A Step-by-Step Guide to the Vulnerability Management Process [+ Policy Template]

  • July 12, 2023

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe


Marc Rubbinaccio

Manager of Compliance at Secureframe

In a survey by CRA Business Intelligence, nearly half of the respondents (45%) said they are very or extremely concerned about vulnerabilities in the next 12 months. 

With expanding attack surfaces and an increasing volume of vulnerabilities, organizations must take a more aggressive and proactive stance towards vulnerability management.

Keep reading to learn what vulnerability management is, what steps are involved in the process, and how you can implement a robust vulnerability management program that leverages automation.

What is vulnerability management?

Vulnerability management is a process organizations use to identify, analyze, and manage vulnerabilities within their operating environment.

Vulnerabilities are weaknesses in systems, platforms, infrastructure, or even people and processes that can be exploited by threat actors, rendering an entire organization or any of its parts susceptible to attack. 

Examples of vulnerabilities include:

  • Insecure code
  • Unpatched software
  • Cloud misconfigurations
  • Lack of encryption
  • Default authentication
  • Lack of security awareness and training
  • Improper internal controls
  • Weak or missing policies

Why is vulnerability management important?

Vulnerability management is an important aspect in risk management. Assessing the environment for technical and operations vulnerabilities will help with planning for and determining the appropriate implementation of mitigating controls.

Vulnerability management  activities such as discovering, categorizing, and prioritizing vulnerabilities, managing exposure to discovered vulnerabilities, and analyzing the root cause of vulnerabilities, is incredibly important. Vulnerability management can help an organization develop a comprehensive understanding of its risk profile, understand what controls need to be implemented for risk mitigation, and prevent repeat vulnerabilities. 

Vulnerability management is therefore an important part of an organization's overall security and compliance program.

What is a vulnerability management program?

A vulnerability management program is a program that a company adopts in order to identify, monitor, and remediate vulnerabilities in their operating environment. The program should clearly define the process, structure, and scope of vulnerability management and the responsibilities and expectations of those responsible for the management of the program as well as everyone else within the organization. 

A robust vulnerability management program can help organizations:

  • Prioritize vulnerabilities based on risk and exposure
  • Prevent the introduction of known vulnerabilities
  • Maintain compliance with security standards and regulations
  • Minimize the overall attack surface
  • Understand and improve their security posture

To achieve all this, the program should include several aspects, including vulnerability scanning, asset management, patch management, continuous monitoring, and automated solutions.

Let’s take a closer look at these aspects and their role in the vulnerability management process below.

6 steps of the vulnerability management process

To keep up with emerging threats and technologies, vulnerability management should be a continuous process.

Below we’ll cover some of the steps in the vulnerability management process using insights from the Secureframe Expert Insights webinar featuring Secureframe compliance expert Marc Rubbinaccio, and penetration testing expert Jenny Goldschmidt of Red Sentry.

For all their tips on how to simplify vulnerability management and penetration testing in particular, watch the video replay on demand.

1. Inventory

It's impossible to understand how to become secure when you don’t know what you should be protecting in the first place. 

So the first step in any vulnerability management process is to inventory and understand the assets within your environment. First ask what is important to your organization. Is it protected health information (PHI)? Or another type of sensitive customer data?

Documenting what data or assets are considered incredibly sensitive or critical versus what could be considered public is the first step to understanding your assets. Next would be mapping out how this data and assets are stored, transmitted, and processed throughout your environment and documenting this flow in a diagram. Finally, you should document all systems, resources, personnel, and services that can impact the security of this data.

2. Configuration

Once your assets and resources are accounted for, it is time to protect them.

First, check whether configuration standards were utilized when these resources were spun up. Configuration standards are baseline security best practices when configuring servers, networks, databases and most resources. These standards are usually built by the vendor or through industry best practices such as CIS benchmarks. Utilizing configuration standards is a key control for all compliance frameworks Secureframe supports, and allows you to be confident the resources you are implementing are going to be secure before you spin them up on production.  

Configuration standards are just the first step in securing resources. Implementing anti-malware, continuous security patching, and logging and monitoring are also critical for ensuring your resources and environment as a whole are protected against vulnerabilities. 

3. Vulnerability, DAST, and SAST scanning

In order to find and prioritize as many vulnerabilities as possible, consider using a combination of the scanning techniques and tools detailed below. 

Vulnerability scanning

Now that your resources and environment have been implemented using baseline configuration standards and security best practices such as frequent patching and multi-faceted security controls, it’s time to continually test these security controls through vulnerability scanning.  

Vulnerability scanning is an important requirement for compliance frameworks such as SOC 2, ISO 27001 and PCI DSS. Each compliance framework requires regular internal and external vulnerability scanning (usually quarterly). 

Internal infrastructure vulnerability scanning involves running a vulnerability scanning tool such as Nessus or OpenVAS on a virtual machine or workstation with access to your internal environment and scanning all network devices, servers, and resources for vulnerabilities, like disclosed common vulnerabilities and exposures (CVEs) and outdated operating systems and software.

Same goes for any externally-facing resources. Utilize a workstation running these tools and scan your public-facing resources. Please note if you need to comply with PCI DSS, it does require this external infrastructure scanning to be performed by a PCI DSS council approved scanner or ASV.

If you are utilizing a cloud service provider, it is likely this provider offers a service you can utilize to perform infrastructure vulnerability scanning, such as AWS Inspector or Azure defender for cloud.  

Scanning your underlying infrastructure is likely not enough to ensure you are discovering all critical vulnerabilities within your environment as a whole or to meet vulnerability scanning requirements for compliance frameworks.

DAST scanning

If you provide a public-facing application or API, these services will need to be scanned in depth as well. Utilizing dynamic application security testing (DAST) tools such as SOOS or Netsparker, you can simply enter your public-facing domain and credentials for authentication, then these scanners will spider your application to find all directories, input fields, and functions. They will also scan for OWASP top 10 vulnerabilities, including injection, broken access control, and sensitive data leakage.

SAST scanning

Another aspect of securing applications against vulnerabilities is implementing security scanning within the code review process. You can do so using static application security testing (SAST) tools such as Sudoviz or SonarQube. They will review your code repository and source code prior to you implementing the code changes into production. This will help you avoid critical security issues and vulnerabilities being released into your application. A combination of DAST and SAST scanning is highly recommended for protecting your production applications.

4. Risk assessment

Another critical step in the vulnerability management process is determining the risk of your solution and service as a whole. To do so, you should complete a risk assessment annually. This is also a compliance requirement. 

To complete a risk assessment, you should use a risk management framework like NIST 800-37. Or, if you’re a Secureframe customer, you can complete our risk assessment questionnaire.  

Risk assessment and management involves:

  • Documenting and tracking risks
  • Determining who is responsible for the management of risks
  • Determining the security impact these risks pose to your organization
  • Having a plan to remediate or mitigate these risks

5. Employee training

The next step is to focus your security efforts on what’s likely your most vulnerable asset: employees and personnel.

Phishing and other types of social engineering attacks are still one of the most prevalent ways that sensitive data is stolen. That’s why most compliance frameworks require some sort of security awareness training.

Some frameworks such as PCI DSS require focused training based on the data the organizations support as well as specific training related to the actual job function for users. For example, software developers must complete secure code training related to coding best practices and common vulnerabilities such as those in the OWASP Top Ten

Frameworks such as FedRAMP go even further and require a social engineering engagement, such as an email phishing campaign, as part of a penetration test, which we’ll discuss next.

6. Penetration testing

Now the best way to ensure you have all of the above correctly implemented would be to have a trained ethical hacker try and break into all of those security controls. That’s where penetration testing comes in.

Penetration testing is the testing of an organization’s configuration standards, vulnerability scanning, risk management, and security awareness training. This needs to be performed by a qualified penetration tester. This is either a professional that has been certified to perform penetration tests by certification bodies such as Offensive Security, SANS, or eLearnSecurity, or a professional with experience performing penetration testing. 

The scope of the penetration test is determined by the organization and can be based on compliance requirements. Frameworks such as SOC 2, ISO 27001, and PCI DSS require the following to be included in the penetration test:

  • systems that store, transmit and process sensitive data
  • critical systems
  • systems that connect to the sensitive data environment

Penetration tests usually involve a combination of gray box and white box testing. Gray box means the tester has access to certain information such as a specific range of IP addresses, domains, or a list of personnel to target. These tests are kicked off externally with no granted access to systems or applications. The penetration tester will try to find vulnerabilities and perform exploits to gain access to systems from the internet or exfiltrate data.  

Once gray box testing is exhausted, the tester will then use granted credentials to perform testing from within networks and applications using a variety of access if there are different levels of privilege. Using this access, the tester will try and escalate privilege and discover vulnerabilities throughout the full environment.

Penetration test results will be in the form of a report that describes the penetration testing methodology, proof of concepts for all vulnerabilities found, and remediation guidance. 

The Ultimate Guide to PCI DSS

Learn everything you need to know about the requirements, process, and costs of getting PCI certified. 

Vulnerability management best practices

To ensure your vulnerability management program is set up for success, here are a few best practices to keep in mind:

  • Use automation: Resourcing is one of the top challenges that organizations face when trying to effectively manage vulnerabilities. Automated vulnerability scanning tools can help make vulnerability management more effective and faster by automatically scanning for common vulnerabilities and exposures and monitoring the health of IT assets.
  • Create consistent compliance and security training within your own organization: Often, data and security breaches happen through human error, so providing ongoing security awareness education can help lower the internal risk of a breach occurring. 
  • Set up a vulnerability management policy: A vulnerability management policy defines your organization’s approach to vulnerability management. It is essential for maintaining a process and procedures for implementing a vulnerability management program.

Vulnerability management policy template

A vulnerability management policy defines an approach for vulnerability management to reduce system risks and processes to incorporate security controls. To help you get started creating a policy for your organization, we’ve created a customizable template that you can download below.

How to automate vulnerability management

Automating the vulnerability management process can help your organization save time and respond to threats faster.

Automation can be applied to several aspects of vulnerability management, including: 

  • Asset inventory: An automation platform can create an inventory of all your assets based on the integrations you connect to the platform and ensure your personnel’s devices, company’s cloud assets, and version control repositories are all maintained. 
  • Vulnerability scanning: Automation platforms pull CVE data from multiple connected integrations, organize vulnerabilities in one place, and automatically alert you when vulnerabilities are discovered.
  • Risk management: With an automation platform, you can set up a risk register to track risks in a single place. This can be updated when your organization introduces new services, wants to incorporate findings from internal and external audits, or respond to changes in the business or technological environment. 
  • Testing and training: An automation platform can allow you to set up notifications for required regular tasks throughout the year, including vulnerability scanning and penetration testing. You can also set up reminders for personnel to complete security awareness training.
  • Continuous monitoring: An automation platform can continuously monitor your security controls and their compliance with regulatory and industry frameworks.

When looking for an automated vulnerability management product, look for one that offers an easy-to-use platform in addition to a team of security and compliance experts that can guide your organization through every step of the vulnerability management process.

How Secureframe can help companies manage vulnerabilities 

Secureframe provides a one stop shop for you to be able to manage and organize all of your compliance framework requirements in one place, including your vulnerability management program.

With Secureframe you can:

  • Integrate your cloud platform and developer tools to see all of your vulnerabilities from services like AWS inspector and Github in one place. 
  • Complete a risk questionnaire annually and establish your risk register where you can continuously manage your risks throughout the year.
  • Receive in app guidance regarding security controls based on the specific resources you are utilizing within your environment. For example, if you set up an integration with AWS, you’ll receive tests related to security best practices against the resources you are using within your AWS account.
  • Get guidance on Secureframe tests and answers to any questions you may have from compliance managers.
  • Get access to a partner network of trusted auditors and pen testing firms

Learn more about how Secureframe can help you manage vulnerabilities by scheduling a personalized demo today.


What are the steps of vulnerability management?

The steps of vulnerability management are: inventory,

  • Asset inventory
  • Secure configuration
  • Vulnerability scanning
  • Risk assessment
  • Employee training
  • Penetration testing

What is vulnerability management in cybersecurity?

In cybersecurity, vulnerability management is the process of identifying, analyzing, and managing vulnerabilities within an operating environment in order to keep your organization's systems, networks, and enterprise applications safe from cyberattacks and data breaches.

How to build a vulnerability management program?

Building a vulnerability management program requires several steps, such as:

  1. Defining the process, structure, and scope of vulnerability management at your organization
  2. Defining the responsibilities and expectations of those responsible for the management of the program
  3. Defining the responsibilities and expectations of everyone else within the organization
  4. Making an inventory of your assets
  5. Using scanning techniques and tools to identify vulnerabilities
  6. Performing risk assessments
  7. Conducting regular employee training
  8. Having a qualified penetration tester try and break into the controls you've established

What are vulnerability management tools?

Vulnerability management tools use automation to make vulnerability management more effective and faster. An example is automated vulnerability scanning tools. These automatically scan for common vulnerabilities and exposures and monitor the health of IT assets.