​
Vulnerability Management Life Cycle
Meaning behind each step of the Vulnerability Management Life Cycle:
-
Discover - identify and create an inventory of all assets
-
Prioritize Assets - categorize assets by priority and secure high impact systems first
-
Assess - ensure scans and checks are done continuously for vulnerabilities
-
Report - create reports tailored with information depending on intended recipients use
-
Remediate - detail a plan to secure vulnerable systems following priority and ensure documentation of each step
-
Verify - through follow up scans check that the vulnerability / threats have been secured
CVE - Common Vulnerabilities and Exposures
CVE's are identifiers for openly known vulnerabilities to provide a common platform to evaluate and store a database of security issues. Thus allowing a standardize vulnerability information system and ease of communication.
​
Maintained by the MITRE Corporation who collect and catelogs using the Security Content Automation Protocol (SCAP). Which evaluates and assigns each vulnerability a unique identifier.
CVSS - Common Vulnerability Scoring System
CVSS is a way to measure the impact of the vulnerabilities which is also known as the CVE score.
The current iteration of the CVSS is v3.1 which uses two columns (Severity and Base Score) from None to Critical and 0 to 10.0.
​
For organizations that don't use CVSS there is a NVD calculator that can be used to perform this calculation.
Sources:
-
https://en.wikipedia.org/wiki/Vulnerability_management
-
https://www.cdc.gov/cancer/npcr/tools/security/vmlc.htm
-
https://www.coalfire.com/the-coalfire-blog/june-2018/cyber-engineering-primer-vulnerability-mgmt
-
https://www.redhat.com/en/topics/security/what-is-cve
-
https://beyondsecurity.com/vulnerability-assessment-requirements-cve-explained.html
-
https://www.imperva.com/learn/application-security/cve-cvss-vulnerability/