Chapter 29: Vulnerability Management¶
Overview¶
Vulnerability management is the continuous process of identifying, assessing, prioritizing, remediating, and validating security weaknesses across an organization's entire attack surface. In 2023, over 29,000 new CVEs were published — an average of 80 per day. No organization can patch everything. Effective vulnerability management is about smart prioritization using CVSS, EPSS, threat intelligence, and asset criticality — focusing finite patching resources on vulnerabilities actively exploited in the wild. This chapter covers scanning methodology, risk-based prioritization, VM program design, patch management, and emerging cloud/container/API vulnerability management.
Learning Objectives¶
By the end of this chapter, students SHALL be able to:
- Design and operate a continuous vulnerability management program
- Use CVSS, EPSS, and threat intelligence to prioritize remediation
- Configure and interpret results from Nessus, Qualys, and open-source scanners
- Integrate VM into CI/CD pipelines for shift-left security
- Report vulnerability risk to executive leadership meaningfully
- Manage vulnerabilities across cloud, containers, and code repositories
Prerequisites¶
- Basic understanding of TCP/IP networking and common services
- Familiarity with CVSS scoring
- Basic Linux and Windows system administration
Why This Matters
Log4Shell (CVE-2021-44228) was disclosed December 9, 2021. Within 72 hours, attackers had weaponized it to compromise hundreds of thousands of systems. Organizations that patched within 7 days had dramatically lower breach rates than those that waited weeks. CISA's Known Exploited Vulnerabilities (KEV) catalog shows 1,000+ CVEs that threat actors are actively exploiting today — most are old vulnerabilities on unpatched systems. Vulnerability management is fundamentally a race between defenders patching and attackers exploiting.
29.1 Vulnerability Management Program Framework¶
flowchart LR
A[1. DISCOVER\nAsset Inventory] --> B[2. ASSESS\nVulnerability Scanning]
B --> C[3. PRIORITIZE\nRisk Scoring]
C --> D[4. REMEDIATE\nPatch/Mitigate/Accept]
D --> E[5. VERIFY\nRescan + Validate]
E --> F[6. REPORT\nMetrics + Trends]
F --> A
style C fill:#e63946,color:#fff
style D fill:#1d3557,color:#fff29.2 Asset Discovery and Inventory¶
A vulnerability management program is only as good as its asset inventory. Unknown assets cannot be scanned.
29.2.1 Asset Discovery Methods¶
# Nmap — network discovery
nmap -sn 10.0.0.0/8 -oX discovery.xml # Ping sweep of entire network
nmap -p 22,80,443,3389,8080,8443 10.0.0.0/8 --open # Common service ports
# Passive network discovery (no noise)
# netdisco — Layer 2/3 network discovery
# Rumble (now runZero) — passive + active discovery
# Cloud asset discovery
# AWS: aws resourcegroupstaggingapi get-resources --region us-east-1
# Azure: az resource list --output table
# GCP: gcloud asset search-all-resources
# CMDB integration
# ServiceNow, Tanium, Axonius — asset management platforms
# Automated discovery feeds CMDB; CMDB feeds VM scanners
# Shodan for external footprint
shodan search org:"TargetCorp" --fields ip_str,port,product,hostname
29.3 Vulnerability Scanning¶
29.3.1 Scan Types¶
| Scan Type | Mechanism | Coverage | Use Case |
|---|---|---|---|
| Unauthenticated | Network service banners | External/limited | External attack surface |
| Authenticated | Credentials for deep inspection | Full | Internal comprehensive |
| Agent-based | Local agent on endpoint | Full + offline | Laptops, remote workers |
| Cloud configuration | API-based configuration review | Cloud misconfigs | AWS/Azure/GCP posture |
| Container image | Layer-by-layer image scan | Application dependencies | CI/CD pipeline |
| Web application | DAST/SAST | Application vulnerabilities | Web apps and APIs |
29.3.2 Nessus Configuration¶
# Nessus Professional — industry standard vulnerability scanner
# Create credentialed scan (Windows)
Nessus → New Scan → Advanced Scan
Credentials Tab:
Add → Windows → SMB
Username: domain\nessus-scanner
Password: [service account password]
# Service account needs local admin on Windows targets for deep inspection
# Credential-based Linux scan
Add → SSH
Auth method: Public Key
Username: nessus
Private key: [path to key file]
# Scan policy settings for comprehensive assessment
Discovery → Ping Methods: TCP/UDP/ICMP
Assessment → Scan Type: Combined
Assessment → Accuracy: Thorough
Advanced → Consider unscanned ports as closed: true
# Schedule and scope
Schedule: Weekly for internal; daily for critical systems
Targets: Define by asset group (Servers, Workstations, Network, Cloud)
# Export findings
# File → Export → Nessus format (for import into Defect Dojo)
# File → Export → CSV (for spreadsheet analysis)
29.3.3 OpenVAS / Greenbone¶
# OpenVAS — open source vulnerability scanner
# Docker deployment
docker run -d -p 9390:9390 -p 9392:9392 greenbone/openvas
# CLI scan via gvm-cli
gvm-cli socket --gmp-username admin --gmp-password password \
--xml "<create_task>
<name>Weekly Internal Scan</name>
<target id='TARGET_UUID'/>
<config id='CONFIG_UUID'/>
</create_task>"
# Run task
gvm-cli socket --xml "<start_task task_id='TASK_UUID'/>"
29.4 Risk-Based Prioritization¶
29.4.1 CVSS — The Foundation¶
CVSS (Common Vulnerability Scoring System) v3.1 provides a 0-10 base score:
CVSS METRIC GROUPS:
Base Score (Intrinsic):
├── Attack Vector (AV): Network / Adjacent / Local / Physical
├── Attack Complexity (AC): Low / High
├── Privileges Required (PR): None / Low / High
├── User Interaction (UI): None / Required
├── Scope (S): Unchanged / Changed
├── Confidentiality Impact (C): None / Low / High
├── Integrity Impact (I): None / Low / High
└── Availability Impact (A): None / Low / High
Temporal Score (changes over time):
├── Exploit Code Maturity: Unproven / PoC / Functional / High
├── Remediation Level: Unavailable / Workaround / Temporary Fix / Official Fix
└── Report Confidence: Unknown / Reasonable / Confirmed
Environmental Score (organization-specific):
└── Asset criticality adjustments
29.4.2 EPSS — Exploit Prediction Scoring System¶
CVSS tells you how bad a vulnerability is; EPSS tells you how likely it is to be exploited in the wild in the next 30 days.
import requests
def get_epss_score(cve_id: str) -> dict:
"""Fetch EPSS probability for a CVE from first.org API"""
response = requests.get(
f"https://api.first.org/data/v1/epss?cve={cve_id}",
timeout=10
)
data = response.json()
if data["data"]:
return {
"cve": cve_id,
"epss_score": float(data["data"][0]["epss"]),
"percentile": float(data["data"][0]["percentile"]),
"model_version": data["data"][0]["model_version"]
}
return {"cve": cve_id, "epss_score": 0.0}
# CVE-2021-44228 (Log4Shell) EPSS
log4shell = get_epss_score("CVE-2021-44228")
# Returns: epss_score ~0.97 (97% probability of exploitation in next 30 days)
# This is top 99th percentile — prioritize immediately
29.4.3 CISA KEV Catalog¶
The CISA Known Exploited Vulnerabilities (KEV) Catalog is the single most authoritative source on which vulnerabilities are actively being exploited.
# Download and parse CISA KEV catalog
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
| python3 -c "
import sys, json
kev = json.load(sys.stdin)
print(f'Total KEV entries: {len(kev[\"vulnerabilities\"])}')
# Find KEVs added in last 7 days
from datetime import datetime, timedelta
week_ago = datetime.now() - timedelta(days=7)
recent = [v for v in kev['vulnerabilities']
if datetime.strptime(v['dateAdded'], '%Y-%m-%d') > week_ago]
print(f'Added last 7 days: {len(recent)}')
for v in recent:
print(f'{v[\"cveID\"]} - {v[\"vendorProject\"]} - {v[\"product\"]} - Due: {v[\"dueDate\"]}')
"
29.4.4 Risk-Based Prioritization Formula¶
def calculate_vuln_priority(vuln: dict, asset: dict) -> float:
"""
Combined risk score for remediation prioritization.
Returns 0-100 score (higher = remediate first).
"""
cvss = vuln["cvss_v3_base"] # 0-10
epss = vuln["epss_score"] # 0-1
in_kev = vuln["in_cisa_kev"] # True/False
asset_criticality = asset["criticality"] # 1-5 (5=most critical)
is_externally_facing = asset["internet_facing"]
# Base risk
score = cvss * 10 # 0-100
# EPSS multiplier (high exploitation probability = higher priority)
score *= (1 + epss) # 1.0-2.0x multiplier
# CISA KEV — immediately remediate if in KEV
if in_kev:
score = max(score, 90) # Minimum 90 if in KEV
# Asset criticality multiplier
score *= (asset_criticality / 5) * 1.5 + 0.7 # 0.7-2.2x based on criticality
# External exposure multiplier
if is_externally_facing:
score *= 1.5
return min(score, 100)
29.5 Remediation Management¶
29.5.1 SLA Targets by Risk Level¶
| Severity | CVSS Range | External-Facing | Internal Critical | Internal Standard |
|---|---|---|---|---|
| Critical | 9.0–10.0 | 24 hours | 72 hours | 7 days |
| High | 7.0–8.9 | 72 hours | 7 days | 30 days |
| Medium | 4.0–6.9 | 7 days | 30 days | 90 days |
| Low | 0.1–3.9 | 30 days | 90 days | 180 days |
CISA KEV special case: CISA-mandated agencies must remediate KEV vulnerabilities within the dueDate specified in the catalog (typically 2 weeks for recent additions).
29.5.2 Exception and Risk Acceptance Process¶
Not all vulnerabilities can be patched immediately. A formal exception process is required:
Vulnerability Exception Request:
CVE: CVE-2024-12345
System: prod-db-01.corp.local
CVSS: 8.7 (High)
Reason for Exception: Vendor has not released patch; applying mitigating control instead
Mitigating Control: Firewall rule restricting access to database port from authorized hosts only
Risk Owner: Database Team Lead (signature required)
Security Approval: CISO or Delegate (signature required)
Review Date: 90 days (or when vendor patch available)
Residual Risk: Accepted by Risk Owner
# Exceptions SHALL NOT exceed:
# - 90 days for High severity
# - 30 days for Critical severity
# - Renewal requires fresh risk assessment
29.6 Shift-Left — Vulnerability Management in CI/CD¶
29.6.1 SAST, DAST, SCA in the Pipeline¶
# GitHub Actions — integrated security pipeline
name: Security Scanning Pipeline
on: [push, pull_request]
jobs:
sast:
name: Static Analysis (SAST)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Semgrep SAST
uses: semgrep/semgrep-action@v1
with:
config: "p/owasp-top-ten p/java p/nodejs-security"
auditOn: push
sca:
name: Software Composition Analysis
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy dependency scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
severity: 'HIGH,CRITICAL'
exit-code: '1' # Fail pipeline on High/Critical
container:
name: Container Image Scan
runs-on: ubuntu-latest
steps:
- name: Build image
run: docker build -t myapp:${{ github.sha }} .
- name: Scan image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'myapp:${{ github.sha }}'
severity: 'HIGH,CRITICAL'
exit-code: '1'
dast:
name: Dynamic Analysis (DAST)
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' # Only on main branch
steps:
- name: Run OWASP ZAP DAST
uses: zaproxy/action-baseline@v0.11.0
with:
target: 'https://staging.example.com'
fail_action: true
cmd_options: '-a'
29.7 Vulnerability Management Tools¶
| Tool | Type | Strength | License |
|---|---|---|---|
| Tenable Nessus / Tenable.io | Comprehensive scanner | Industry standard; widest plugin library | Commercial |
| Qualys VMDR | Cloud-based VM | Continuous monitoring; cloud-native | Commercial |
| Rapid7 InsightVM | VM + remediation workflow | Integration with ticketing; live dashboard | Commercial |
| OpenVAS / Greenbone | Open source scanner | Free; community plugins | Open source |
| Nuclei | Template-based scanner | Speed; community templates | Open source |
| DefectDojo | Vulnerability management | Aggregates scanner results; deduplication | Open source |
| Snyk | Code/container/IaC | Developer-friendly; IDE integration | Freemium |
| OWASP ZAP | Web application DAST | API scanning; CI/CD integration | Open source |
| Semgrep | SAST | High accuracy; extensive rules | Freemium |
29.8 Metrics and Reporting¶
29.8.1 VM Program KPIs¶
vm_metrics = {
"period": "2026-Q1",
"total_vulnerabilities": {
"critical": 142,
"high": 847,
"medium": 4821,
"low": 12904
},
"remediation_sla_compliance": {
"critical_within_72h_pct": 89, # Target: >95%
"high_within_7d_pct": 74, # Target: >90%
"cisa_kev_within_due_date_pct": 97 # Target: 100%
},
"coverage": {
"assets_scanned_pct": 96, # Target: >99%
"authenticated_scan_pct": 82, # Target: >90%
"mean_days_since_last_scan": 4.2 # Target: <7
},
"trends": {
"critical_open_delta": -23, # vs prior quarter (negative = improvement)
"mean_remediation_time_days": 4.7, # vs 6.2 prior quarter
"new_cves_added_kev_this_quarter": 89
}
}
29.9 Benchmark Controls¶
| Control ID | Title | Requirement |
|---|---|---|
| Nexus SecOps-VM-01 | Asset Inventory | Comprehensive, continuously updated inventory of all systems |
| Nexus SecOps-VM-02 | Scanning Coverage | Authenticated scanning of 99%+ assets within 7-day cycle |
| Nexus SecOps-VM-03 | Risk-Based Prioritization | CVSS + EPSS + KEV combined scoring for remediation priority |
| Nexus SecOps-VM-04 | Remediation SLAs | Documented SLAs; >95% of Critical remediated within 72 hours |
| Nexus SecOps-VM-05 | Shift-Left Integration | SAST/SCA/container scanning in CI/CD pipeline; critical blocks deploy |
| Nexus SecOps-VM-06 | Exception Management | Formal exception process with risk owner approval and 90-day max |
Exam Prep & Certifications¶
Relevant Certifications
The topics in this chapter align with the following certifications:
- GIAC GEVA — Domains: Vulnerability Assessment, Risk-Based Prioritization
- CompTIA CySA+ — Domains: Vulnerability Management, Security Operations
Key Terms¶
CVSS (Common Vulnerability Scoring System) — An open framework for communicating the characteristics and severity of software vulnerabilities, producing scores from 0-10.
EPSS (Exploit Prediction Scoring System) — A machine learning model that predicts the probability a given CVE will be exploited in the wild within the next 30 days.
KEV (Known Exploited Vulnerabilities) — CISA's catalog of CVEs confirmed to have been exploited by threat actors, with mandatory remediation deadlines for US federal agencies.
SCA (Software Composition Analysis) — Scanning open source dependencies in application code for known vulnerabilities, license compliance issues, and outdated libraries.
SAST (Static Application Security Testing) — Analyzing source code without executing it to identify security vulnerabilities, insecure coding patterns, and potential defects.
DAST (Dynamic Application Security Testing) — Testing a running application by sending crafted inputs to discover runtime vulnerabilities including injection flaws, authentication issues, and configuration errors.