Applying Lessons Learned for the Next Generation Vulnerability Management System

by John Dittmer
Sept. 1, 2017, SANS Institute

Vulnerability management has been defined as the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities" (Cornell, 2009), especially in software and firmware. As such, it is integral to Information Assurance for most organizations that operate networks. To conduct vulnerability management, many organizations, such as the United States Department of Defense (DoD), have built systems such as the Vulnerability Management System (VMS). However, the current version of VMS is very cumbersome and is about to be replaced by the Continuous Monitoring and Risk Scoring (CMRS) system. CMRS will integrate several Information Assurance activities with vulnerability management. Even so, there is room for improvement beyond the implementation of the new system. This paper offers solutions for improving the vulnerability management process, whether as improvements to future versions of CMRS or as requirements for other future systems.