Vulnerability management defines the lifecycle for identifying, prioritizing and remediating vulnerabilities. Based on various risk factors, the most critical vulnerabilities should be remediated first and swiftly. The goal is to fix vulnerabilities in order to eliminate the risk they introduce before they are exploited.
Newly discovered or reported vulnerabilities are the input for vulnerability management. Typical sources are vulnerability scanners and security advisories published by a vendor. At this point a new vulnerability is rated by its technical severity (for example a CVSS base score), which says nothing yet about the environment it was found in. The next step is to evaluate the actual business risk for each affected asset. Existing controls and other mitigating factors can lower the risk rating; exposure (for example an internet-facing service) or compliance requirements can raise it.
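The following is an added example of that second step, not part of the original page: it takes constructed scanner findings and a small asset inventory and turns the technical severity into a business risk rating by applying the adjustments described above (a relevant compensating control lowers the score, exposure and compliance scope raise it), then assigns a remediation deadline. The asset fields, the adjustment factors, the SLA bands and the finding labels (SCAN-001 and so on) are all assumptions made for the illustration, not a standard or real advisory identifiers.

```python
"""Prioritize scanner findings by business risk (added example; all rules are assumptions)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool                   # exposure raises the rating
    in_compliance_scope: bool               # e.g. stores regulated data
    controls: FrozenSet[str] = frozenset()  # mitigating controls in place on this asset


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str          # placeholder label, not a real advisory or CVE ID
    technical_score: float   # 0-10 severity as reported by scanner or advisory
    mitigated_by: FrozenSet[str] = frozenset()  # controls that would reduce this finding


@dataclass(frozen=True)
class Prioritized:
    finding: Finding
    business_score: float
    sla_days: int


# Adjustment factors are assumptions for this example, not a standard.
CONTROL_FACTOR = 0.6      # a relevant compensating control keeps 60% of the score
EXPOSURE_BONUS = 2.0      # internet-facing asset
COMPLIANCE_BONUS = 1.0    # asset in a compliance scope
SLA_BANDS = [(9.0, 7), (7.0, 30), (4.0, 90), (0.0, 180)]  # (min score, days to remediate)

# Conservative fallback for findings on assets missing from the inventory:
# assume exposed and uncontrolled, so a gap in the inventory never lowers a rating silently.
UNKNOWN_ASSET = Asset("unknown", internet_facing=True, in_compliance_scope=False)


def business_risk(finding: Finding, asset: Asset) -> float:
    """Adjust the technical score by the asset's controls, exposure and compliance scope."""
    score = finding.technical_score
    if finding.mitigated_by & asset.controls:   # only controls relevant to this finding count
        score *= CONTROL_FACTOR
    if asset.internet_facing:
        score += EXPOSURE_BONUS
    if asset.in_compliance_scope:
        score += COMPLIANCE_BONUS
    return round(min(max(score, 0.0), 10.0), 2)


def sla_for(score: float) -> int:
    """Map a business risk score to a remediation deadline in days."""
    for threshold, days in SLA_BANDS:
        if score >= threshold:
            return days
    return SLA_BANDS[-1][1]


def prioritize(findings: List[Finding], inventory: Dict[str, Asset]) -> List[Prioritized]:
    """Rate every finding against its asset and return them highest business risk first."""
    ranked = []
    for f in findings:
        asset = inventory.get(f.asset, UNKNOWN_ASSET)
        score = business_risk(f, asset)
        ranked.append(Prioritized(f, score, sla_for(score)))
    # ties on business risk are broken by the raw technical score
    ranked.sort(key=lambda p: (p.business_score, p.finding.technical_score), reverse=True)
    return ranked


# Constructed sample inventory and scanner output (not real systems or findings).
INVENTORY = {a.name: a for a in [
    Asset("web-shop", internet_facing=True, in_compliance_scope=True, controls=frozenset({"waf"})),
    Asset("build-server", internet_facing=False, in_compliance_scope=False, controls=frozenset({"segmentation"})),
    Asset("hr-db", internet_facing=False, in_compliance_scope=True),
]}

FINDINGS = [
    Finding("web-shop", "SCAN-001", 9.8, frozenset({"waf"})),
    Finding("build-server", "SCAN-002", 9.8, frozenset({"segmentation"})),
    Finding("hr-db", "SCAN-003", 6.5, frozenset({"segmentation"})),
    Finding("web-shop", "SCAN-004", 4.0),
]

if __name__ == "__main__":
    for p in prioritize(FINDINGS, INVENTORY):
        f = p.finding
        print(f"{f.asset:13} {f.finding_id} technical={f.technical_score:4.1f} "
              f"business={p.business_score:5.2f} fix within {p.sla_days} days")
```

Two findings with the same technical score (SCAN-001 and SCAN-002, both 9.8) end up in different remediation bands because one sits on an exposed, in-scope asset and the other behind network segmentation, while a medium finding on the unprotected HR database outranks the segmented critical one. The fallback for unknown assets is deliberately pessimistic: an incomplete inventory should create extra work, not hide risk.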
Usually, the number of findings reported by a vulnerability scanner is high, and new security advisories are published constantly. Multiplied by the number of assets within a company, this results in a large workload: every finding has to be mapped to its assets, rated and tracked until it is fixed. Consequently, a tool to support the process is recommended. Currently, no open-source tool matches the commercial services.