Vulnerability Management

The Vulnerability Management Lifecycle

Vulnerability management is a continuous process: discover, classify, prioritize, remediate, and verify. It is not a quarterly checkbox exercise.

Scanning Infrastructure

Deploy scanners across your environment:

scan-schedule.yaml

scanners:

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\- type: network

tool: nessus

target: 10.0.0.0/8

schedule: daily

port_range: 1-65535

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\- type: webapp

tool: burp-suite

target: "https://*.example.com"

schedule: weekly

auth_session: required

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\- type: container

tool: trivy

target: "registry.example.com/*"

schedule: on-push

CVSS and EPSS Prioritization

CVSS (Common Vulnerability Scoring System) measures severity. EPSS (Exploit Prediction Scoring System) measures likelihood of exploitation.

import requests

class VulnerabilityPrioritizer:

def init(self):

self.epss_api = "https://api.first.org/epss/v1"

def prioritize(self, vulnerabilities):

scored = []

for vuln in vulnerabilities:

cvss = vuln.get("cvss_score", 0)

Get EPSS score

epss = self.get_epss(vuln["cve_id"])

Combined priority score

priority = (cvss * 0.4) + (epss * 0.6)

scored.append({

"cve": vuln["cve_id"],

"cvss": cvss,

"epss": epss,

"priority": priority,

"has_exploit": vuln.get("exploit_available", False)

})

return sorted(scored, key=lambda x: x["priority"], reverse=True)

def get_epss(self, cve_id):

resp = requests.get(f"{self.epss_api}/epss?cve={cve_id}")

data = resp.json()

return float(data["data"][0]["epss"]) if data.get("data") else 0.0

Remediation SLAs

Define SLAs based on risk:

| Severity | Remediation SLA | Verification | |----------|----------------|--------------| | Critical | 24 hours | Re-scan required | | High | 7 days | Patch confirmation | | Medium | 30 days | Ticket closure | | Low | 90 days | Exception review |

Automated Remediation Workflows

from datetime import datetime, timedelta

import smtplib

def process_vulnerability(vuln):

sla_map = {

"critical": timedelta(hours=24),

"high": timedelta(days=7),

"medium": timedelta(days=30),

"low": timedelta(days=90)

}

severity = get_severity(vuln["cvss_score"])

deadline = datetime.utcnow() + sla_map[severity]

Assign to team

ticket = create_ticket(

title=f"Remediate {vuln['cve_id']}",

assignee=get_owner(vuln["asset"]),

deadline=deadline,

severity=severity

)

Escalate if approaching deadline

if datetime.utcnow() > deadline - timedelta(hours=4):

if severity in ["critical", "high"]:

escalate_to_manager(ticket)

Reporting and Metrics

Track key performance indicators:

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\-- Mean time to remediate

SELECT severity,

AVG(EXTRACT(EPOCH FROM (resolved_at - detected_at)) / 3600) as avg_hours

FROM vulnerabilities

WHERE detected_at > NOW() - INTERVAL '90 days'

GROUP BY severity

ORDER BY severity;

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\-- Vulnerability backlog

SELECT COUNT(*) as open_count,

severity,

CURRENT_DATE - MAX(detected_at::date) as oldest_days

FROM vulnerabilities

WHERE status = 'open'

GROUP BY severity;

Conclusion

Modern vulnerability management requires continuous scanning, risk-based prioritization using CVSS and EPSS, and enforceable SLAs. Automate where possible but maintain human oversight for critical findings. Measure your mean time to remediate and drive it down over time.