Vulnerability management is a term that describes the various processes, tools, and strategies of identifying, evaluating, treating, and reporting on security vulnerabilities and misconfigurations within an organization's software and systems. In other words, it allows you to monitor your company’s digital environment to identify potential risks, for an up-to-the-minute picture of your current security status.
In broad terms, a vulnerability is a weakness: a flaw that can be exploited. In computer security the term means essentially the same thing. Security vulnerabilities are targeted by threat actors, who attempt to find and exploit them to gain access to restricted systems.
Identifying vulnerabilities throughout your systems, networks, and applications requires specific tools. A vulnerability scanner is a program designed to move through your digital systems and discover potential weaknesses; it is what makes vulnerability management possible.
Risk-based vulnerability management
An extension of vulnerability management, risk-based vulnerability management programs are designed to address the weaknesses inherent in digital systems, including software, hardware, and infrastructure. Risk-based vulnerability management uses machine learning to extend vulnerability management beyond traditional IT assets, incorporating cloud infrastructure, IoT devices, web apps, and more. This allows businesses access to relevant insights across their entire attack surface.
Risk-based vulnerability management also allows for more accurate, risk-based prioritization. Your company can focus first on identifying and repairing the weaknesses that are most likely to result in a breach, leaving less-critical vulnerabilities for later.
Vulnerability management vs. vulnerability assessment
Both vulnerability management and vulnerability assessment contribute to effectively addressing and resolving cybersecurity vulnerabilities. However, vulnerability management and vulnerability assessment are not synonymous terms.
A vulnerability assessment is only the first phase of vulnerability management. Most companies use scanning tools to look at devices on their network and collect information about the version of software that is installed and compare it to known vulnerabilities announced by software vendors. Multiple scanning tools, with or without agents or credentials, are typically required to cover the range of software in use (applications, operating systems, cloud service providers, etc.). Companies run scans at scheduled intervals -- usually monthly or quarterly -- and then use the list, often emailed as a spreadsheet, to assign upgrade or patching tasks. If a zero-day vulnerability is announced, one which is actively being exploited and for which a patch may not yet be available, a company may launch an on-demand scan that can take days or weeks depending on the size and configuration of their infrastructure.
Vulnerability management, by contrast, is a lifecycle rather than a scheduled or ad hoc scan: an ongoing program that moves from assessment into prioritization and remediation. It uses multiple data sources to continually assess and reassess the current state of your software and services. By adding business, threat, exploitation, and risk context to the software information generated by the assessment tools, a vulnerability management system can efficiently call attention to the vulnerabilities that must be addressed immediately and even suggest the best solution or mitigation. Constant assessment, evaluation, repair, and reporting on vulnerabilities allows you to manage and address security vulnerabilities on a day-to-day basis. This means that weaknesses are discovered more quickly, the highest-impact issues are addressed first, and fewer vulnerabilities are overlooked.
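The two phases described above can be shown side by side in a small script. The following is an added example, not code from the original article or from any product it describes: the assessment step compares installed software versions against a list of advisories (exactly what a scanner does), and the management step adds the business, exposure, and exploitation context that turns a flat list into a priority order. All asset names, product names, advisory identifiers (`EXAMPLE-ADV-*`), version numbers, and the scoring weights are constructed placeholders and assumptions for illustration; real programs would take severity from a vendor or CVSS feed and exploitation status from a threat-intelligence source.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One installed software instance, plus the business context a scanner alone lacks."""
    name: str
    product: str
    version: str
    internet_facing: bool   # exposure context (assumed field)
    criticality: int        # business criticality 1 (low) .. 3 (high) (assumed scale)


@dataclass(frozen=True)
class Advisory:
    """A vendor advisory: which versions are affected and how severe it is."""
    advisory_id: str
    product: str
    fixed_in: str           # first version that is no longer affected
    severity: float         # 0.0 .. 10.0 base score (CVSS-style, assumed)
    exploited_in_wild: bool # threat context from intelligence feeds (assumed)


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version such as '2.4.1' into a comparable tuple.
    Assumes purely numeric components; real version schemes need a fuller parser."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Assessment rule: same product and installed version older than the fix."""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def assess(inventory: list, advisories: list) -> list:
    """Vulnerability assessment: the raw (asset, advisory) matches a scanner would report."""
    return [(asset, adv) for asset in inventory for adv in advisories
            if is_affected(asset, adv)]


def risk_score(asset: Asset, adv: Advisory) -> float:
    """Risk-based prioritization: severity weighted by threat, exposure, and business context.
    The multipliers are illustrative assumptions, not a standard."""
    score = adv.severity
    if adv.exploited_in_wild:
        score *= 2.0          # actively exploited issues jump the queue
    if asset.internet_facing:
        score *= 1.5          # reachable from outside the perimeter
    score *= asset.criticality
    return round(score, 1)


def prioritize(findings: list) -> list:
    """Vulnerability management output: findings ordered by risk, highest first."""
    ranked = [(risk_score(asset, adv), asset.name, adv.advisory_id) for asset, adv in findings]
    return sorted(ranked, reverse=True)


# Constructed sample inventory and advisory feed (not real products or advisories).
INVENTORY = [
    Asset("web-01", "exampleweb", "2.4.1", internet_facing=True, criticality=3),
    Asset("web-02", "exampleweb", "2.5.0", internet_facing=True, criticality=3),   # already patched
    Asset("db-01", "exampledb", "12.1", internet_facing=False, criticality=3),
    Asset("dev-laptop", "exampleweb", "2.4.1", internet_facing=False, criticality=1),
]

ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "exampleweb", fixed_in="2.5.0", severity=9.8, exploited_in_wild=True),
    Advisory("EXAMPLE-ADV-0002", "exampledb", fixed_in="12.2", severity=7.5, exploited_in_wild=False),
    Advisory("EXAMPLE-ADV-0003", "exampleweb", fixed_in="2.4.0", severity=5.0, exploited_in_wild=False),
]


if __name__ == "__main__":
    findings = assess(INVENTORY, ADVISORIES)
    print(f"assessment: {len(findings)} findings")
    for score, asset_name, advisory_id in prioritize(findings):
        print(f"{score:6.1f}  {asset_name:<12} {advisory_id}")
```

Running it shows why context matters: the same advisory on `web-01` and `dev-laptop` produces very different scores, and the unexploited database issue on a critical host outranks the critical-severity issue on the low-value laptop. Note also that `web-02` produces no finding at all because its version is not older than the fix, and `EXAMPLE-ADV-0003` matches nothing because every installed version is already past it.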
Simply put, a vulnerability assessment gives you a snapshot of your IT software stance; vulnerability management offers constantly evolving, real-time intelligence, remediation guidance, and reporting.