Last updated at Mon, 27 Mar 2023 22:06:19 GMT

Written in collaboration with Joel Ashman

The immutable truth that vulnerability management (VM) programs have long adhered to is that successful programs should follow a consistent lifecycle. This concept is simply a series of phases or steps that have a logical sequence and are repeated according to an organization’s VM program cadence.

A lifecycle gives a VM program a central illustrative model, defining the high-level series of activities that must be performed to reduce attack surface risk — the ultimate goal of any VM program. This type of model provides a uniform set of expectations for all stakeholders, who are often cross-functional and geographically dispersed. It can also be used as a diagnostic tool to identify bottlenecks, inefficiencies, or gaps (more on that later).

There are many lifecycle model prototypes in circulation, and they are generally comparable and iterative in nature. They break large-bucket activities into four, five, or six phases of work which describe the effort needed to prepare and scan for vulnerabilities or configuration weaknesses, assess or analyze, distribute, and ultimately address those findings through remediation or another risk treatment plan (i.e. exceptions, retire a server, etc).

While any one specific lifecycle will (and should) vary by organization and the specific tools in use, there are some fundamental steps or phases that remain consistent. This educational series will focus on introducing those fundamental building blocks, followed by practical demonstrations on how best to leverage Rapid7 solutions and services to accelerate your program.

In this first installment of a multipart blog and webinar series, we will explore the concept of a VM program lifecycle and provide practical guidance and definition for what many consider the first of the iterative VM lifecycle phases – often referred to as “discover”, “understand,” or even “planning.”

A (very) brief history of the VM lifecycle

But let’s return to the lifecycle concept for just a moment.

Having just a couple of small variables in my life flip the other way, I could have ended up a forensic historian or anthropologist. Those interests have paid dividends time and time again: to understand where you want to go, you have to understand how you got here.

The need for vulnerability management has existed since long before it had a title. It falls under what could be argued is the most important cybersecurity discipline: security hygiene. If you want nice teeth, you have to have good dental hygiene (identify cavities and perform regular maintenance). Similarly, organizations that require secure digital infrastructure must regularly assess and identify weaknesses (vulnerabilities, defects, improper configs) and then address those weaknesses through updates or other mitigation.

Two key points about how we got here:

  1. We all know the evolution of a few worms and viruses in ARPANET in the 1970s, to the much more intentionally crafted viruses targeting operating systems of the 1980s, to today’s this-ware or that-ware that have malintent baked right into the very fibers of their assembly language. In computing, the potential for misuse in the form of vulnerabilities has been with us from the start.
  2. A subtle but countervailing force has slowly but surely crept forward to stem, reflect, contain, and now often eradicate the intentions of bad actors. We the Defenders, the Protectors, the Stewards of Vulnerability Management will not be dissuaded from our obligation to manage cyber risk: to safeguard secrets, to shield corporate data, and to protect the networks that allow us to share pictures of the animals living in our homes and purchase large quantities of toilet paper online. Let’s not forget the prevention of abuse of individual identity — stopping those thieves from taking vacation savings, using those funds for their own vacation, and posting pictures on a Caribbean island from their Instagram account (true story).

We are keen to meet and overcome the challenges of modern attackers and modern infrastructure and applications (with all its containers and microservices), both now and into the bright and hopefully still shiny future.

We have met this call and at times faltered, but we have never been discouraged — and a key element that has supported us Protectors has been the lifecycle artifact. A conceptual model that conveys the continuous nature of the management of vulnerability risk and provides steadfast guidance for all stakeholders.

The lifecycle holds true

Vulnerability risk management is a team sport. It is only through careful, judicious, and sometimes aggravatingly laborious detail that a full lifecycle successfully completes. This may entail the same conversation happening no less than 5 to 8 times with the same audience. Even if the last time you said, “I didn’t ever want to have this conversation ever again.” Amidst all the chaos and confusion, the VM lifecycle is an immutable truth. Its methods may evolve and its technology take a dramatically different approach, but it will remain true.

The compendium to this blog is a webinar, which you can watch here. Both are the first in our series to freshen up perceptions and maybe introduce a few new concepts by exploring the various phases and activities that are fundamental pillars for a strong VM program and its execution. In addition, we have created a worksheet as a guide to facilitate efficient collection of information to build a VM stakeholder map. You can access the worksheet and download it here.

Join me for the next in the series to dive deeper into the initial stages or phases, or whatever preferred term you use, of the VM lifecycle.

Additional reading:


Get the latest stories, expertise, and news about security today.