Intermediate Lesson 6

Vulnerability Management

ELI5 Explanation

Not all bugs are equal. Vulnerability management helps teams fix the riskiest issues first instead of trying to fix everything at once.

Technical Explanation

Findings are categorized by severity (Critical, High, Medium, Low) and prioritized using exploitability, internet exposure, data sensitivity, and business criticality. Effective programs define remediation SLAs, exception workflows, and verification scans after fixes.

Visual

Detect → Prioritize → Fix → Verify

Hands-on Commands

Findings triage and SLA checks
# List the open findings for one application
veracode findings list --app orders-service --status open
# Narrow the view to the severities that drive the shortest SLAs
veracode findings list --severity critical,high
# Assign a finding to the owning team so remediation is tracked
veracode findings assign --id VERA-1024 --owner team-orders
# Check the application against its policy (SLA and severity thresholds)
veracode policy check --app orders-service
# Start a fresh, non-baseline scan to verify that fixes have landed
veracode scan start --app orders-service --baseline false

Debugging Scenario

A release is blocked by a high-severity finding in a non-internet-facing admin tool. Security and engineering review the exploitability and compensating controls, approve a time-bound exception, and schedule the fix for the next sprint with mandatory revalidation.

Warning: Severity alone is not enough; always factor in exposure, exploit path, and business impact.
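As an added example (not part of this lesson or of Veracode's tooling), the following Python sketches the risk-based prioritization from the Technical Explanation and the time-bound exception handling from the Debugging Scenario. The weights, SLA windows, and sample findings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed model (not Veracode policy): severity sets the base score and the
# lesson's factors (exploitability, exposure, data sensitivity, criticality) scale it.
SEVERITY_BASE = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed SLA windows

@dataclass
class Finding:
    finding_id: str
    severity: str                   # "critical" | "high" | "medium" | "low"
    exploitable: bool               # a known exploit path exists
    internet_facing: bool
    data_sensitivity: int           # 1 = public data .. 3 = regulated data
    business_criticality: int       # 1 = internal tool .. 3 = revenue critical
    opened: date
    exception_until: Optional[date] = None  # approved, time-bound risk acceptance

def risk_score(f: Finding) -> float:
    """Business-risk score: severity base scaled by exposure and impact factors."""
    score = SEVERITY_BASE[f.severity]
    score *= 1.5 if f.exploitable else 1.0
    score *= 1.5 if f.internet_facing else 0.75
    score *= (f.data_sensitivity + f.business_criticality) / 4  # range 0.5 .. 1.5
    return score

def sla_deadline(f: Finding) -> date:
    """Due date from the severity SLA, extended by an approved exception if later."""
    due = f.opened + timedelta(days=SLA_DAYS[f.severity])
    if f.exception_until is not None and f.exception_until > due:
        return f.exception_until
    return due

def is_overdue(f: Finding, today: date) -> bool:
    return today > sla_deadline(f)

def prioritize(findings: List[Finding], today: date) -> List[str]:
    """Work queue: overdue findings first, then by descending business risk."""
    ordered = sorted(findings, key=lambda f: (not is_overdue(f, today), -risk_score(f)))
    return [f.finding_id for f in ordered]

# Constructed sample findings: a critical on an internal admin tool with a time-bound
# exception (the debugging scenario) and a high on an internet-facing order service.
SAMPLE = [
    Finding("VERA-1024", "critical", False, False, 1, 1, date(2024, 1, 1),
            exception_until=date(2024, 2, 15)),
    Finding("VERA-2048", "high", True, True, 2, 3, date(2024, 1, 20)),
]
```

With these weights the internet-facing high outranks the internal critical until the exception expires, after which the overdue critical moves to the top of the queue.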

Interview Questions

Beginner

  • What do Critical/High/Medium/Low mean?
  • Why do teams use remediation SLAs?
  • What is a false positive?
  • What is risk acceptance?
  • Why run verification scans after fixing?

Intermediate

  • How do you build a risk-based prioritization model?
  • How do you handle a backlog of old vulnerabilities?
  • How do you tie findings to product owners?
  • How do you measure vulnerability management performance?
  • When should an exception be approved?

Scenario-based

  • Critical issue found on internal app. Do you stop release?
  • Fix introduces regression risk in peak season. How do you decide?
  • Repeated findings appear every sprint. What systemic change is needed?
  • Compliance asks for evidence of closure. What proof do you provide?
  • Team misses SLA repeatedly. How do you enforce accountability?

Real-world Use Case

An enterprise AppSec team moved from severity-only triage to business-risk scoring and reduced overdue high-risk findings by 38%.

Summary

Vulnerability management turns raw scan output into practical remediation decisions. Next lesson integrates Veracode checks directly into CI/CD pipelines.