia, the free encyclopedia

Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities,[1] which is part of computer security and network security. It is a form of vulnerability assessment.

Process


Identification


Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities,[2] such as exposed services on open ports, insecure software configurations, missing patches, and susceptibility to malware infections. They may also be identified by consulting public sources such as the NVD or vendor-specific security updates, or by subscribing to a commercial vulnerability alerting service.

Unknown vulnerabilities, such as a zero-day,[2] may be found with fuzz testing. Fuzzing is a cornerstone technique in which random or semi-random input data is fed to a program to detect unexpected behavior such as crashes or hangs. Tools such as AFL (American Fuzzy Lop) and libFuzzer automate the generation and mutation of inputs and use code-coverage feedback to guide them, making the process faster and more efficient. Fuzz testing can identify certain kinds of vulnerabilities, such as a buffer overflow, when it produces the relevant test cases.
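The following is an added example, not code from the article or from any fuzzing project, showing the mutational loop that tools like AFL and libFuzzer automate: a seed input is repeatedly mutated and fed to a target, and inputs that make the target fail in an undocumented way are reported. The target here is a deliberately buggy toy record parser written for this example (it trusts a length field, the same class of mistake that produces buffer over-reads in C); the parser, the record format and the seed input are all constructed for illustration.

```python
"""Constructed example: a tiny mutational fuzzer finding a length-field bug.

parse_record() is a toy parser written for this example with a deliberate bug;
it is not code from a real project. fuzz() mutates a seed input and returns
the first input that makes the parser fail in an undocumented way."""
import random
from typing import Callable, Optional, Tuple


def parse_record(data: bytes) -> Tuple[bytes, int]:
    """Record layout: 1-byte payload length, payload, 1-byte checksum.

    Bug: the length byte is trusted, so a length larger than the remaining
    data reads the checksum past the end of the buffer. In Python that is an
    IndexError; in C the same logic is an out-of-bounds read."""
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]            # fails when n > len(data) - 2
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")   # documented, expected failure
    return payload, checksum


def make_record(payload: bytes) -> bytes:
    """Build a well-formed record (used to construct the seed input)."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def is_crash(target: Callable[[bytes], object], data: bytes) -> bool:
    """True if target raises anything other than its documented ValueError."""
    try:
        target(data)
    except ValueError:
        return False
    except Exception:
        return True
    return False


def fuzz(target: Callable[[bytes], object], seed_input: bytes,
         iterations: int = 2000, seed: int = 1) -> Optional[bytes]:
    """Return the first mutated input that crashes target, or None.

    Inputs that do not crash are added to the corpus and reused as mutation
    bases, a simplified form of the corpus growth real fuzzers do with
    coverage feedback."""
    rng = random.Random(seed)          # fixed seed so runs are reproducible
    corpus = [seed_input]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        if is_crash(target, candidate):
            return candidate
        corpus.append(candidate)
    return None


SEED = make_record(b"hello")           # constructed seed: valid 7-byte record

if __name__ == "__main__":
    crash = fuzz(parse_record, SEED)
    print("crashing input:", crash)
```

The crashing input the fuzzer returns is the "relevant test case": it can be kept as a regression test, and the fix is to validate the length field against the buffer size before using it.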

Similarly, static analysis tools examine source code or binaries to identify potential vulnerabilities without executing the program. Symbolic execution, a technique that combines static and dynamic analysis by exploring program paths with symbolic rather than concrete inputs, further aids in pinpointing vulnerabilities.[3] Such analysis can be integrated into test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file).

Classification and prioritization


Organizations also use software composition analysis (SCA) and SBOM tools for third-party component checks, asset inventory systems, SIEM/SOAR platforms, and risk prioritization platforms. Data sources include CVE identifiers for publicly disclosed vulnerabilities; the NVD and CVSS for technical severity scoring;[4] CWE for classifying weakness types; the OWASP Top 10 for web application risks; the CISA KEV catalog for vulnerabilities known to be exploited in the wild; and EPSS for estimating the probability that a CVE will be exploited within the next 30 days.[5][6][7] Because a CVSS base score measures severity rather than the likelihood of exploitation, these sources are usually combined rather than prioritizing on CVSS alone.
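The block below is an added example, not code from the article or from any vendor's platform, showing how the data sources above are combined into a ranked remediation queue: evidence of exploitation (KEV) outranks predicted likelihood (EPSS), which outranks technical severity alone (CVSS), with asset exposure as a tie-breaker. The findings, scores, CVE-style identifiers, the EPSS threshold and the tier deadlines are all constructed placeholders for illustration; in practice the scores come from the NVD, the EPSS feed and the KEV catalog, and the tiering policy is whatever the organization has decided.

```python
"""Constructed example: rank scan findings using KEV, EPSS and CVSS.

All findings, scores and identifiers here are made up for illustration;
real values come from the scanner, NVD/CVSS, the EPSS feed and CISA KEV.
The tiering rules and deadlines are an assumed example policy, not a
standard."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str               # identifier; constructed placeholders, not real CVEs
    asset: str             # host or service where the finding was made
    cvss: float            # CVSS base score, 0.0 to 10.0 (severity)
    epss: float            # EPSS probability of exploitation within 30 days
    in_kev: bool           # listed in the CISA Known Exploited Vulnerabilities catalog
    internet_facing: bool  # asset exposure, from the asset inventory


EPSS_HIGH = 0.10           # assumed threshold; tune to the organization's risk appetite
SLA_DAYS = {0: 7, 1: 14, 2: 30, 3: 60, 4: 180}   # assumed deadline per tier


def tier(f: Finding) -> int:
    """Lower is more urgent. Exploitation evidence outranks predicted
    likelihood, which outranks severity alone."""
    if f.in_kev:
        return 0
    if f.epss >= EPSS_HIGH:
        return 1
    if f.cvss >= 9.0:
        return 2
    if f.cvss >= 7.0:
        return 3
    return 4


def sort_key(f: Finding) -> Tuple[int, bool, float, float]:
    # Within a tier: internet-facing assets first, then higher EPSS, then higher CVSS.
    return (tier(f), not f.internet_facing, -f.epss, -f.cvss)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Return the findings in remediation order."""
    return sorted(findings, key=sort_key)


def sla_days(f: Finding) -> int:
    """Days allowed to remediate under the assumed example policy."""
    return SLA_DAYS[tier(f)]


# Constructed sample findings. Note that the highest CVSS score is not the
# most urgent item once exploitation data is taken into account.
SAMPLE = [
    Finding("CVE-0000-0001", "web01", cvss=9.8, epss=0.02, in_kev=False, internet_facing=True),
    Finding("CVE-0000-0002", "db01", cvss=7.5, epss=0.45, in_kev=False, internet_facing=False),
    Finding("CVE-0000-0003", "vpn01", cvss=6.1, epss=0.04, in_kev=True, internet_facing=True),
    Finding("CVE-0000-0004", "build01", cvss=5.3, epss=0.001, in_kev=False, internet_facing=False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"tier {tier(f)}  fix within {sla_days(f):3d} days  "
              f"{f.cve}  {f.asset}  cvss={f.cvss}  epss={f.epss}")
```

Run stand-alone, the KEV-listed finding on vpn01 comes first despite its medium CVSS score, the high-EPSS finding on db01 second, and the CVSS 9.8 finding on web01 only third.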

Remediation and mitigation


Correcting vulnerabilities may involve installing a patch, changing a network security policy, reconfiguring software, or educating users about social engineering. Where a fix cannot be applied immediately, a vulnerability is mitigated instead: compensating controls such as restricting network access to the affected service reduce the exposure until remediation is possible.


References

  1. Foreman, Park (2010). Vulnerability Management. Boca Raton: CRC Press. p. 1. ISBN 978-1-4398-0151-2. OCLC 444700438.
  2. Juuso, Anna-Maija; Takanen, Ari (October 2010). "Unknown Vulnerability Management". Codenomicon whitepaper. Archived 2011-02-27 at the Wayback Machine.
  3. Nabel Zaharudin, Muhammad; Haziq Zuhaimi, Muhammad; Hossain Shezan, Faysal (19 May 2024). "Poster: Enhancing Symbolic Execution with LLMs for Vulnerability Detection" (PDF). IEEE Symposium on Security and Privacy. Retrieved 2024-11-27.
  4. Walkowski, Michał; Oko, Jacek; Sujecki, Sławomir (19 September 2021). "Vulnerability Management Models Using a Common Vulnerability Scoring System". Applied Sciences. 11 (18): 8735. doi:10.3390/app11188735.
  5. "NVD - Vulnerability Metrics". nvd.nist.gov. Retrieved 2026-05-31.
  6. "Known Exploited Vulnerabilities Catalog | CISA". www.cisa.gov. Retrieved 2026-05-31.
  7. "Advisory on Software Bill of Materials and Real-time Vulnerability Monitoring for Open-Source Software and Third-Party Dependencies | OWASP Foundation". owasp.org. Retrieved 2026-05-31.