Vulnerability management

From LIMSWiki


Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities.[3] Vulnerability management is integral to computer security and network security, and must not be confused with vulnerability assessment.[4]

Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities,[5] such as open ports, insecure software configurations, and susceptibility to malware infections. They may also be identified by consulting public sources such as the NVD, vendor-specific security updates, or a commercial vulnerability alerting service. Unknown vulnerabilities, such as a zero-day,[5] may be found with fuzz testing. Fuzzing is a cornerstone technique in which random or semi-random input data is fed to a program to detect unexpected behavior. Tools such as AFL (American Fuzzy Lop) and libFuzzer automate this process, making it faster and more efficient. Fuzz testing can identify certain kinds of vulnerabilities, such as buffer overflows, given relevant test cases. Similarly, static analysis tools analyze source code or binaries to identify potential vulnerabilities without executing the program. Symbolic execution, an advanced technique combining static and dynamic analysis, further aids in pinpointing vulnerabilities.[6] Such analysis can be facilitated by test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file).

Correcting vulnerabilities may involve the installation of a patch, a change in network security policy, reconfiguration of software, or educating users about social engineering.
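The identify, classify, prioritize, remediate cycle described above can be made concrete as a triage step over scanner output. The following is an added example, not code from the original article: it classifies constructed findings by their CVSS v3 qualitative severity band, ranks KEV-listed and internet-facing items first, and derives a remediation due date from an assumed internal SLA table (the day counts and the CVE identifiers are placeholders, not values from any standard or real record).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed internal remediation policy in days (example values, not from any standard).
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180, "None": 365}
KEV_SLA_DAYS = 14  # assumed fixed deadline for anything listed in CISA's KEV catalog
DISCOVERED = date(2025, 1, 6)  # constructed scan date for the sample run

@dataclass
class Finding:
    cve_id: str            # placeholder identifiers in SAMPLE below
    asset: str
    cvss_base: float       # CVSS v3 base score, 0.0 to 10.0
    in_kev: bool           # present in the KEV catalog
    internet_facing: bool

def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High" if score < 9.0 else "Critical"

def due_date(f: Finding, discovered: date) -> date:
    """KEV-listed findings take the KEV deadline; the rest follow the severity-band SLA."""
    days = KEV_SLA_DAYS if f.in_kev else SLA_DAYS[cvss_severity(f.cvss_base)]
    return discovered + timedelta(days=days)

def prioritise(findings: list[Finding], discovered: date) -> list[tuple[Finding, str, date]]:
    """Rank: KEV-listed first, then internet-facing, then descending CVSS score."""
    ranked = sorted(findings, key=lambda f: (not f.in_kev, not f.internet_facing, -f.cvss_base))
    return [(f, cvss_severity(f.cvss_base), due_date(f, discovered)) for f in ranked]

# Constructed sample findings; the CVE ids are placeholders, not real records.
SAMPLE = [
    Finding("CVE-0000-0001", "db-01", 9.8, False, False),
    Finding("CVE-0000-0002", "web-01", 7.5, True, True),
    Finding("CVE-0000-0003", "web-02", 5.3, False, True),
    Finding("CVE-0000-0004", "ws-17", 3.1, False, False),
]

if __name__ == "__main__":
    for f, sev, due in prioritise(SAMPLE, DISCOVERED):
        print(f"{f.cve_id} {f.asset:7} {sev:8} KEV={f.in_kev!s:5} due {due}")
```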

Project vulnerability management

Project vulnerability is the project's susceptibility to negative events, the impact those events would have, and the project's capability to cope with them.[7] Based on systems thinking, project systemic vulnerability management takes a holistic view and proposes the following process:

  1. Project vulnerability identification
  2. Vulnerability analysis
  3. Vulnerability response planning
  4. Vulnerability controlling – which includes implementation, monitoring, control, and lessons learned

Coping with negative events is done, in this model, through:

  • resistance – the static aspect, referring to the capacity to withstand instantaneous damage, and
  • resilience – the dynamic aspect, referring to the capacity to recover in time.

Redundancy is a specific method to increase resistance and resilience in vulnerability management.[8]

Antifragility is a concept introduced by Nassim Nicholas Taleb to describe the capacity of systems to not only resist or recover from adverse events, but also to improve because of them. Antifragility is similar to the concept of positive complexity proposed by Stefan Morcov.

Regulatory requirements

Vulnerability management programs are increasingly driven by regulatory mandates that require organizations to identify, assess, and remediate security weaknesses in their information systems.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information under 45 CFR 164.308(a)(1)(ii)(A), and to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level under 45 CFR 164.308(a)(1)(ii)(B) ("Security Standards: Administrative Safeguards", U.S. Department of Health and Human Services, retrieved March 31, 2026). The December 2024 HIPAA Security Rule notice of proposed rulemaking (90 FR 898) would mandate vulnerability scanning at least every six months, penetration testing at least annually, and remediation of critical vulnerabilities within defined timelines ("HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information", Federal Register, January 6, 2025, retrieved March 31, 2026).

The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 Requirement 6.3 requires organizations to identify security vulnerabilities and protect system components through patching, while Requirement 11.3 mandates internal and external vulnerability scanning at least quarterly and after significant changes ("PCI DSS v4.0", PCI Security Standards Council, March 2022, retrieved March 31, 2026). The Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog under Binding Operational Directive 22-01, requiring federal agencies to remediate listed vulnerabilities within specified timelines ("BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities", Cybersecurity and Infrastructure Security Agency, November 3, 2021, retrieved April 3, 2026).

References

  1. ^ Edemekong, Peter F.; Annamaraju, Parvathi; Haydel, MJ (2024). Health Insurance Portability and Accountability Act. StatPearls Publishing. Retrieved April 3, 2026.
  2. ^ "HIPAA Security Rule Notice of Proposed Rulemaking – Fact Sheet". U.S. Department of Health and Human Services. Retrieved April 3, 2026.
  3. ^ Foreman, Park (2010). Vulnerability management. Boca Raton: CRC Press. p. 1. ISBN 978-1-4398-0151-2. OCLC 444700438.
  4. ^ Walkowski, Michał; Oko, Jacek; Sujecki, Sławomir (19 September 2021). "Vulnerability Management Models Using a Common Vulnerability Scoring System". Applied Sciences. 11 (18): 8735. doi:10.3390/app11188735.
  5. ^ a b Anna-Maija Juuso and Ari Takanen Unknown Vulnerability Management, Codenomicon whitepaper, October 2010 [1] Archived 2011-02-27 at the Wayback Machine.
  6. ^ Nabel Zaharudin, Muhammad; Haziq Zuhaimi, Muhammad; Hossain Shezan, Faysal (19 May 2024), "Poster: Enhancing Symbolic Execution with LLMs for Vulnerability Detection" (PDF), IEEE Symposium on Security and Privacy, retrieved 2024-11-27
  7. ^ Marle, Franck; Vidal, Ludovic-Alexandre (2016). Managing Complex, High Risk Projects. London: Springer London. doi:10.1007/978-1-4471-6787-7. ISBN 978-1-4471-6785-3. OCLC 934201504.
  8. ^ Nassim N. Taleb, Daniel G. Goldstein (2009-10-01). "The Six Mistakes Executives Make in Risk Management". Harvard Business Review. ISSN 0017-8012. Retrieved 2021-12-13.

Notes

This article is a direct transclusion of the Wikipedia article and therefore may not meet the same editing standards as LIMSwiki.