Definitive Guide

Building a Vulnerability Management Program

Vulnerabilities you do not know about are vulnerabilities you cannot fix. Cyber Defense Agent provides continuous external vulnerability scanning — but a complete program requires internal scanning, remediation workflows, and defined SLAs.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Why vulnerability management is a continuous process

Vulnerability management is not a one-time scan. It is an ongoing program of discovering, prioritizing, remediating, and verifying vulnerabilities across your entire attack surface. New vulnerabilities are disclosed daily: the National Vulnerability Database (NVD) published over 25,000 CVEs in 2025 alone, and every software update, configuration change, or new service you deploy can introduce more. A quarterly scan is not sufficient; threats evolve continuously, and your scanning must keep pace.

Cyber Defense Agent provides continuous external vulnerability scanning of your internet-facing assets. Every scan checks for exposed services, outdated software, SSL/TLS misconfigurations, missing security headers, open ports, and known CVEs on public-facing systems. This external scanning is a critical component, but it is one piece of a comprehensive vulnerability management program.

Compliance frameworks require vulnerability management:

- PCI DSS v4.0: Requirement 11.3 mandates internal and external vulnerability scans at least quarterly and after significant changes, with the external scans performed by an Approved Scanning Vendor (ASV).
- NIST CSF: ID.RA (Risk Assessment) and PR.IP (Information Protection Processes and Procedures) address vulnerability management.
- FTC Safeguards Rule: Requires periodic assessment of safeguards, including vulnerability identification.
- HIPAA Security Rule: The risk analysis requirement includes identifying vulnerabilities to electronic protected health information.
- CIS Controls v8: Control 7 (Continuous Vulnerability Management) is a core control.
- Cyber insurance: Carriers increasingly require evidence of a vulnerability scanning program.

Scan types and when to use them

A complete vulnerability management program uses multiple scan types:

1. External vulnerability scans

What they scan: Internet-facing assets: websites, email servers, VPN gateways, APIs, DNS records, SSL certificates, and any publicly accessible service.

Why they matter: These are the assets attackers see first. External scans identify what is exposed before attackers do.

Cyber Defense Agent scans: CDA performs continuous external scanning, checking for exposed services, SSL/TLS configuration issues, missing security headers, DNS misconfigurations, email authentication (SPF, DKIM, DMARC), and known CVEs on public-facing systems. Results feed directly into your Cyber Defense Score.

Frequency: Continuous (CDA), plus quarterly external scans by an Approved Scanning Vendor if PCI DSS applies to you. ASV scans are unauthenticated by design; the authenticated scans described below are a separate, internal activity.

2. Internal vulnerability scans

What they scan: Internal network devices, servers, workstations, and applications: the assets behind your firewall.

Why they matter: Once an attacker gains initial access (via phishing or compromised credentials), they exploit internal vulnerabilities for lateral movement and privilege escalation.

Tools: Nessus Essentials (free for up to 16 IPs), Qualys Community Edition, or OpenVAS (Greenbone).

Frequency: Monthly for critical systems, quarterly for all internal assets.

3. Authenticated vs. unauthenticated scans

Unauthenticated scans test what an attacker with network access but no credentials can see. Authenticated scans log in to systems with a dedicated, least-privilege scanning account and identify vulnerabilities that require local access to detect: missing patches, misconfigurations, weak permissions. Authenticated scans typically surface many times more findings than unauthenticated scans of the same hosts (scanner vendors commonly cite 10-20x), so run internal scans authenticated wherever you can.

4. Web application scans

If you have custom web applications, run dedicated web application scans (OWASP ZAP, Burp Suite) to identify SQL injection, cross-site scripting (XSS), authentication flaws, and other application-layer vulnerabilities that a network-layer scanner will not find.

5. Configuration scans

Use CIS Benchmarks to audit system configurations against industry baselines. Tools like Microsoft Secure Score, CIS-CAT, or manual audits verify that systems are hardened according to best practices.
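To make the external, unauthenticated checks concrete, here is an added Python example (not Cyber Defense Agent's scanner code) that runs three of the checks listed above, security headers, SPF and DMARC, over constructed inputs for the hypothetical domain example.test. A real scanner would fetch the headers over HTTPS and the TXT records via DNS; the thresholds, such as the minimum HSTS max-age, are this example's choices.

```python
import re

# Constructed observations for the hypothetical domain example.test. A real
# scanner fetches the headers over HTTPS and the TXT records via DNS; they
# are inline here so the checks run offline.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_TXT = {
    "example.test": ["v=spf1 ip4:203.0.113.0/24 all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

HSTS_MIN_AGE = 15552000  # six months; a common scanner threshold (one year for preload)


def check_headers(headers):
    """Findings for missing or weak HTTP security headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("medium", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(("low", f"HSTS max-age below {HSTS_MIN_AGE}s: {hsts}"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("medium", "Content-Security-Policy missing"))
    # Clickjacking needs either X-Frame-Options or a CSP frame-ancestors directive.
    if "frame-ancestors" not in csp.lower() and \
            h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("low", "no clickjacking protection (X-Frame-Options / frame-ancestors)"))
    return findings


def check_spf(txt_records):
    """Findings for the SPF record at the zone apex (RFC 7208 rules)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record")]
    if len(spf) > 1:
        return [("high", "multiple SPF records: receivers treat this as permerror")]
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return [("medium", "SPF record has no 'all' mechanism")]
    # A mechanism without a qualifier defaults to '+' (pass), so a bare 'all' equals '+all'.
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return [("high", "SPF ends in +all: every sender passes")]
    if qualifier == "?":
        return [("medium", "SPF ends in ?all (neutral): no enforcement")]
    return []


def check_dmarc(txt_records):
    """Findings for the _dmarc TXT record."""
    rec = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return [("high", "no DMARC record")]
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(("high", f"DMARC p= tag missing or invalid: {policy!r}"))
    elif policy == "none":
        findings.append(("medium", "DMARC p=none: spoofed mail is reported, not blocked"))
    if tags.get("pct", "100") != "100":
        findings.append(("low", f"DMARC pct={tags['pct']}: policy applied to only part of the mail"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: aggregate reports are not collected"))
    return findings


def scan(domain, headers, txt):
    """Run every check for one domain; returns (check, severity, message) tuples."""
    results = [("headers", s, m) for s, m in check_headers(headers)]
    results += [("spf", s, m) for s, m in check_spf(txt.get(domain, []))]
    results += [("dmarc", s, m) for s, m in check_dmarc(txt.get(f"_dmarc.{domain}", []))]
    return results


if __name__ == "__main__":
    for check, sev, msg in scan("example.test", SAMPLE_HEADERS, SAMPLE_TXT):
        print(f"[{sev:>6}] {check}: {msg}")
```

Against the constructed inputs this reports a short HSTS lifetime, a missing CSP, no clickjacking protection, an SPF record that ends in an unqualified all (which passes every sender), and a DMARC policy of none. The SPF default-qualifier rule is the one that catches people: a record that looks restrictive but ends in a bare all is wide open.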

Remediation workflow and SLAs

Discovering vulnerabilities is only half the job. Remediation is where security improvement actually happens.

Prioritization framework: Not all vulnerabilities are equal. Prioritize based on:

- CVSS score: The Common Vulnerability Scoring System provides a severity rating (0-10). Use this as a starting point, not the only factor.
- Exploitability: Is there a known exploit in the wild? CISA's Known Exploited Vulnerabilities (KEV) catalog lists CVEs with evidence of active exploitation.
- Asset criticality: A vulnerability on your public-facing web server is more urgent than the same vulnerability on an isolated test machine.
- Exposure: External-facing vulnerabilities (the ones CDA detects) are higher priority than internal-only vulnerabilities.

Remediation SLAs: Define a maximum time-to-remediate for each severity band:

- Critical (CVSS 9.0-10.0): Remediate within 24-48 hours. These are emergency patches.
- High (CVSS 7.0-8.9): Remediate within 7 days.
- Medium (CVSS 4.0-6.9): Remediate within 30 days.
- Low (CVSS 0.1-3.9): Remediate within 90 days.
- Informational: Address during regular maintenance cycles.

For any vulnerability listed in CISA's KEV catalog, override the SLA to 48 hours maximum regardless of CVSS score. Measure the clock from the time of discovery, not from the time someone picks up the ticket.

Remediation workflow:

1. Discovery: Vulnerability identified by CDA scan, internal scan, or vendor advisory.
2. Triage: Assign severity, confirm the vulnerability is valid (not a false positive), and identify the asset owner.
3. Assignment: Route to the responsible team or individual with a clear SLA deadline.
4. Remediation: Apply the patch, update the configuration, or implement a compensating control.
5. Verification: Re-scan to confirm the vulnerability is resolved. CDA re-scans automatically; for internal findings, trigger a targeted re-scan rather than waiting for the next scheduled one.
6. Documentation: Record the vulnerability, remediation action, timeline, and verification result.

Exception handling: Some vulnerabilities cannot be immediately remediated (legacy system, vendor dependency). Document these as accepted risks with compensating controls, executive sign-off, and a review date. Never leave exceptions undocumented, and never let an exception silently outlive its review date.
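The prioritization rules, SLA table and six-step workflow above, as an added Python example (not Cyber Defense Agent's code): it triages a constructed set of findings against a placeholder KEV excerpt and asset inventory, orders the work queue, records every state change as the documentation trail, and at verification time closes what the re-scan no longer reports while flagging anything still open past its deadline. The hostnames, the CVE ids (placeholders, not real entries) and the within-band ordering are this example's assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Remediation SLAs in hours per severity band, from the table above. Informational
# findings ride the normal maintenance cycle, so they carry no deadline.
SLA_HOURS = {"critical": 48, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}
KEV_SLA_HOURS = 48  # override for anything in CISA's KEV catalog, whatever the CVSS
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
DEMO_T0 = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)  # fixed "now" for the demo

# Constructed stand-ins for the KEV catalog and the asset inventory. The CVE ids are
# placeholders rather than real entries; the hostnames are hypothetical.
KEV = {"CVE-2099-0002"}
ASSETS = {
    "web-01": {"external": True, "critical": True},
    "fileserver-02": {"external": False, "critical": True},
    "lab-07": {"external": False, "critical": False},
}

@dataclass
class Finding:
    fid: str
    asset: str
    cve: str
    cvss: float
    source: str                  # "cda", "internal-scan" or "vendor-advisory"
    discovered: datetime
    severity: str = "untriaged"
    due: Optional[datetime] = None
    owner: str = ""
    status: str = "discovered"   # discovered -> triaged -> assigned -> remediated -> verified
    history: list = field(default_factory=list)  # the documentation step: (time, status, note)

    def move(self, status: str, when: datetime, note: str) -> None:
        """Advance the workflow state and record what happened and when."""
        self.status = status
        self.history.append((when.isoformat(), status, note))

def band(cvss: float) -> str:
    """CVSS v3 qualitative bands, matching the SLA table."""
    for floor, name in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if cvss >= floor:
            return name
    return "informational"

def triage(f: Finding, now: datetime) -> Finding:
    """Assign a severity band and a due date; KEV entries get the 48 h override."""
    f.severity = band(f.cvss)
    hours = SLA_HOURS.get(f.severity)
    if f.cve in KEV:
        hours = KEV_SLA_HOURS if hours is None else min(hours, KEV_SLA_HOURS)
    f.due = f.discovered + timedelta(hours=hours) if hours is not None else None
    f.move("triaged", now, f.severity + (" [KEV]" if f.cve in KEV else ""))
    return f

def priority_key(f: Finding):
    """Work order: KEV first, then severity band; within a band, external-facing and
    critical assets before isolated ones, then raw CVSS. The within-band order is this
    example's choice, not a rule stated on the page."""
    a = ASSETS[f.asset]
    return (f.cve not in KEV, SEVERITY_RANK[f.severity], not a["external"], not a["critical"], -f.cvss)

def verify(findings, still_detected, now: datetime):
    """Close findings the re-scan no longer reports and flag open ones past their SLA.
    still_detected is the set of (asset, cve) pairs the re-scan still sees."""
    closed, breached = [], []
    for f in findings:
        if (f.asset, f.cve) not in still_detected:
            f.move("verified", now, "re-scan clean")
            closed.append(f.fid)
        elif f.due is not None and now > f.due:
            f.history.append((now.isoformat(), f.status, f"SLA breached by {now - f.due}"))
            breached.append(f.fid)
    return closed, breached

def sample_findings(t0: datetime):
    """Constructed scan results; hosts and CVE ids are placeholders."""
    return [
        Finding("F1", "web-01", "CVE-2099-0001", 7.5, "cda", t0),
        Finding("F2", "fileserver-02", "CVE-2099-0002", 5.3, "internal-scan", t0),
        Finding("F3", "lab-07", "CVE-2099-0003", 9.8, "internal-scan", t0),
        Finding("F4", "web-01", "CVE-2099-0004", 2.0, "cda", t0),
    ]

def run_cycle(t0: datetime = DEMO_T0):
    """One pass: triage, order, assign, fix two items, re-scan at t0 + 3 days."""
    queue = sorted((triage(f, t0) for f in sample_findings(t0)), key=priority_key)
    by_id = {f.fid: f for f in queue}
    for f in queue:
        f.owner = "platform-team"
        f.move("assigned", t0, f"owner {f.owner}, due {f.due}")
    by_id["F3"].move("remediated", t0 + timedelta(hours=20), "vendor patch applied")
    by_id["F1"].move("remediated", t0 + timedelta(days=2), "package upgraded")
    # Constructed re-scan: the KEV item is still exposed (vendor fix pending), F4 untouched.
    still_present = {("fileserver-02", "CVE-2099-0002"), ("web-01", "CVE-2099-0004")}
    closed, breached = verify(queue, still_present, t0 + timedelta(days=3))
    return [f.fid for f in queue], closed, breached
```

Calling run_cycle() returns the work order (the KEV item first even though its CVSS is only 5.3, then the 9.8 on the lab box, then the rest), the ids closed by the re-scan, and the ids that breached their SLA; the KEV finding that is still present three days after discovery shows up as a breach, which is exactly the case the exception-handling paragraph says must be documented rather than ignored. The history list on each Finding is the audit record the Documentation step asks for.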

Key Takeaways

TL;DR

Vulnerability management is continuous — not a one-time scan. New CVEs are published daily.

Cyber Defense Agent provides continuous external vulnerability scanning of your public-facing assets.

Combine external scans (CDA) with internal authenticated scans for complete coverage.

Define and enforce remediation SLAs: Critical within 48 hours, High within 7 days, Medium within 30 days.

Prioritize using CVSS scores, CISA KEV catalog, asset criticality, and exposure level.

FAQ

Frequently asked questions

How often should we run vulnerability scans?

External scans should run continuously (Cyber Defense Agent does this automatically). Internal scans should run monthly for critical systems and quarterly for all assets. PCI DSS requires quarterly external scans by an Approved Scanning Vendor (ASV). Web application scans should run quarterly or after any significant code changes.

What is the difference between vulnerability scanning and penetration testing?

Vulnerability scanning is automated and identifies known vulnerabilities across your environment. Penetration testing is a manual, targeted exercise in which a skilled tester attempts to exploit vulnerabilities and chain them together to demonstrate real-world attack paths. Both are important: scanning provides breadth and frequency, penetration testing provides depth and context. PCI DSS requires both (Requirements 11.3 and 11.4), and most other frameworks expect both.

Does Cyber Defense Agent replace the need for internal vulnerability scanning?

No. Cyber Defense Agent scans your external attack surface — internet-facing assets, DNS, email authentication, SSL/TLS, and exposed services. Internal vulnerability scanning covers assets behind your firewall (workstations, servers, internal applications) that CDA cannot reach. You need both external and internal scanning for a complete program.
