Practice: Vulnerability Management
Purpose and Strategic Importance
Vulnerability Management is the continuous process of identifying, assessing, prioritising, and remediating security flaws across code, infrastructure, and dependencies. It protects your systems, customers, and reputation by reducing exploitable risk before attackers can take advantage.
This practice ensures vulnerabilities are surfaced early and addressed promptly—embedding security into the flow of software delivery and enabling teams to ship fast without sacrificing safety.
Description of the Practice
- Vulnerability management includes scanning for flaws in source code, third-party libraries, containers, infrastructure, and configurations.
- Sources include SAST, DAST, Software Composition Analysis (SCA), IaC scanning, and manual disclosures.
- Issues are triaged by severity, exploitability, and asset criticality, then routed to appropriate teams.
- Remediation may include patching, configuration changes, code fixes, or compensating controls.
- The full lifecycle is tracked, reported, and reviewed as part of security posture monitoring.
How to Practise It (Playbook)
1. Getting Started
- Enable scanners for application code (SAST), dependencies (SCA), and infrastructure (IaC/containers).
- Establish a single source of truth (e.g. security dashboard or backlog) for all detected vulnerabilities.
- Define and publish severity levels (e.g. Critical, High, Medium, Low) and remediation SLAs.
- Prioritise fixes based on business impact, exploitability, and exposure.
2. Scaling and Maturing
- Automate vulnerability triage and ticket creation in your backlog or incident system.
- Integrate scanners into CI/CD pipelines and developer IDEs.
- Track time-to-remediate and SLA compliance across teams.
- Regularly review trends and risk posture with engineering and security leadership.
- Implement developer education to reduce introduction of common vulnerabilities.
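The severity levels, remediation SLAs, risk-based prioritisation and time-to-remediate tracking described in the Getting Started and Scaling steps above can be expressed as a small triage routine. The following is an added example for this page, not tooling from the original; the SLA day counts, the one-band severity adjustment rule, and the findings list are all constructed assumptions for illustration and should be replaced with an organisation's own published policy and scanner output.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed severity bands and remediation SLAs in calendar days. These are
# placeholder values for the example, not figures from the page or any standard.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
BANDS = ["Low", "Medium", "High", "Critical"]


@dataclass
class Finding:
    """One detected vulnerability as it would sit in the single source of truth."""
    ident: str
    title: str
    cvss: float                 # scanner base score, 0.0 to 10.0
    exploit_available: bool     # public exploit or known active exploitation
    internet_exposed: bool      # reachable from outside the trust boundary
    asset_criticality: int      # 1 = low business impact, 3 = most critical
    discovered: date
    fixed: Optional[date] = None


def base_severity(cvss: float) -> str:
    """Map a CVSS base score onto the published severity bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def effective_severity(f: Finding) -> str:
    """Adjust scanner severity by exploitability, exposure and asset criticality.

    Assumed rule: bump one band up when a public exploit exists for an
    internet-exposed asset of at least medium criticality; bump one band down
    when none of those risk factors apply. Everything else keeps its base band.
    """
    idx = BANDS.index(base_severity(f.cvss))
    if f.exploit_available and f.internet_exposed and f.asset_criticality >= 2:
        idx = min(idx + 1, len(BANDS) - 1)
    elif not f.exploit_available and not f.internet_exposed and f.asset_criticality == 1:
        idx = max(idx - 1, 0)
    return BANDS[idx]


def sla_deadline(f: Finding) -> date:
    """Remediation deadline derived from the effective severity."""
    return f.discovered + timedelta(days=SLA_DAYS[effective_severity(f)])


def sla_state(f: Finding, today: date) -> str:
    """'met' / 'breached' for closed findings; 'open' / 'overdue' for open ones."""
    deadline = sla_deadline(f)
    if f.fixed is not None:
        return "met" if f.fixed <= deadline else "breached"
    return "overdue" if today > deadline else "open"


def prioritise(findings, today: date):
    """Order the open backlog: highest effective severity first, then nearest deadline."""
    open_items = [f for f in findings if f.fixed is None]
    return sorted(open_items, key=lambda f: (RANK[effective_severity(f)], sla_deadline(f)))


def remediation_metrics(findings, today: date) -> dict:
    """Time-to-remediate and SLA compliance figures for posture reporting."""
    closed = [f for f in findings if f.fixed is not None]
    ttr = [(f.fixed - f.discovered).days for f in closed]
    within_sla = sum(1 for f in closed if sla_state(f, today) == "met")
    return {
        "closed": len(closed),
        "mean_ttr_days": round(sum(ttr) / len(ttr), 1) if ttr else None,
        "sla_compliance_pct": round(100 * within_sla / len(closed), 1) if closed else None,
        "open_overdue": sum(1 for f in findings if sla_state(f, today) == "overdue"),
    }


# Constructed sample backlog; identifiers and dates are made up for the example.
TODAY = date(2024, 6, 1)
FINDINGS = [
    Finding("VULN-1", "Deserialisation flaw in public API", 8.1, True, True, 3, date(2024, 5, 20)),
    Finding("VULN-2", "Outdated logging library in internal batch job", 9.8, False, False, 1, date(2024, 5, 15)),
    Finding("VULN-3", "Weak TLS configuration on staging", 5.3, False, True, 1, date(2024, 3, 1), fixed=date(2024, 4, 15)),
    Finding("VULN-4", "SQL injection in admin report", 9.1, True, False, 2, date(2024, 4, 1), fixed=date(2024, 4, 20)),
    Finding("VULN-5", "Verbose error page", 3.7, False, True, 1, date(2024, 5, 1)),
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS, TODAY):
        print(f"{f.ident:8} {effective_severity(f):9} due {sla_deadline(f)} [{sla_state(f, TODAY)}] {f.title}")
    print(remediation_metrics(FINDINGS, TODAY))
```

Note how the two adjustments move items across the published bands: the High-scored API flaw with a public exploit on an exposed, critical asset is treated as Critical and is already overdue, while the Critical-scored library in an unexposed, low-impact batch job is worked as High. Feeding `sla_state` and `remediation_metrics` from the real backlog gives the per-team time-to-remediate and SLA compliance numbers the Scaling step asks for, and keeps any risk exception visible rather than silently accepted.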
3. Team Behaviours to Encourage
- View vulnerabilities as shared technical debt, not security’s problem alone.
- Address root causes (e.g. unsafe coding practices), not just the individual symptom.
- Collaborate with security engineers to validate fixes and prevent recurrence.
- Include vulnerability remediation as a regular part of sprint planning and delivery metrics.
4. Watch Out For…
- Alert fatigue or backlog bloat—focus on what truly matters.
- Accepting unverified risk exceptions without formal tracking.
- Over-reliance on tools without human triage or validation.
- Slow remediation leading to unnecessary exposure and compliance risk.
5. Signals of Success
- Most vulnerabilities are found and fixed well before release or exploitation.
- Teams meet remediation SLAs for high and critical issues.
- Vulnerability volumes decline over time as practices improve.
- Developers have the knowledge and tools to write secure code by default.
- Security posture is transparent, measurable, and continuously improving.