Vulnerability Management: Systematic Vulnerability Management in Practice
Vulnerability management is more than regular scanning: it is a continuous process of detection, assessment, prioritization, remediation, and verification. This article covers the full VM program: scanner selection, CVSS vs. EPSS prioritization, patch SLAs, metrics, and integration with DevSecOps and the ISMS.
Vulnerability Management (VM) is the continuous process of identifying, assessing, prioritizing, and remediating vulnerabilities in IT systems. It is a fundamental component of every ISMS and is explicitly required by ISO 27001 (A.8.8), NIS2, and the CIS Controls (Control 7).
The Vulnerability Management Cycle
VM Process (continuous, not a one-time event!):
Phase 1: Asset Discovery
→ What are we scanning, anyway?
→ Complete asset inventory as a basis (without it = blind spots!)
→ Scope: all IP ranges, cloud resources, web apps
Phase 2: Vulnerability Scanning
→ Regular authenticated scans
→ Unauthenticated: finds fewer issues, but identifies externally visible risks
→ Authenticated: complete picture of installed software + patches
→ Frequency: critical systems weekly, all others monthly
Phase 3: Vulnerability Assessment
→ Evaluation of identified vulnerabilities
→ CVSS Score: Severity (technical)
→ Context: Is the system exposed? Does it contain sensitive data?
→ False Positive Filtering: Which findings are valid?
Phase 4: Prioritization
→ Not all CVSS-10 vulnerabilities are equally urgent
→ EPSS: How likely is exploitation within the next 30 days?
→ Business Impact: Which systems are critical to operations?
Phase 5: Remediation
→ Patch: Apply the update
→ Mitigate: Implement a workaround if no patch is available
→ Accept: Documented risk with justification
→ Meet SLA: See Patch SLA table
Phase 6: Verification
→ Was the patch actually applied?
→ Rescan after patch: Has the finding disappeared?
→ Close-out: Close and document the finding
Phase 7: Reporting and Metrics
→ What is the trend? Are we improving or worsening?
→ Mean Time to Remediate (MTTR) per severity
→ Open findings over time: decreasing risk?
→ Management report: Executive summary
CVSS vs. EPSS - how to prioritize?
CVSS score alone is insufficient:
CVSS (Common Vulnerability Scoring System):
→ Assesses the technical severity of a vulnerability (0-10)
→ Considers: attack path, complexity, privileges, impact
→ Problem: does NOT assess how likely exploitation is
→ Approx. 25,000 new CVEs/year, and even the CVSS 9-10 band alone still contains hundreds!
→ Result: prioritizing by CVSS alone ("all 9.0+ first") leaves far too many to patch first
EPSS (Exploit Prediction Scoring System):
→ FIRST.org initiative, free
→ Estimates: Probability that a CVE will be actively exploited in the next 30 days
→ 0–1 (0%–100% probability)
→ Based on: POC availability, threat intelligence, scan data
→ Updated daily!
Example prioritization matrix:

| CVE            | CVSS | EPSS  | Recommendation                               |
|----------------|------|-------|----------------------------------------------|
| CVE-2021-44228 | 10.0 | 0.975 | IMMEDIATE (Log4Shell, actively exploited!)   |
| CVE-2023-12345 | 9.8  | 0.004 | Less urgent (no active exploit)              |
| CVE-2022-67890 | 7.5  | 0.89  | URGENT (lower CVSS, but actively exploited!) |

→ CVE-2023-12345 is less urgent than CVE-2022-67890 (CVSS 7.5) despite its CVSS score of 9.8!
→ Combining CVSS + EPSS: the best approach
CISA KEV (Known Exploited Vulnerabilities):
→ cisa.gov/known-exploited-vulnerabilities-catalog
→ Confirmed exploited in the wild; the catalog is free of charge
→ U.S. federal agencies: Mandatory patching within deadlines
→ For everyone: best "patch immediately" list
→ Updated daily
→ Subscribe automatically: API or RSS feed
Vulnerability Context (your own environment):
→ Is the system reachable from the Internet? (x3 urgency)
→ Does the system hold sensitive data? (x2 urgency)
→ Are there mitigations that effectively lower the CVSS score? (e.g. a firewall blocks the attack vector → effectively unexploitable)
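The prioritization logic described above, combining CVSS, EPSS, the KEV flag and the local context multipliers, as an added Python example. This is not code from the article: the way the inputs are combined (CVSS multiplied by EPSS, then the article's x3/x2 context factors, with assumed tier cut-offs at 9.0 and 2.0) is an assumption chosen to reproduce the article's matrix, and the three CVE rows are the article's own illustrative values. In practice the EPSS column is refreshed daily from the FIRST EPSS API (https://api.first.org/data/v1/epss) and the KEV flag from the CISA catalog.

```python
"""Risk-based prioritization combining CVSS, EPSS, CISA KEV and local context.

Added example, not from the original article. The three CVE rows are the
article's own illustrative values. Multiplying CVSS by EPSS, the tier
thresholds and the context multipliers (x3 exposed, x2 sensitive data) are
assumptions chosen to reproduce the article's matrix, not an official formula.
"""
from dataclasses import dataclass

EXPOSED_FACTOR = 3.0          # article: internet-reachable system -> x3 urgency
SENSITIVE_DATA_FACTOR = 2.0   # article: sensitive data -> x2 urgency
IMMEDIATE_THRESHOLD = 9.0     # assumed cut-offs on the combined score
URGENT_THRESHOLD = 2.0


@dataclass
class Finding:
    cve: str
    cvss: float                      # 0-10 technical severity
    epss: float                      # 0-1 probability of exploitation within 30 days
    in_kev: bool = False             # listed in the CISA KEV catalog
    internet_exposed: bool = False
    sensitive_data: bool = False
    vector_mitigated: bool = False   # e.g. firewall already blocks the attack vector


def risk_score(f: Finding) -> float:
    """Severity weighted by exploitation likelihood and by where the asset sits."""
    score = f.cvss * f.epss
    if f.internet_exposed:
        score *= EXPOSED_FACTOR
    if f.sensitive_data:
        score *= SENSITIVE_DATA_FACTOR
    return round(score, 3)


def tier(f: Finding) -> str:
    """Remediation tier. KEV is always IMMEDIATE regardless of CVSS; a blocked
    attack vector makes the finding effectively unexploitable, so it is tracked
    under the normal SLA instead of being escalated."""
    if f.in_kev:
        return "IMMEDIATE"
    if f.vector_mitigated:
        return "MITIGATED"
    score = risk_score(f)
    if score >= IMMEDIATE_THRESHOLD:
        return "IMMEDIATE"
    return "URGENT" if score >= URGENT_THRESHOLD else "SCHEDULED"


TIER_ORDER = {"IMMEDIATE": 0, "URGENT": 1, "SCHEDULED": 2, "MITIGATED": 3}


def prioritize(findings):
    """Work queue: by tier, then by descending risk score within a tier."""
    return sorted(findings, key=lambda f: (TIER_ORDER[tier(f)], -risk_score(f)))


# Constructed backlog using the article's example rows (all treated as internal).
BACKLOG = [
    Finding("CVE-2023-12345", cvss=9.8, epss=0.004),
    Finding("CVE-2021-44228", cvss=10.0, epss=0.975, in_kev=True),
    Finding("CVE-2022-67890", cvss=7.5, epss=0.89),
]

if __name__ == "__main__":
    for f in prioritize(BACKLOG):
        print(f"{f.cve:15} CVSS {f.cvss:4} EPSS {f.epss:5} score {risk_score(f):6} -> {tier(f)}")
    # The same 7.5 finding on an internet-facing host jumps a tier:
    exposed = Finding("CVE-2022-67890", cvss=7.5, epss=0.89, internet_exposed=True)
    print(f"{exposed.cve} exposed: score {risk_score(exposed)} -> {tier(exposed)}")
```

The MITIGATED tier only lowers a finding's queue position; it stays open until the real patch lands, which matches the article's rule that a workaround is never a substitute for patching.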
Scanners and Tools
Vulnerability Scanner Comparison:
Open Source:
OpenVAS / Greenbone Community Edition:
→ Complete solution: Scanner + Management + Reporting
→ Daily updated NVTs (Network Vulnerability Tests)
→ Docker-based deployment:
docker pull greenbone/community-edition
docker compose -f docker-compose.yml -p greenbone-community-edition up
Authenticated scan (significantly more findings!):
→ Store SSH keys or Windows credentials
→ Scan policy: Full and Very Deep
→ Frequency: weekly for servers, daily for critical systems
Nessus Essentials (free for up to 16 IPs):
→ Industry-leading scanner, Essentials version free
→ Scan up to 16 hosts
→ Plugins: updated daily
→ Good for: getting started and small environments
---
Commercial:
Tenable Nessus Pro / io:
→ Unlimited hosts
→ Web-based management
→ CI/CD integration
→ Pricing: starting at ~3,000 EUR/year
Rapid7 InsightVM:
→ Live dashboards, trending
→ Agent-based for laptops (even when off-network)
→ Integration with SIEM and ticketing systems
→ Enterprise pricing
Qualys VMDR:
→ Cloud-based, no local scanner required
→ Very broad platform (WAF, policy compliance, PC)
→ Focus on large enterprises
---
Specialized scanners:
Web applications:
→ OWASP ZAP (free)
→ Burp Suite Enterprise (commercial)
→ Nuclei (free, template-based)
→ Nikto (free, old but fast)
Containers:
→ Trivy (free, Aquasecurity)
→ Grype (free, Anchore)
→ Snyk Container (freemium)
Cloud configuration:
→ Prowler (free, AWS/Azure/GCP)
→ ScoutSuite (free)
→ Wiz (commercial, leading)
Code dependencies (SCA):
→ Snyk (freemium)
→ OWASP Dependency Check (free)
→ GitHub Dependabot (free for GitHub repos)
Patch SLAs and Metrics
Patch SLAs (Service Level Agreements):

| Severity        | Attack Surface | Patch SLA           |
|-----------------|----------------|---------------------|
| Critical (9-10) | External       | 24 hours            |
| Critical (9-10) | Internal       | 72 hours            |
| High (7-8)      | External       | 7 days              |
| High (7-8)      | Internal       | 14 days             |
| Medium (4-6)    | All            | 30 days             |
| Low (0-3)       | All            | 90 days (or accept) |

CISA KEV: Always immediately, regardless of CVSS!
Exception Management:
→ SLA cannot be met? → Documented risk acceptance
→ "CVE-2023-XXXXX: Patch not available, Mitigation: WAF rule active"
→ All exceptions: Approval by CISO/Management
→ Quarterly review of open exceptions
VM Metrics for Management Reporting:

| Metric                   | Target Value | Formula / Definition                                               |
|--------------------------|--------------|--------------------------------------------------------------------|
| Vulnerability Discovery  | < 48h        | Time from CVE publication until the affected system is identified  |
| Patch Compliance Rate    | > 95%        | Patched VMs / All VMs                                              |
| Mean Time to Remediate   | < 7d (CRIT)  | Average discovery-to-remediation time over all remediated findings |
| Overdue Findings         | 0            | Critical/High findings outside their SLA                           |
| Attack Surface Reduction | Trend ↓      | Open findings over time                                            |
| Scanner Coverage         | > 95%        | Scanned assets / All assets                                        |
Reporting template (monthly):
□ New vulnerabilities this month: X
□ Resolved vulnerabilities: Y
□ Open Critical: Z (Trend: ↑/↓)
□ SLA compliance: X% (Target: >95%)
□ Top 5 riskiest assets: [List]
□ Recommendations: [Next steps]
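The SLA table, the exception handling and the metrics above, as one added Python example (not from the article): it derives each finding's due date from the table, treats CISA KEV entries as due within the tightest window, lists overdue Critical/High findings while excluding approved exceptions, and computes MTTR, SLA compliance and scanner coverage for the monthly report. The finding records, asset names and timestamps are constructed; the >= 9.0 / 7.0 / 4.0 band boundaries and the 24-hour KEV window are assumptions.

```python
"""Patch SLA tracking and VM reporting metrics.

Added example, not part of the original article. SLA windows are the article's
table; findings, asset names and NOW are constructed. Assumed: CVSS bands use
>= 9.0 / >= 7.0 / >= 4.0 (the article's integer ranges leave e.g. 8.5 open),
and KEV entries ("always immediately") get the tightest window, 24 hours."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SLA = {  # (severity band, attack surface) -> remediation window
    ("critical", "external"): timedelta(hours=24),
    ("critical", "internal"): timedelta(hours=72),
    ("high", "external"): timedelta(days=7),
    ("high", "internal"): timedelta(days=14),
    ("medium", "all"): timedelta(days=30),
    ("low", "all"): timedelta(days=90),
}
KEV_SLA = timedelta(hours=24)  # assumption, see docstring


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    surface: str                       # "external" or "internal"
    discovered: datetime
    in_kev: bool = False
    remediated: Optional[datetime] = None
    accepted: bool = False             # documented, approved risk acceptance


def severity_band(cvss: float) -> str:
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"


def due_date(f: Finding) -> datetime:
    """Discovery time plus the SLA window; KEV overrides the CVSS-based table."""
    if f.in_kev:
        return f.discovered + KEV_SLA
    band = severity_band(f.cvss)
    surface = f.surface if band in ("critical", "high") else "all"
    return f.discovered + SLA[(band, surface)]


def overdue_findings(findings, now: datetime) -> list:
    """Open Critical/High findings past their SLA; approved exceptions excluded."""
    return [f for f in findings
            if f.remediated is None and not f.accepted
            and severity_band(f.cvss) in ("critical", "high") and now > due_date(f)]


def mean_time_to_remediate_days(findings, band: str) -> Optional[float]:
    """Average discovery-to-remediation time for one severity band, in days."""
    days = [(f.remediated - f.discovered).total_seconds() / 86400 for f in findings
            if f.remediated is not None and severity_band(f.cvss) == band]
    return round(sum(days) / len(days), 2) if days else None


def sla_compliance_rate(findings) -> Optional[float]:
    """Share of remediated findings that were closed within their SLA window."""
    closed = [f for f in findings if f.remediated is not None]
    if not closed:
        return None
    return round(sum(f.remediated <= due_date(f) for f in closed) / len(closed), 3)


def scanner_coverage(inventory, scanned):
    """Scanned assets / all assets, plus the blind spots the scanner never saw."""
    inventory, scanned = set(inventory), set(scanned)
    ratio = round(len(inventory & scanned) / len(inventory), 3) if inventory else 0.0
    return ratio, sorted(inventory - scanned)


# Constructed sample data: asset names and dates are made up.
NOW = datetime(2024, 6, 1, 9, 0)
INVENTORY = {"web-01", "db-01", "vpn-01", "app-02", "legacy-09"}
SCANNED = {"web-01", "db-01", "vpn-01", "app-02"}
FINDINGS = [
    # KEV entry on an exposed host, fixed within 7 hours: SLA met
    Finding("web-01", "CVE-2021-44228", 10.0, "external", datetime(2024, 5, 30, 8, 0),
            in_kev=True, remediated=datetime(2024, 5, 30, 15, 0)),
    # Critical/internal (72 h window) fixed after 4 days: SLA missed
    Finding("db-01", "CVE-2023-12345", 9.8, "internal", datetime(2024, 5, 25, 10, 0),
            remediated=datetime(2024, 5, 29, 10, 0)),
    # High/external (7 d window) still open after 12 days: overdue
    Finding("vpn-01", "CVE-2022-67890", 7.5, "external", datetime(2024, 5, 20, 9, 0)),
    # High/internal with a documented, approved exception (article's CVE-2023-XXXXX)
    Finding("app-02", "CVE-2023-XXXXX", 7.2, "internal", datetime(2024, 5, 25, 9, 0),
            accepted=True),
]

if __name__ == "__main__":
    print("overdue:", [(f.asset, f.cve) for f in overdue_findings(FINDINGS, NOW)])
    print("MTTR critical (days):", mean_time_to_remediate_days(FINDINGS, "critical"))
    print("SLA compliance:", sla_compliance_rate(FINDINGS), "coverage:", scanner_coverage(INVENTORY, SCANNED))
```

Note that an approved exception drops out of the overdue list but not out of the inventory of open findings, so the quarterly exception review the article calls for still has something to look at; and `scanner_coverage` returns the unscanned assets explicitly because those are the blind spots Phase 1 warns about.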
Integrating VM into Development (Shift Left)
Vulnerability Management in the SDLC:
Code phase (developer workstation):
→ IDE plugin: Snyk or SonarLint immediately highlights CVEs in dependencies
→ Pre-commit: pip-audit / npm audit before every commit
→ Cost: 0 EUR, Time: 5 minutes setup
CI/CD phase (pipeline):
→ SCA scan: Check all dependencies for CVEs
→ Container scan: Trivy on every built image
→ IaC scan: Checkov on Terraform/CloudFormation
→ Fail-Fast: Critical = Stop the pipeline!
Staging phase:
→ DAST: ZAP or Nuclei against running application
→ Find web app vulnerabilities before production
Production phase:
→ Continuous scanning (weekly/daily for critical systems)
→ RASP: Runtime Application Self-Protection (optional)
→ WAF: Virtual patches until a real patch is available
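A fail-fast gate for the CI/CD phase, as an added Python example (not from the article or the Trivy project): it parses the JSON report that `trivy image --format json` writes, stops the pipeline on CRITICAL findings or KEV-listed CVEs that have a fix available, and reports fixless findings separately as candidates for a mitigation or WAF virtual patch. The report, image name, package versions and the KEV set below are constructed sample data.

```python
"""Fail-fast CI gate over a Trivy JSON report.

Added example, not from the original article or the Trivy project. It reads
the JSON that `trivy image --format json --output report.json <image>` writes
and fails the build when a CRITICAL finding, or any KEV-listed CVE regardless
of severity, has a fix available. Findings without a fix cannot be fixed by a
dependency bump, so they are listed separately as mitigation / virtual-patch
candidates. Report, image name, versions and the KEV set are constructed.
"""
import json
import sys

BLOCKING_SEVERITIES = {"CRITICAL"}   # article policy: Critical = stop the pipeline
KEV_IDS = {"CVE-2021-44228"}         # placeholder for the synced CISA KEV ID list

# Constructed report in Trivy's JSON layout: Results[] -> Vulnerabilities[]
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.invalid/app:1.2.3",
    "Results": [
        {"Target": "registry.example.invalid/app:1.2.3 (debian 12)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-12345", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2022-67890", "PkgName": "libother",
              "InstalledVersion": "2.3-1", "FixedVersion": "2.3-2", "Severity": "HIGH"}]},
        {"Target": "app/lib/log4j-core-2.14.1.jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-core",
              "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0", "Severity": "CRITICAL"}]},
        {"Target": "app/requirements.txt", "Vulnerabilities": None},   # clean target
    ],
})
CLEAN_REPORT = json.dumps({"Results": [{"Target": "x", "Vulnerabilities": None}]})


def evaluate(report_json: str, kev_ids=KEV_IDS) -> dict:
    """Sort every finding into blocking / unfixed / warnings buckets."""
    verdict = {"blocking": [], "unfixed": [], "warnings": []}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key may be null or absent
            entry = {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                     "installed": v.get("InstalledVersion", ""),
                     "fixed": v.get("FixedVersion", ""), "severity": v["Severity"],
                     "target": result.get("Target", "")}
            must_fix = entry["severity"] in BLOCKING_SEVERITIES or entry["id"] in kev_ids
            if not must_fix:
                verdict["warnings"].append(entry)
            elif entry["fixed"]:
                verdict["blocking"].append(entry)
            else:
                verdict["unfixed"].append(entry)
    return verdict


def gate(report_json: str, kev_ids=KEV_IDS) -> int:
    """Exit code for the CI step: 1 stops the pipeline, 0 lets it continue."""
    verdict = evaluate(report_json, kev_ids)
    labels = (("blocking", "BLOCK"), ("unfixed", "NO FIX - mitigate"), ("warnings", "WARN"))
    for bucket, label in labels:
        for e in verdict[bucket]:
            print(f"[{label}] {e['id']} {e['severity']} {e['pkg']} {e['installed']} -> "
                  f"{e['fixed'] or 'n/a'} ({e['target']})")
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    # usage: python gate.py report.json  (falls back to the embedded sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```

Keeping the KEV list as a separate input means a HIGH finding that is being exploited in the wild starts blocking the build the day it appears in the catalog, without changing the severity policy; the "NO FIX" bucket is exactly the set of findings the staging and production phases have to cover with a mitigation or virtual patch.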
"Virtual Patching" via WAF:
→ CVE known, patch not yet available?
→ WAF rule blocks attacks on this specific vulnerability
→ Short-term: Protection while the patch is being prepared
→ NOT permanent! Not a substitute for a real patch.
About the Author
M.Sc. in IT Security with more than 5 years of experience in offensive security analysis. Leads the execution of penetration tests, specializing in web applications, network infrastructure, reverse engineering and hardware security. Responsible for several responsible disclosures.