Vulnerability
Definition
A weakness in a system, application, or process that could be exploited to cause harm. Like an unlocked door in an otherwise secure building.
Use Cases
- Equifax: Preventing exploitation of known web application vulnerabilities (e.g., unpatched components). — After the 2017 incident involving an unpatched Apache Struts vulnerability (CVE-2017-5638), organizations commonly strengthened vulnerability management by improving asset inventory, patch SLAs, and continuous scanning to identify outdated software and missing patches. (Better vulnerability visibility and faster patching reduce the window of exposure and the likelihood of large-scale compromise.)
- GitHub: Reducing vulnerabilities in open-source dependencies used across many projects. — GitHub implemented automated dependency vulnerability detection and alerting (via its security features such as Dependabot alerts) to identify known vulnerable library versions and propose upgrades through pull requests. (Faster remediation of known vulnerable dependencies and reduced risk from supply-chain and dependency-related vulnerabilities.)
Frequently Asked Questions
- What's the difference between a Vulnerability and a Threat?
  - A vulnerability is a weakness (like an unpatched server or misconfiguration). A threat is something that could take advantage of that weakness (like a hacker, malware, or an automated bot). Vulnerabilities are what you fix; threats are what you defend against.
- When should I address vulnerabilities in cloud environments?
  - Continuously. In practice, scan regularly (or continuously) and prioritize fixes based on risk: internet-exposed assets first, then high-severity issues (e.g., critical CVEs), then vulnerabilities affecting sensitive data or production systems. Also re-scan after changes like new deployments, OS image updates, or configuration changes.
- How much does vulnerability management cost in the cloud?
  - Costs vary based on tooling and scale. You may pay for managed scanning services (often priced per resource, per scan, or per protected workload), plus indirect costs like engineering time to patch, maintenance windows, and potential performance/testing overhead. Open-source scanners can reduce license costs but still require time to operate and integrate into CI/CD.
Category: security
Difficulty: basic