How Vulnerability Management Has Evolved And Where It’s Headed Next

The blocking and tackling work of scan management is becoming a commodity, writes Lisa Xu, the CEO of NopSec, in this Expert Insight. What organizations need now is complete visibility of their IT infrastructure and business applications.

Around the turn of the 21st century, vulnerabilities were chiefly addressed by someone in the IT department periodically running a manual scan for known vulnerabilities. At the time, organizations didn't have too many vulnerabilities to worry about. According to CVE Details, there were only about 1,000 disclosed vulnerabilities in the year 2000.

Various vulnerability management data reports indicate that somewhere between 18,000 and 30,000 known vulnerabilities were reported in 2021. Someone in IT running a manual scanner can no longer provide even a hint as to which of those vulnerabilities an organization should be worried about today.


In this article, I’ll explore the origins of vulnerability management, how it has evolved, where it’s going, and what business leaders need to do to implement a cyber threat and exposure management strategy to support their digital transformation and application-centric business strategy.

How vulnerability management has evolved

Vulnerability management has changed because the world has changed. Digital transformation has revolutionized products, processes, and entire organizations. Over the last decade, companies, governments, and organizations of all types have adopted digital technologies—specifically cloud services, social media, remote work, and data analytics—at a rapid rate.


Since 2005, security teams have leaned heavily on the Common Vulnerability Scoring System (CVSS) to gauge the severity of vulnerabilities. A CVSS base score captures the intrinsic characteristics of a flaw (attack vector, attack complexity, privileges required, impact on confidentiality, integrity and availability), which helped teams identify and understand vulnerabilities found in the wild. But the base score carries no context about a specific organization: the same 9.8 applies whether the vulnerable host is an internet-facing payments server or an isolated lab machine. On its own, CVSS cannot contribute meaningfully to understanding an organization's cyber risk.

To add organization-specific context to CVSS scores, risk-based vulnerability management (RBVM) vendors and independent threat intelligence (TI) providers began pairing TI with CVSS scores to give organizations a logical basis for remediation. These legacy RBVM tools and providers offer a fuller picture: which vulnerabilities are out there, and how and where threat actors are exploiting them.

From the information legacy RBVM providers supply, teams can combine CVSS severity (what bad things could happen if a threat actor exploits the vulnerability) with threat intelligence that adds some color around how, where, and why threat actors are leveraging the weakness. While helpful, assembling this picture is cumbersome and time-consuming, and it still lacks business-criticality context for the individual organization: the same actively exploited vulnerability matters far more on a revenue-critical, internet-exposed system than on an internal test host. In short, it is still not enough information for teams to make confident risk prioritization choices about how to allocate their scarce security resources.
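The following is an added illustration, not code from the article or from NopSec's product, of why a CVSS-only ranking and a context-rich ranking disagree. It blends the three inputs discussed above (CVSS base score, threat intelligence on exploitation, and the business context that the article says legacy RBVM still lacks) into a single priority score. The weights, the findings, the asset names and the EPSS-style probabilities are constructed assumptions; the only real identifier is CVE-2021-44228 (Log4Shell, CVSS base 10.0).

```python
"""Context-rich vulnerability prioritization (illustrative example).

Each finding carries the CVSS base score a scanner reports plus the
threat-intelligence and business context that CVSS alone lacks. The
scoring weights are assumptions chosen for illustration; a real program
would tune them to its own risk appetite and data sources.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss_base: float            # 0.0-10.0, intrinsic severity only
    exploited_in_wild: bool     # threat intel: known active exploitation
    exploit_probability: float  # 0.0-1.0, an EPSS-style estimate (assumed)
    internet_exposed: bool      # attack-surface context
    asset_criticality: int      # 1 (lab box) .. 5 (revenue-critical system)


# Constructed sample findings. Two are the same CVE on very different assets.
FINDINGS = [
    Finding("CVE-2021-44228", "payments-api-01", 10.0, True, 0.97, True, 5),
    Finding("CVE-2021-44228", "lab-build-01", 10.0, True, 0.97, False, 1),
    Finding("EXAMPLE-3", "partner-portal-01", 7.5, True, 0.60, True, 5),
    Finding("EXAMPLE-4", "hr-intranet-01", 9.8, False, 0.02, False, 2),
]


def cvss_only_priority(f: Finding) -> float:
    """Legacy approach: rank purely on the CVSS base score."""
    return f.cvss_base


def context_priority(f: Finding) -> float:
    """Blend severity with threat intelligence and business context.

    Illustrative weighting (an assumption, not a standard):
      - likelihood: confirmed exploitation counts as certain; otherwise use
        the predicted probability, floored so nothing drops to zero
      - exposure: an internal-only host gets half the weight
      - criticality: scales from 0.7x (criticality 1) to 1.5x (criticality 5)
    The result is normalised back to the familiar 0-10 range.
    """
    likelihood = 1.0 if f.exploited_in_wild else max(0.1, f.exploit_probability)
    exposure = 1.0 if f.internet_exposed else 0.5
    criticality = 0.5 + f.asset_criticality / 5.0
    return round(f.cvss_base * likelihood * exposure * criticality / 1.5, 2)


def prioritize(findings, scorer):
    """Return (asset, cve, score) triples, highest priority first.

    Ties are broken by asset name so the ordering is deterministic.
    """
    ranked = sorted(findings, key=lambda f: (-scorer(f), f.asset))
    return [(f.asset, f.cve, scorer(f)) for f in ranked]


if __name__ == "__main__":
    print("CVSS-only ranking:")
    for asset, cve, score in prioritize(FINDINGS, cvss_only_priority):
        print(f"  {score:5.2f}  {asset:18} {cve}")
    print("Context-rich ranking:")
    for asset, cve, score in prioritize(FINDINGS, context_priority):
        print(f"  {score:5.2f}  {asset:18} {cve}")
```

Under the CVSS-only ranking the two Log4Shell findings tie at the top and the unexploited 9.8 on the HR intranet outranks the actively exploited 7.5 on the partner portal. With context applied, the exposed, revenue-critical partner portal jumps ahead of both the lab build server and the intranet host, which is the kind of reordering the article argues teams need before they can spend remediation effort with confidence.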


With increased pressure to meet the scalability and flexibility demands of consumers, organizations have adopted an application-centric strategy. The massive cloud adoption seen today across all business sectors has enabled enterprises to leverage the scalability of the cloud to shorten product time to market (TTM), creating a new level of customer expectations. Organizations unwilling or unable to adopt new technologies are quickly being left behind.

This insatiable appetite for technology has introduced new vulnerabilities and vastly expanded attack surfaces. For modern enterprises, vulnerability management has expanded from on-premises servers and network devices to include distributed endpoints, cloud servers, containers, and mobile applications.

Because of the new ways in which users consume data, use data, and make decisions based on data, the focus of vulnerability management has moved from on-premises systems to application-centric business strategies. Application-centric strategies adopted to improve the customer experience have accentuated the need for organizations to increase speed and improve quality by shifting development tasks, including security, to the left as early as possible. How vulnerabilities are discovered, prioritized, and remediated is now embedded in the software development lifecycle (SDLC).

What’s in store for the future of vulnerability management

Much of the blocking and tackling work of scan management is becoming a commodity. The unique value of security services lies in a solution’s ability to provide context-rich prioritization, remediation, and program reporting.

Forward-looking enterprises outsource tactical execution, including vulnerability management and cross-functional program management, to managed service providers. As business models have shifted from SaaS to managed services enabled by SaaS, customer buying behaviors have changed. Instead of buying security software, as historically has been the case, customers now seek to buy security outcomes.

The balance between in-house security staff and managed security service providers (MSSPs) may change for an organization. The quantity, value, and criticality of assets, whether cloud or on-premises, will also change. While tooling, defects, and threats will all change, an organization’s strategy for managing risk should always remain the same.

Because no organization has unlimited resources to battle cyberattacks, it needs to weigh costs and benefits to make impactful decisions. Context-rich risk management must be fundamental to the modern enterprise’s cyber strategy.

Legacy RBVM solutions are inadequate. Organizations need complete visibility of their IT infrastructure and business applications. Teams must centralize risk management, break down DevOps and security silos, visualize their entire attack surface, and apply business-critical context and threat intelligence to vulnerability prioritization.

(*) Disclosure: This article was sponsored by NopSec. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.