How to Build a Vulnerability Management Program
Six steps: discover assets, scan them, prioritize findings, assign owners and SLAs, manage exceptions, report metrics. Most programs fail at step 4: a finding with no accountable owner never gets fixed, however well it was prioritized.
1. Asset Discovery
- → Deploy network discovery (runZero, formerly Rumble, or scheduled nmap sweeps)
- → Cloud native: AWS Config, Azure Resource Graph, GCP Asset Inventory
- → Direct API: boto3/AWS SDK for custom inventory scripts
- → Open source: Steampipe, CloudQuery, or Cartography for multi-cloud
- → Tag assets with owner and criticality (critical/high/medium/low)
- → Automate: new assets trigger scanning within 24 hours
2. Vulnerability Scanning
- → Cloud: Wiz, Orca, or open-source Prowler
- → Containers: Trivy, Grype, Orca, or Wiz
- → Dependencies: Renovate or Dependabot to open upgrade PRs, OWASP Dependency-Check to flag known-vulnerable components
- → Scan weekly at minimum; critical assets daily
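The discovery and scan-cadence rules from sections 1 and 2, as an added example that is not part of the original page: a Python script that normalizes AWS-style tag lists and GCP-style label dicts into one asset record, flags assets missing an owner or criticality tag, and computes when each asset's next scan is due (within 24 hours for a never-scanned asset, daily for critical, weekly otherwise). The sample records, the tag names `owner` and `criticality`, and the choice to treat untagged assets as critical are assumptions; in production the records would come from boto3's `describe_instances()` or one of the inventory tools listed below.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample inventory. The two "aws" records mimic the fields and Tags
# list that boto3's ec2.describe_instances() returns; the "gcp" record mimics a
# Compute Engine instance with labels. Nothing here is live data.
RAW_ASSETS = [
    {"source": "aws", "id": "i-0a1b2c3d4e5f", "public_ip": "203.0.113.10",
     "first_seen": "2024-05-01T08:00:00Z", "last_scanned": "2024-05-07T02:00:00Z",
     "tags": [{"Key": "owner", "Value": "payments"},
              {"Key": "criticality", "Value": "critical"}]},
    {"source": "aws", "id": "i-0ffee1234567", "public_ip": None,
     "first_seen": "2024-05-06T09:30:00Z", "last_scanned": None,
     "tags": [{"Key": "Name", "Value": "batch-worker"}]},
    {"source": "gcp", "id": "projects/demo/zones/us-central1-a/instances/web-1",
     "public_ip": "198.51.100.7", "first_seen": "2024-04-20T00:00:00Z",
     "last_scanned": "2024-05-03T00:00:00Z",
     "labels": {"owner": "web-platform", "criticality": "high"}},
]

VALID_CRITICALITY = {"critical", "high", "medium", "low"}
SCAN_INTERVAL = {"critical": timedelta(days=1)}   # page: critical assets daily
DEFAULT_INTERVAL = timedelta(days=7)              # page: weekly minimum
NEW_ASSET_WINDOW = timedelta(hours=24)            # page: new assets scanned within 24h


@dataclass
class Asset:
    source: str
    asset_id: str
    owner: Optional[str]
    criticality: Optional[str]
    internet_facing: bool
    first_seen: datetime
    last_scanned: Optional[datetime]


def _parse(ts: Optional[str]) -> Optional[datetime]:
    return None if ts is None else datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _tags(raw: dict) -> dict:
    """Flatten AWS-style [{"Key": k, "Value": v}] and GCP-style {k: v} labels
    into one lower-cased dict so both clouds are handled identically."""
    if "tags" in raw:
        return {t["Key"].lower(): t["Value"].lower() for t in raw["tags"]}
    return {k.lower(): v.lower() for k, v in raw.get("labels", {}).items()}


def normalize(raw: dict) -> Asset:
    tags = _tags(raw)
    crit = tags.get("criticality")
    return Asset(
        source=raw["source"],
        asset_id=raw["id"],
        owner=tags.get("owner"),
        criticality=crit if crit in VALID_CRITICALITY else None,
        internet_facing=bool(raw.get("public_ip")),
        first_seen=_parse(raw["first_seen"]),
        last_scanned=_parse(raw.get("last_scanned")),
    )


def scan_due_at(asset: Asset) -> datetime:
    """Deadline for the next scan. A never-scanned asset inherits the 24h
    onboarding deadline; otherwise the cadence follows criticality. A missing
    criticality is treated as critical so untagged hosts are never under-scanned."""
    if asset.last_scanned is None:
        return asset.first_seen + NEW_ASSET_WINDOW
    interval = SCAN_INTERVAL.get(asset.criticality or "critical", DEFAULT_INTERVAL)
    return asset.last_scanned + interval


def inventory_report(raw_records: list, now: datetime) -> dict:
    """Three worklists: assets missing owner/criticality tags, assets whose scan
    is overdue, and the internet-facing subset (used later for prioritization)."""
    assets = [normalize(r) for r in raw_records]
    return {
        "untagged": sorted(a.asset_id for a in assets
                           if a.owner is None or a.criticality is None),
        "scan_overdue": sorted(a.asset_id for a in assets if scan_due_at(a) <= now),
        "internet_facing": sorted(a.asset_id for a in assets if a.internet_facing),
    }


if __name__ == "__main__":
    print(inventory_report(RAW_ASSETS, _parse("2024-05-07T12:00:00Z")))
```

Feeding the `untagged` list back to the asset owners is what makes the tagging rule in step 1 stick: a host with no `owner` tag cannot be assigned a finding in step 4, so untagged assets are the first escalation, before any vulnerability is even found.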
3. Prioritization
- → Pull the CISA KEV catalog daily; anything on it is being exploited in the wild and goes to the front of the queue
- → Check EPSS scores; prioritize CVEs with >10% predicted probability of exploitation in the next 30 days
- → Map to data classification: PII/PHI/PCI assets get higher priority
- → Assess breach impact: revenue, regulatory, reputational exposure
- → Adjust for exposure: internet-facing assets get 2x priority weight
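The prioritization rules in section 3 combined into one scoring function, as an added example that is not part of the original page. CVSS is the base; KEV membership, EPSS above the 10% threshold, regulated data on the asset and the 2x internet-facing weight adjust it, and KEV entries are always the top bucket. The KEV set, the EPSS values, the bonus sizes and the P0 to P3 cut-offs are constructed assumptions; in production the KEV catalog JSON is fetched from CISA and EPSS from the FIRST API daily.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed stand-ins for the two threat feeds. In production refresh these
# daily: the KEV catalog JSON from CISA and EPSS scores from the FIRST API.
KEV = {"CVE-2024-0001"}                                  # constructed entry
EPSS = {"CVE-2024-0001": 0.92, "CVE-2024-0002": 0.31,    # constructed 30-day
        "CVE-2024-0003": 0.02, "CVE-2024-0004": 0.15}    # exploitation probabilities

SENSITIVE_DATA = {"pii", "phi", "pci"}
EPSS_THRESHOLD = 0.10       # page: prioritize >10% exploitation probability
EXPOSURE_WEIGHT = 2.0       # page: internet-facing assets get 2x priority weight
KEV_BONUS = 10.0            # assumed: enough to outrank any unexploited CVSS 10
EPSS_BONUS = 5.0            # assumed: scaled by the probability itself
DATA_BONUS = 3.0            # assumed: regulated data (PII/PHI/PCI) on the asset


@dataclass(frozen=True)
class Finding:
    cve: str
    asset_id: str
    cvss: float
    data_classes: FrozenSet[str] = frozenset()   # e.g. {"pci"}; empty if none
    internet_facing: bool = False


def priority_score(f: Finding) -> float:
    """Higher means fix sooner. CVSS is only the base; exploitation evidence and
    business context adjust it, so an exploited bug on an exposed, data-holding
    asset outranks a high-CVSS bug that nobody is actually using."""
    score = f.cvss
    if f.cve in KEV:
        score += KEV_BONUS
    epss = EPSS.get(f.cve, 0.0)
    if epss >= EPSS_THRESHOLD:
        score += EPSS_BONUS * epss
    if f.data_classes & SENSITIVE_DATA:
        score += DATA_BONUS
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    return round(score, 2)


def priority_bucket(f: Finding) -> str:
    """KEV entries are always P0; everything else buckets by score (assumed cut-offs)."""
    if f.cve in KEV:
        return "P0"
    s = priority_score(f)
    if s >= 20:
        return "P1"
    if s >= 12:
        return "P2"
    return "P3"


def rank(findings):
    """Work-queue order: bucket first, then score, then a stable CVE/asset order."""
    return sorted(findings,
                  key=lambda f: (priority_bucket(f), -priority_score(f), f.cve, f.asset_id))


# Constructed findings: a KEV entry on an internal host, a CVSS 9.8 on an
# internet-facing PCI system, a CVSS 9.8 that nobody is exploiting, and a
# medium-severity bug on a PII store.
SAMPLE = [
    Finding("CVE-2024-0001", "i-kev-internal", 7.5),
    Finding("CVE-2024-0002", "web-1", 9.8, frozenset({"pci"}), True),
    Finding("CVE-2024-0003", "batch-worker", 9.8),
    Finding("CVE-2024-0004", "i-pii-store", 5.3, frozenset({"pii"})),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(priority_bucket(f), priority_score(f), f.cve, f.asset_id)
```

The instructive case is the third finding: CVSS 9.8, but with a 2% EPSS on an internal host it lands in P3, below the CVSS 7.5 KEV entry. That is the intended behaviour of a KEV/EPSS-first program, and it is also the case to explain to auditors who expect CVSS alone to drive the queue.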
4. Ownership & SLAs
- → Map owners via: cloud tags, GitHub CODEOWNERS, org charts, or CMDB
- → Harder in large or diverse environments; start with critical assets and expand from there
- → Set SLAs per severity and keep tightening them: automated patching and AI-assisted remediation are shrinking realistic fix times, so be aggressive and push automation
- → Roll up alerts by base image, team, or fix approach - minimize alert fatigue
- → Escalate to managers if traction is slow, owners unknown, or SLAs slipping
5. Exception Management
- → Require: business justification, compensating controls, expiration date
- → Approval: security lead for 90 days, CISO for longer
- → Track exceptions separately; review monthly
- → No permanent exceptions - max 1 year with annual renewal
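The ownership, SLA and exception rules from sections 4 and 5 as one triage pass, as an added example that is not part of the original page: owner resolution from cloud tags with a CODEOWNERS fallback, SLA due dates by severity, roll-up of findings by shared base image so one container rebuild closes several alerts, an expiry check that caps exceptions at one year, and an escalation list for unknown owners and breached SLAs. The SLA day counts, the CODEOWNERS content, the sample findings and the simplified CODEOWNERS matching (prefix for directory rules, glob otherwise, last match wins) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Optional

# Assumed SLA table (days to remediate by severity); the page gives no numbers.
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}
MAX_EXCEPTION = timedelta(days=365)   # page: no exception lasts longer than a year

# Constructed CODEOWNERS file, the fallback when cloud tags carry no owner.
CODEOWNERS = """
*                     @org/platform-team
/services/payments/   @org/payments
/services/web/*.py    @org/web-platform
"""


def _utc(date: str) -> datetime:
    return datetime.fromisoformat(date).replace(tzinfo=timezone.utc)


def parse_codeowners(text: str):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules


def codeowner_for(path: str, rules) -> Optional[str]:
    """Simplified CODEOWNERS resolution: the last matching rule wins, as on
    GitHub. Directory rules match by prefix, everything else by glob."""
    owner = None
    for pattern, owners in rules:
        p = pattern.lstrip("/")
        if (p.endswith("/") and path.startswith(p)) or fnmatch(path, p):
            owner = owners[0]
    return owner


@dataclass
class OpenFinding:
    finding_id: str
    cve: str
    severity: str
    asset_id: str
    opened: datetime
    tag_owner: Optional[str] = None        # from cloud tags, if present
    repo_path: Optional[str] = None        # source path for the CODEOWNERS fallback
    base_image: Optional[str] = None       # container image digest, for roll-ups
    exception_until: Optional[datetime] = None


def resolve_owner(f: OpenFinding, rules) -> Optional[str]:
    if f.tag_owner:
        return f.tag_owner
    if f.repo_path:
        return codeowner_for(f.repo_path, rules)
    return None


def sla_due(f: OpenFinding) -> datetime:
    return f.opened + timedelta(days=SLA_DAYS[f.severity])


def exception_active(f: OpenFinding, now: datetime) -> bool:
    """An exception defers the SLA only while unexpired and within the 1-year cap."""
    if f.exception_until is None:
        return False
    return now < f.exception_until and (f.exception_until - f.opened) <= MAX_EXCEPTION


def triage(findings, now: datetime, rules):
    """One work item per fix unit (shared base image, else owner) to cut alert
    volume, plus the escalation list: unknown owners and breached SLAs."""
    rollups, escalations = {}, []
    for f in findings:
        owner = resolve_owner(f, rules)
        key = f.base_image or owner or "unowned"
        item = rollups.setdefault(key, {"owner": owner, "findings": [], "due": None})
        item["findings"].append(f.finding_id)
        due = sla_due(f)
        item["due"] = due if item["due"] is None else min(item["due"], due)
        if owner is None:
            escalations.append((f.finding_id, "owner unknown"))
        elif due < now and not exception_active(f, now):
            escalations.append((f.finding_id, "SLA breached"))
    return rollups, escalations


# Constructed findings covering each path through triage().
SAMPLE = [
    OpenFinding("F-1", "CVE-2024-0001", "critical", "web-1", _utc("2024-05-01"),
                tag_owner="web-platform", base_image="sha256:aaa"),
    OpenFinding("F-2", "CVE-2024-0001", "critical", "web-2", _utc("2024-05-01"),
                repo_path="services/web/app.py", base_image="sha256:aaa"),
    OpenFinding("F-3", "CVE-2024-0002", "high", "payments-api", _utc("2024-05-01"),
                repo_path="services/payments/api.py"),
    OpenFinding("F-4", "CVE-2024-0003", "medium", "legacy-box", _utc("2024-04-01")),
    OpenFinding("F-5", "CVE-2024-0004", "critical", "hsm-gw", _utc("2024-04-20"),
                tag_owner="crypto", exception_until=_utc("2024-06-01")),
]

if __name__ == "__main__":
    rollups, escalations = triage(SAMPLE, _utc("2024-05-07"), parse_codeowners(CODEOWNERS))
    print(rollups)
    print(escalations)
```

Note that the exception on F-5 suppresses the SLA breach only until its expiry date; once `now` passes `exception_until`, the finding reappears on the escalation list without anyone having to remember to re-open it, which is the property that makes "no permanent exceptions" enforceable rather than aspirational.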
6. Metrics & Reporting
- → Track: MTTR (mean time to remediate) by severity, SLA adherence %, open vulnerability count trend
- → Report monthly to leadership with trends and exceptions
- → Alert on regression: open criticals increasing week-over-week
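The three metrics from section 6 computed from a ticket history, as an added example that is not part of the original page: MTTR by severity over closed findings, SLA adherence as the share of closed findings fixed inside their severity's window, and a week-over-week regression check on open criticals that recomputes the open count at two points in time rather than trusting a stored counter. The SLA day counts and the ticket records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Optional

# Assumed SLA table (days to remediate by severity); the page gives no numbers.
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}


@dataclass
class Record:
    finding_id: str
    severity: str
    opened: datetime
    closed: Optional[datetime] = None     # None while still open


def _utc(date: str) -> datetime:
    return datetime.fromisoformat(date).replace(tzinfo=timezone.utc)


# Constructed ticket history: closed-in-SLA, closed-late and still-open findings.
RECORDS = [
    Record("F-1", "critical", _utc("2024-04-01"), _utc("2024-04-03")),   # 2d, in SLA
    Record("F-2", "critical", _utc("2024-04-10"), _utc("2024-04-18")),   # 8d, late
    Record("F-3", "high",     _utc("2024-04-05"), _utc("2024-04-15")),   # 10d, in SLA
    Record("F-4", "high",     _utc("2024-04-20")),                       # still open
    Record("F-5", "critical", _utc("2024-05-02")),                       # opened this week
    Record("F-6", "critical", _utc("2024-05-05")),                       # opened this week
    Record("F-7", "medium",   _utc("2024-03-01"), _utc("2024-04-20")),   # 50d, late
]


def mttr_days(records) -> dict:
    """Mean time to remediate, in days, per severity, over closed findings only."""
    out = {}
    for sev in SLA_DAYS:
        durations = [(r.closed - r.opened).days
                     for r in records if r.severity == sev and r.closed]
        if durations:
            out[sev] = round(mean(durations), 1)
    return out


def sla_adherence_pct(records) -> Optional[float]:
    """Share of closed findings remediated within their severity's SLA."""
    closed = [r for r in records if r.closed]
    if not closed:
        return None
    met = sum(1 for r in closed if (r.closed - r.opened).days <= SLA_DAYS[r.severity])
    return round(100.0 * met / len(closed), 1)


def open_count(records, at: datetime, severity: Optional[str] = None) -> int:
    """Findings open at a point in time, so trends can be recomputed from history."""
    return sum(1 for r in records
               if r.opened <= at and (r.closed is None or r.closed > at)
               and (severity is None or r.severity == severity))


def critical_regression(records, now: datetime) -> dict:
    """Week-over-week check: alert when open criticals rose versus 7 days ago."""
    this_week = open_count(records, now, "critical")
    last_week = open_count(records, now - timedelta(days=7), "critical")
    return {"this_week": this_week, "last_week": last_week, "alert": this_week > last_week}


def monthly_report(records, now: datetime) -> dict:
    return {
        "mttr_days": mttr_days(records),
        "sla_adherence_pct": sla_adherence_pct(records),
        "open_total": open_count(records, now),
        "critical_regression": critical_regression(records, now),
    }


if __name__ == "__main__":
    print(monthly_report(RECORDS, _utc("2024-05-07")))
```

MTTR on its own hides backlog: the critical MTTR here is a healthy 5 days because only closed findings count, while two criticals opened this week sit unclosed. Reporting MTTR next to the open-count trend and the regression alert is what keeps leadership from reading a good MTTR as a good program.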
External Resources
CISA KEV Catalog: Known exploited vulnerabilities - remediate these first
EPSS Scores: Exploit Prediction Scoring System (FIRST)
NIST NVD: National Vulnerability Database
Nuclei Templates: Open-source vulnerability scanner templates
Steampipe: SQL for cloud APIs - query AWS, Azure, GCP inventory
CloudQuery: Open source cloud asset inventory to PostgreSQL
Cartography: Infrastructure asset mapping and graph analysis
AWS SDK (boto3): Direct AWS API access for custom inventory scripts
Prowler: Open source cloud security scanning for AWS, Azure, GCP
Wiz: Agentless cloud security platform
Orca Security: Agentless cloud security and compliance