Vulnerability Management Program

A well-structured vulnerability management program is a fundamental element of any mature cybersecurity initiative. It provides a systematic way to identify, prioritize, and remediate security vulnerabilities across an organization’s systems, applications, and infrastructure. Beyond that, it enables teams to quantify and manage risk more effectively, aligning security efforts with business priorities.

One of the first and most important decisions when establishing such a program is selecting the right set of tools. These tools must not only meet current technical needs but also be flexible enough to grow with the organization. Solutions that are easy to extend, customize, and integrate with other systems tend to deliver more long-term value. Choosing tools based solely on features, without considering interoperability, can limit the program’s effectiveness and adaptability over time.

To ensure compatibility and streamline integration, it's important to consider tools and platforms that support established industry standards for vulnerability reporting. Two notable formats are SARIF, commonly used for static analysis results, and OSV, a format tailored for open source vulnerabilities. The ability to import and process data in these formats is a valuable capability that fosters consistency and simplifies automation.

While many enterprise-grade platforms offer a range of scanning capabilities, such as Static Application Security Testing (SAST) and Software Composition Analysis (SCA), they often suffer from limited integration options. Relying on a single, vendor-locked solution may restrict flexibility and prevent teams from leveraging the best tools available in specific areas. A more effective approach is to combine multiple specialized tools, selecting each based on its strengths and ensuring they can work together.

The success of a vulnerability management program is ultimately measured by its impact. This includes the ability to track and report meaningful metrics such as the number of vulnerabilities identified over time, average time to resolution, and reduction in overall risk exposure. Dashboards and reports play a critical role in communicating this progress to technical teams and executive leadership alike, helping to secure ongoing investment and support.

Outcome

  • Establish a platform and process that enables multiple tools to contribute vulnerability data from their scans.
  • Ensure SAST, SCA, DAST, and Secrets scanners are integrated into the CI pipeline and actively send findings to the platform.
  • Implement metrics and dashboards to track vulnerability statistics and remediation progress.
  • Enable filtering and prioritization of vulnerabilities based on severity and urgency.
  • Assign ownership to each vulnerability, ensuring accountability for remediation.
  • Prioritize vulnerabilities according to system criticality.
  • Ensure vulnerabilities are being addressed within the defined OLA (operational level agreement).
  • Apply proper access controls to provide visibility based on project or team.
  • Set up automated reports and recurring notifications to vulnerability owners.
  • Enforce blocking of deployments or merges when vulnerabilities violate the defined SLA.
  • Provide the ability to extend the OLA or bypass enforcement in case of emergencies.
  • Calculate a risk score for each project or product based on current findings.
  • Allow for risk acceptance of certain vulnerabilities, with a defined process to revisit and reassess accepted risks periodically.

Metrics

  • Total vulnerabilities
  • Total open vulnerabilities
  • Total vulnerabilities by scan type
  • Open/Resolved Burndown
  • Total vulnerabilities by severity
  • Number of vulnerabilities per project
  • Projects with the most vulnerabilities
  • Vulnerabilities exceeding OLA
  • Projects with the most vulnerabilities exceeding OLA
  • Projects with the most OLA extensions
  • Vulnerabilities by language
  • Resolution Rate
  • Mean Time to Resolution (per severity)
  • Open vs closed vulnerabilities per team
  • Top vulnerability types
  • Percentage of projects covered by scans
  • Mean Time to Resolve (MTTR)
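The following is an added example, not code from the original page or from any product it mentions. It shows the two ideas above working together: findings from a SAST tool (SARIF) and an SCA tool (OSV) are normalised into one record type, and a handful of the metrics listed (open vulnerabilities by severity, findings exceeding the OLA, MTTR per severity, resolution rate) are computed from those records. The SARIF level-to-severity mapping, the OLA windows per severity, the use of `database_specific.severity` in the OSV records, and every sample finding, date and identifier are assumptions constructed for this example.

```python
"""Normalise SARIF and OSV findings into one record type and compute program metrics.

Added example; the severity mapping, OLA windows and sample data are constructed assumptions.
"""
from __future__ import annotations

import json
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed OLA: number of days a finding of each severity may stay open.
OLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed mapping from SARIF result "level" to the program's severity scale.
SARIF_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class Finding:
    tool: str
    project: str
    rule: str            # SARIF ruleId or OSV advisory id
    severity: str
    opened_at: datetime
    resolved_at: Optional[datetime] = None

    @property
    def is_open(self) -> bool:
        return self.resolved_at is None


def from_sarif(doc: dict, project: str, opened_at: datetime) -> list[Finding]:
    """Flatten a SARIF 2.1.0 log into one Finding per result."""
    findings = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            level = res.get("level", "warning")  # "warning" is the SARIF default level
            severity = SARIF_LEVEL_TO_SEVERITY.get(level, "medium")
            findings.append(Finding(tool, project, res["ruleId"], severity, opened_at))
    return findings


def from_osv(records: list[dict], tool: str, project: str, opened_at: datetime) -> list[Finding]:
    """Turn OSV advisory records into Findings.

    Severity is read from database_specific.severity, a convention some advisory
    databases use; treating it as authoritative is an assumption of this example.
    """
    findings = []
    for rec in records:
        severity = rec.get("database_specific", {}).get("severity", "medium").lower()
        findings.append(Finding(tool, project, rec["id"], severity, opened_at))
    return findings


def open_by_severity(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings if f.is_open))


def exceeding_ola(findings: list[Finding], now: datetime) -> list[Finding]:
    """Open findings whose age exceeds the OLA window for their severity."""
    return [f for f in findings if f.is_open and (now - f.opened_at).days > OLA_DAYS[f.severity]]


def mttr_days_by_severity(findings: list[Finding]) -> dict[str, float]:
    """Mean time to resolution in days, computed over resolved findings only."""
    days = defaultdict(list)
    for f in findings:
        if f.resolved_at is not None:
            days[f.severity].append((f.resolved_at - f.opened_at).days)
    return {sev: sum(v) / len(v) for sev, v in days.items()}


def resolution_rate(findings: list[Finding]) -> float:
    return 0.0 if not findings else sum(1 for f in findings if not f.is_open) / len(findings)


def compute_metrics(findings: list[Finding], now: datetime) -> dict:
    return {
        "total": len(findings),
        "open_by_severity": open_by_severity(findings),
        "exceeding_ola": [f.rule for f in exceeding_ola(findings, now)],
        "mttr_days_by_severity": mttr_days_by_severity(findings),
        "resolution_rate": resolution_rate(findings),
    }


def build_sample_findings() -> list[Finding]:
    """Constructed sample data: one SARIF log from a SAST scan, two OSV records from an SCA scan."""
    sarif = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "example-sast"}}, "results": [
        {"ruleId": "EXAMPLE-SQLI", "level": "error", "message": {"text": "constructed finding"}},
        {"ruleId": "EXAMPLE-XSS", "level": "warning", "message": {"text": "constructed finding"}},
        {"ruleId": "EXAMPLE-LOG", "level": "note", "message": {"text": "constructed finding"}}]}]}
    osv = [{"id": "EXAMPLE-2024-0001", "database_specific": {"severity": "CRITICAL"}},
           {"id": "EXAMPLE-2024-0002", "database_specific": {"severity": "HIGH"}}]
    findings = from_sarif(sarif, "shop-api", NOW - timedelta(days=40))
    findings += from_osv(osv, "example-sca", "shop-api", NOW - timedelta(days=10))
    findings[1].resolved_at = findings[1].opened_at + timedelta(days=20)  # medium, resolved
    findings[4].resolved_at = findings[4].opened_at + timedelta(days=5)   # high, resolved
    return findings


if __name__ == "__main__":
    print(json.dumps(compute_metrics(build_sample_findings(), NOW), indent=2))
```

With the constructed data, the high-severity SAST finding (40 days old against a 30-day OLA) and the critical SCA finding (10 days against 7) show up as exceeding the OLA, which is exactly the list a dashboard or the deployment gate described in the Outcome section would act on; resolved findings are excluded from OLA checks but feed MTTR and the resolution rate.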

Tools & Resources

Further Reading